Analysis Overview
SHA256
bfc8c61db414e9edbcd5d6ccbfa742481a53b6da1fc3b8a209adc01fa76a253c
Threat Level: Known bad
The file 2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch was found to be: Known bad.
Malicious Activity Summary
Lumma family
Meduza Stealer payload
Meduza family
Meduza
Stealc family
Stealc
Lumma Stealer, LummaC
Downloads MZ/PE file
System Binary Proxy Execution: Rundll32
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Unsigned PE
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
outlook_win_path
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Runs ping.exe
GoLang User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 04:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 04:23
Reported
2024-11-06 04:26
Platform
win7-20241010-en
Max time kernel
64s
Max time network
19s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 04:23
Reported
2024-11-06 04:26
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
142s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Meduza family
Stealc
Stealc family
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Reads user/profile data of web browsers
System Binary Proxy Execution: Rundll32
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1988 set thread context of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
| PID 4368 set thread context of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
| PID 4480 set thread context of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\2.exe
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\3.exe
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
C:\Users\Admin\AppData\Local\Temp\3.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2860 -ip 2860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1232
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
Network
| Country | Destination | Domain | Proto |
| RU | 89.23.96.109:80 | 89.23.96.109 | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.96.23.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 83.217.209.11:80 | tcp | |
| US | 8.8.8.8:53 | geerkenmsu.shop | udp |
| US | 172.67.201.7:443 | geerkenmsu.shop | tcp |
| US | 8.8.8.8:53 | worddosofrm.shop | udp |
| US | 104.21.16.142:443 | worddosofrm.shop | tcp |
| US | 8.8.8.8:53 | mutterissuen.shop | udp |
| US | 104.21.11.225:443 | mutterissuen.shop | tcp |
| US | 8.8.8.8:53 | 7.201.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | standartedby.shop | udp |
| US | 172.67.220.135:443 | standartedby.shop | tcp |
| US | 8.8.8.8:53 | nightybinybz.shop | udp |
| US | 172.67.219.152:443 | nightybinybz.shop | tcp |
| US | 8.8.8.8:53 | 225.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | conceszustyb.shop | udp |
| US | 104.21.17.229:443 | conceszustyb.shop | tcp |
| US | 8.8.8.8:53 | bakedstusteeb.shop | udp |
| US | 104.21.45.184:443 | bakedstusteeb.shop | tcp |
| US | 8.8.8.8:53 | 135.220.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.219.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.17.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | respectabosiz.shop | udp |
| US | 104.21.4.29:443 | respectabosiz.shop | tcp |
| US | 8.8.8.8:53 | moutheventushz.shop | udp |
| US | 172.67.157.139:443 | moutheventushz.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 184.45.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.157.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 109.107.181.162:15666 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 162.181.107.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | b38dc2ab97f5cd458a79101eebf61abd |
| SHA1 | 51b055431950a9060ae596780bd980adffd970c6 |
| SHA256 | 00f37d516fa294a2f427c65cc204e671387c6f6ee4f533fea02cd240238e2ae6 |
| SHA512 | 9449079f5d4a764b772540924085af6ab862877bac2b6f6031c5ee775aa0626088a63f2bf709dcd1e68839881a6ef23411a53d5ddee161876c1c2f0b9f283a31 |
memory/1988-3-0x000000007413E000-0x000000007413F000-memory.dmp
memory/1988-4-0x0000000000F90000-0x0000000001020000-memory.dmp
memory/1988-5-0x0000000005940000-0x0000000005946000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdi32.dll
| MD5 | 620be184e3b841379369141e21ef846f |
| SHA1 | 9657fd75f1a9ef3eb41acdb26f083f949bc48eac |
| SHA256 | 5e152875bda58c94cbff53e7fda99582d327f2c5c26db9ce6c9e0dcb5d21d08f |
| SHA512 | a0b301d02b3e80c7552f71b0f39fe0606ef4a0dc38e94e0b32de68e92422eb1b34f68211ab34e67ad42417a64be2e46e46d0755cd71908c47d198d401bbb35cd |
memory/2860-16-0x0000000003450000-0x0000000003742000-memory.dmp
memory/2860-19-0x0000000003450000-0x0000000003742000-memory.dmp
memory/1988-20-0x0000000074130000-0x00000000748E0000-memory.dmp
memory/2860-21-0x0000000003450000-0x0000000003742000-memory.dmp
memory/1988-17-0x0000000074130000-0x00000000748E0000-memory.dmp
memory/2860-12-0x0000000003450000-0x0000000003742000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | f3722ca3549113a8636ed6df95c707c1 |
| SHA1 | b99a53e33983169c2f5eb17344444a8d9afc9aad |
| SHA256 | 9f16012a1fdf7ff2efc29284d687072089659e0d6fefbbeb9cf2116c52ddc7a1 |
| SHA512 | dcefcca50cc5429eb1aa4545b24d92b853085412b49a993b2ee53246dac5fd575f79106aabf179ffd06191feb731c1e96385aa914bbee4c0ac81c197182645c1 |
memory/4368-25-0x00000000003D0000-0x0000000000420000-memory.dmp
memory/4368-26-0x0000000004C00000-0x0000000004C06000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdi32.dll
| MD5 | 1a4d15d0bcfe5b97e5cf6015efc23157 |
| SHA1 | 9413817ca10fe4351b358ff4cbc6527b06d74221 |
| SHA256 | 9717abc44094665a940dd6b73d52ab22404e248533366135191a7a6f95f2be48 |
| SHA512 | e615af6c15238150aed37cd24eb6d73b092f4579e15dbb3539f3949aa3d7e4e04f60346caa5a8bee245e7ac8ed943408c6dd03a275f4549a492d19df0d990703 |
memory/4380-34-0x0000000002750000-0x00000000027B0000-memory.dmp
memory/4380-39-0x0000000002750000-0x00000000027B0000-memory.dmp
memory/4380-36-0x0000000002750000-0x00000000027B0000-memory.dmp
memory/2860-40-0x0000000003450000-0x0000000003742000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | 7053a5df81a5ef855d1ca5a1e2a67c29 |
| SHA1 | 5030fd814b639d7650d368ebcd6b920b6c719e7b |
| SHA256 | b1a33532e26c7128e521428b10b2fb7e068da79b41d9fb3ed471cb50e43b5463 |
| SHA512 | 7ddd3d8dd5374a32e0a16f74bb360387e48b35c02dd536e528fed2d83a3fcd7ed16d0d49a210da44f686d9d687ab20e7bbb63f203b0f602fd4f4ab0449a51f60 |
memory/3268-46-0x0000000140000000-0x000000014013E000-memory.dmp
memory/3268-44-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-53-0x0000000003450000-0x0000000003742000-memory.dmp