cobaltstrike | f0316f42ba92a215b8afa0fb1a014d2e35c377d276842f061d656d0bb2cb516c

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

b7587879d7ec94b4fd07a00f69e252bd
SHA1

f0d6ef8215595b2e6887aa476b98ec1982434915
SHA256

f0316f42ba92a215b8afa0fb1a014d2e35c377d276842f061d656d0bb2cb516c
SHA512

11d2148e0741ab7db6bac80edc4db1737f0113803c06d142631ff9c85e09d1ef36a118de3329041f67da9351e805fd6a0a430746a4f0129deb1bf8bfb2bef10d
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUf:j+R56utgpPF8u/7f

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b93-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-47.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c88-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-118.dat	cobalt_reflective_dll
behavioral2/files/0x000300000001e767-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/5056-0-0x00007FF6A78B0000-0x00007FF6A7BFD000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b93-5.dat	xmrig
behavioral2/files/0x0007000000023c8c-9.dat	xmrig
behavioral2/files/0x0007000000023c8b-10.dat	xmrig
behavioral2/memory/2044-12-0x00007FF6F9980000-0x00007FF6F9CCD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8d-23.dat	xmrig
behavioral2/files/0x0007000000023c8f-31.dat	xmrig
behavioral2/memory/1728-37-0x00007FF6477E0000-0x00007FF647B2D000-memory.dmp	xmrig
behavioral2/memory/1072-34-0x00007FF61FB20000-0x00007FF61FE6D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8e-33.dat	xmrig
behavioral2/memory/4472-27-0x00007FF6E0050000-0x00007FF6E039D000-memory.dmp	xmrig
behavioral2/memory/2244-19-0x00007FF66E590000-0x00007FF66E8DD000-memory.dmp	xmrig
behavioral2/memory/456-11-0x00007FF7435D0000-0x00007FF74391D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c90-41.dat	xmrig
behavioral2/memory/2588-43-0x00007FF7D4D70000-0x00007FF7D50BD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c91-47.dat	xmrig
behavioral2/memory/4604-49-0x00007FF6C1610000-0x00007FF6C195D000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c88-53.dat	xmrig
behavioral2/memory/3328-55-0x00007FF644250000-0x00007FF64459D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c92-59.dat	xmrig
behavioral2/memory/3460-61-0x00007FF67A990000-0x00007FF67ACDD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c93-64.dat	xmrig
behavioral2/memory/2792-67-0x00007FF6AA3E0000-0x00007FF6AA72D000-memory.dmp	xmrig
behavioral2/memory/3588-73-0x00007FF7D6FE0000-0x00007FF7D732D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c96-77.dat	xmrig
behavioral2/memory/2892-81-0x00007FF7401E0000-0x00007FF74052D000-memory.dmp	xmrig
behavioral2/memory/400-84-0x00007FF6B6620000-0x00007FF6B696D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c97-83.dat	xmrig
behavioral2/files/0x0007000000023c94-72.dat	xmrig
behavioral2/files/0x0007000000023c98-90.dat	xmrig
behavioral2/memory/1144-91-0x00007FF6F4D50000-0x00007FF6F509D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9a-95.dat	xmrig
behavioral2/files/0x0007000000023c9b-99.dat	xmrig
behavioral2/memory/2352-101-0x00007FF7D4150000-0x00007FF7D449D000-memory.dmp	xmrig
behavioral2/memory/3096-102-0x00007FF6B43E0000-0x00007FF6B472D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9c-108.dat	xmrig
behavioral2/memory/4780-109-0x00007FF6AE430000-0x00007FF6AE77D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9d-113.dat	xmrig
behavioral2/memory/3144-114-0x00007FF75A200000-0x00007FF75A54D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c9e-118.dat	xmrig
behavioral2/memory/1332-121-0x00007FF72A220000-0x00007FF72A56D000-memory.dmp	xmrig
behavioral2/files/0x000300000001e767-124.dat	xmrig
behavioral2/memory/3764-126-0x00007FF6DF410000-0x00007FF6DF75D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
456	CZQlfut.exe
2044	cISkXRB.exe
2244	MCfxgVq.exe
4472	aZZXaRw.exe
1072	mDlFSxL.exe
1728	uwJihub.exe
2588	DxvHoma.exe
4604	nQbxRer.exe
3328	dAeIRVM.exe
3460	ZRtahdp.exe
2792	XccFEvo.exe
3588	oFqUdzC.exe
2892	FpHvHEE.exe
400	xtJZLcn.exe
1144	qhtMJqN.exe
2352	DztRmbI.exe
3096	dlaBaVi.exe
4780	KJBVxde.exe
3144	AFJwnde.exe
1332	VjLHsBX.exe
3764	HQkyBSJ.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cISkXRB.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZRtahdp.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XccFEvo.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KJBVxde.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MCfxgVq.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xtJZLcn.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DztRmbI.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VjLHsBX.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CZQlfut.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aZZXaRw.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mDlFSxL.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uwJihub.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DxvHoma.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dAeIRVM.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FpHvHEE.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AFJwnde.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HQkyBSJ.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQbxRer.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oFqUdzC.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qhtMJqN.