Analysis Overview
SHA256
bfc8c61db414e9edbcd5d6ccbfa742481a53b6da1fc3b8a209adc01fa76a253c
Threat Level: Known bad
The file 2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch was found to be: Known bad.
Malicious Activity Summary
Meduza Stealer payload
Stealc
Stealc family
Lumma Stealer, LummaC
Meduza family
Lumma family
Meduza
Downloads MZ/PE file
System Binary Proxy Execution: Rundll32
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Checks installed software on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Browser Information Discovery
GoLang User-Agent
Runs ping.exe
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 04:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 04:13
Reported
2024-11-06 04:15
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 04:13
Reported
2024-11-06 04:15
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
136s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Meduza family
Stealc
Stealc family
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Reads user/profile data of web browsers
System Binary Proxy Execution: Rundll32
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4688 set thread context of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
| PID 4720 set thread context of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
| PID 3624 set thread context of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\2.exe
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\3.exe
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
C:\Users\Admin\AppData\Local\Temp\3.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2024 -ip 2024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1240
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 89.23.96.109:80 | 89.23.96.109 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.96.23.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| RU | 83.217.209.11:80 | tcp | |
| US | 8.8.8.8:53 | geerkenmsu.shop | udp |
| US | 172.67.201.7:443 | geerkenmsu.shop | tcp |
| US | 8.8.8.8:53 | worddosofrm.shop | udp |
| US | 172.67.212.246:443 | worddosofrm.shop | tcp |
| US | 8.8.8.8:53 | mutterissuen.shop | udp |
| US | 172.67.192.220:443 | mutterissuen.shop | tcp |
| US | 8.8.8.8:53 | 7.201.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.212.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | standartedby.shop | udp |
| US | 104.21.24.204:443 | standartedby.shop | tcp |
| US | 8.8.8.8:53 | nightybinybz.shop | udp |
| US | 104.21.24.161:443 | nightybinybz.shop | tcp |
| US | 8.8.8.8:53 | conceszustyb.shop | udp |
| US | 104.21.17.229:443 | conceszustyb.shop | tcp |
| US | 8.8.8.8:53 | 220.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.24.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.24.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bakedstusteeb.shop | udp |
| US | 172.67.218.30:443 | bakedstusteeb.shop | tcp |
| US | 8.8.8.8:53 | respectabosiz.shop | udp |
| US | 172.67.131.150:443 | respectabosiz.shop | tcp |
| US | 8.8.8.8:53 | moutheventushz.shop | udp |
| US | 172.67.157.139:443 | moutheventushz.shop | tcp |
| US | 8.8.8.8:53 | 229.17.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.131.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 109.107.181.162:15666 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 139.157.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.181.107.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | b38dc2ab97f5cd458a79101eebf61abd |
| SHA1 | 51b055431950a9060ae596780bd980adffd970c6 |
| SHA256 | 00f37d516fa294a2f427c65cc204e671387c6f6ee4f533fea02cd240238e2ae6 |
| SHA512 | 9449079f5d4a764b772540924085af6ab862877bac2b6f6031c5ee775aa0626088a63f2bf709dcd1e68839881a6ef23411a53d5ddee161876c1c2f0b9f283a31 |
memory/4688-3-0x000000007476E000-0x000000007476F000-memory.dmp
memory/4688-4-0x0000000000100000-0x0000000000190000-memory.dmp
memory/4688-5-0x0000000004AB0000-0x0000000004AB6000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdi32.dll
| MD5 | 620be184e3b841379369141e21ef846f |
| SHA1 | 9657fd75f1a9ef3eb41acdb26f083f949bc48eac |
| SHA256 | 5e152875bda58c94cbff53e7fda99582d327f2c5c26db9ce6c9e0dcb5d21d08f |
| SHA512 | a0b301d02b3e80c7552f71b0f39fe0606ef4a0dc38e94e0b32de68e92422eb1b34f68211ab34e67ad42417a64be2e46e46d0755cd71908c47d198d401bbb35cd |
memory/2024-12-0x0000000002630000-0x0000000002922000-memory.dmp
memory/2024-17-0x0000000002630000-0x0000000002922000-memory.dmp
memory/4688-15-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/2024-19-0x0000000002630000-0x0000000002922000-memory.dmp
memory/2024-20-0x0000000002630000-0x0000000002922000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | f3722ca3549113a8636ed6df95c707c1 |
| SHA1 | b99a53e33983169c2f5eb17344444a8d9afc9aad |
| SHA256 | 9f16012a1fdf7ff2efc29284d687072089659e0d6fefbbeb9cf2116c52ddc7a1 |
| SHA512 | dcefcca50cc5429eb1aa4545b24d92b853085412b49a993b2ee53246dac5fd575f79106aabf179ffd06191feb731c1e96385aa914bbee4c0ac81c197182645c1 |
memory/4720-24-0x0000000000E60000-0x0000000000EB0000-memory.dmp
memory/4720-25-0x0000000001830000-0x0000000001836000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdi32.dll
| MD5 | 1a4d15d0bcfe5b97e5cf6015efc23157 |
| SHA1 | 9413817ca10fe4351b358ff4cbc6527b06d74221 |
| SHA256 | 9717abc44094665a940dd6b73d52ab22404e248533366135191a7a6f95f2be48 |
| SHA512 | e615af6c15238150aed37cd24eb6d73b092f4579e15dbb3539f3949aa3d7e4e04f60346caa5a8bee245e7ac8ed943408c6dd03a275f4549a492d19df0d990703 |
memory/2936-33-0x00000000033D0000-0x000000000342F000-memory.dmp
memory/2936-34-0x00000000033D0000-0x000000000342F000-memory.dmp
memory/2936-38-0x00000000033D0000-0x000000000342F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | 7053a5df81a5ef855d1ca5a1e2a67c29 |
| SHA1 | 5030fd814b639d7650d368ebcd6b920b6c719e7b |
| SHA256 | b1a33532e26c7128e521428b10b2fb7e068da79b41d9fb3ed471cb50e43b5463 |
| SHA512 | 7ddd3d8dd5374a32e0a16f74bb360387e48b35c02dd536e528fed2d83a3fcd7ed16d0d49a210da44f686d9d687ab20e7bbb63f203b0f602fd4f4ab0449a51f60 |
memory/3304-42-0x0000000140000000-0x000000014013E000-memory.dmp
memory/3304-44-0x0000000140000000-0x000000014013E000-memory.dmp
memory/4688-51-0x0000000074760000-0x0000000074F10000-memory.dmp
memory/2024-52-0x0000000002630000-0x0000000002922000-memory.dmp
memory/2024-53-0x0000000002630000-0x0000000002922000-memory.dmp