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dlaBaVi.exe	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 456	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5056 wrote to memory of 456	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5056 wrote to memory of 2044	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5056 wrote to memory of 2044	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5056 wrote to memory of 2244	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5056 wrote to memory of 2244	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5056 wrote to memory of 4472	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5056 wrote to memory of 4472	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5056 wrote to memory of 1072	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5056 wrote to memory of 1072	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5056 wrote to memory of 1728	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5056 wrote to memory of 1728	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5056 wrote to memory of 2588	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5056 wrote to memory of 2588	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5056 wrote to memory of 4604	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5056 wrote to memory of 4604	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5056 wrote to memory of 3328	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5056 wrote to memory of 3328	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5056 wrote to memory of 3460	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5056 wrote to memory of 3460	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5056 wrote to memory of 2792	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5056 wrote to memory of 2792	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5056 wrote to memory of 3588	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5056 wrote to memory of 3588	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5056 wrote to memory of 2892	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5056 wrote to memory of 2892	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5056 wrote to memory of 400	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5056 wrote to memory of 400	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5056 wrote to memory of 1144	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5056 wrote to memory of 1144	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5056 wrote to memory of 2352	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5056 wrote to memory of 2352	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5056 wrote to memory of 3096	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5056 wrote to memory of 3096	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5056 wrote to memory of 4780	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5056 wrote to memory of 4780	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5056 wrote to memory of 3144	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5056 wrote to memory of 3144	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5056 wrote to memory of 1332	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5056 wrote to memory of 1332	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5056 wrote to memory of 3764	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5056 wrote to memory of 3764	5056	2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-22_b7587879d7ec94b4fd07a00f69e252bd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\System\CZQlfut.exe
  C:\Windows\System\CZQlfut.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\cISkXRB.exe
  C:\Windows\System\cISkXRB.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\MCfxgVq.exe
  C:\Windows\System\MCfxgVq.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\aZZXaRw.exe
  C:\Windows\System\aZZXaRw.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\mDlFSxL.exe
  C:\Windows\System\mDlFSxL.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\uwJihub.exe
  C:\Windows\System\uwJihub.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\DxvHoma.exe
  C:\Windows\System\DxvHoma.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\nQbxRer.exe
  C:\Windows\System\nQbxRer.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\dAeIRVM.exe
  C:\Windows\System\dAeIRVM.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\ZRtahdp.exe
  C:\Windows\System\ZRtahdp.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\XccFEvo.exe
  C:\Windows\System\XccFEvo.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\oFqUdzC.exe
  C:\Windows\System\oFqUdzC.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\FpHvHEE.exe
  C:\Windows\System\FpHvHEE.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\xtJZLcn.exe
  C:\Windows\System\xtJZLcn.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\qhtMJqN.exe
  C:\Windows\System\qhtMJqN.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\DztRmbI.exe
  C:\Windows\System\DztRmbI.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\dlaBaVi.exe
  C:\Windows\System\dlaBaVi.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\KJBVxde.exe
  C:\Windows\System\KJBVxde.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\AFJwnde.exe
  C:\Windows\System\AFJwnde.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\VjLHsBX.exe
  C:\Windows\System\VjLHsBX.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\HQkyBSJ.exe
  C:\Windows\System\HQkyBSJ.exe
  2⤵
  - Executes dropped EXE
  PID:3764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AFJwnde.exe

Filesize
5.7MB

MD5
52e82c8d587616c9b6759ae6ce9d0be0

SHA1
6a77d003902366d05d546e00159e12bc08122b4c

SHA256
84edda215382e580476eb3715e170f148b9713c0f562173a80385255963159ae

SHA512
19438a0d8f6e609da710a40172a8421c331dae5d76ed68d124c275f5159f1da5dca6885e29b4ae85b70ccfe0110acdb0e3502ab532a3a59b8f5a8645edd30961

Download Submit
C:\Windows\System\CZQlfut.exe

Filesize
5.7MB

MD5
71c2e3881e01b4a3c45264feef637c14

SHA1
c81ce20cd5f1bc1d4bb27fc528e213e66b0bd79e

SHA256
2db5ed06467915833663368397201a3587fbba325000c945c46215dbb19d2ba6

SHA512
b509d78b29676e4845c6ab60e20bd1ffa26750a344d8c6546ab6e9a9fcf47ac2c822e4fe9e1dfa8b15d0b129a9ab184063fb7cc598ed7c76fb632f1c11eddc1d

Download Submit
C:\Windows\System\DxvHoma.exe

Filesize
5.7MB

MD5
6906aa5925431feaac464ba0afbef4e9

SHA1
dd6d443f7482aba982ed4762fce4836c2b85a366

SHA256
c7c7207eb709f260a59de513ed708c56660e908d7d7a277a062655292cb7ceca

SHA512
5e097f6c8eb2520e53d8b66a86ebd2d73fc30b9af35d8024a92a75777a8c9d3ec15c12a42606b3aa182dfc088d3e0437b02f97c2930690aea84086d807778d47

Download Submit
C:\Windows\System\DztRmbI.exe

Filesize
5.7MB

MD5
d2915e0e465409b34a276bae03ea1ebe

SHA1
3b33a14e8eca1bd102a9d1eaf60595f85d1d24b5

SHA256
553f0569e375b381e050f7da16b2c9d04c43588d4f7c332a57fe9a89b22d09ad

SHA512
aa3dc1b42f39e0e129143b50a0cd6140bce3f818dcf61035a4463bcc80e1cee4b834d482e26269fcd962cbf3d4a2618403bc1cb57e3cd1ee9b9148ec58d90d13

Download Submit
C:\Windows\System\FpHvHEE.exe

Filesize
5.7MB

MD5
8382927e96bb1e5b5bb0d982cd1f1ae7

SHA1
f0aca3f96ae50d0d09342b1c8f9b1d9766d90cff

SHA256
db567969dae793593aad653d9da793babd48a2790f3fc68771ca548efda16759

SHA512
49c4b3c302ea197cb2921047e269fd9243dd3f6da6800e94db6e15b67ecd8ea2593d8f6bf36404664c9028fcfdaae11ec10b9fbd70eae5ad5b7ac8c67b5deba7

Download Submit
C:\Windows\System\HQkyBSJ.exe

Filesize
5.7MB

MD5
ad60f1ba71384a5ec65c9aaf848052e5

SHA1
f046404c66b310246da76c2bb2176603580aa3cc

SHA256
9136e99fb0b24668b69efa0595ca0dc02fba2f4b01bb263e6b7c523002ef5987

SHA512
1a9d4a9489d6f7b22568089b55cbe5b69bb1125cbb9dc1dbfaacede105c635a796cc4cfe76b5216f710b52590472eadbad59005f3c6ffa5821961d81fb978074

Download Submit
C:\Windows\System\KJBVxde.exe

Filesize
5.7MB

MD5
21c3dd3aa670cda912b9deb0de149436

SHA1
910c4b34e5b3b2ba9886f88b7b50fd312a7f324a

SHA256
04702f61b5ce23e625cf2c601f966f8a378b764d9482799282e581125435e341

SHA512
55be83fff0c48de58aaa43a35329e2bee6d124cb549a05c2a63670afae8be528e2fedd7378e14f7c5c37492cd85e0fcc428608e575555ea116bb717b51f93f9a

Download Submit
C:\Windows\System\MCfxgVq.exe

Filesize
5.7MB

MD5
fed15608ad3afc260b0148d70cede623

SHA1
a23967c755e12d940eb4824503f5108d7d04bab5

SHA256
fa14cea64508cf0f4a83f8f31d71921616222077507fcabab701bef26f1b4d11

SHA512
5f2d41d00bfa8f1e45b6e99459a5326cb59d0fe449162ba1a94adc615b6fd825b88d1edca6b0bd5f168767b29436ae3b90ba09b69b39517efd3656f95135a508

Download Submit
C:\Windows\System\VjLHsBX.exe

Filesize
5.7MB

MD5
b6b734448bf64d233e06c42eeb49da39

SHA1
d5adb3ca2115614e7d9090dae49dfb2d152f0b9f

SHA256
46c60f4527714a16e22df8f70ad935faedf5e7b14ab7fa0fcb2932975c06107d

SHA512
d0308b63bb6f05875801bb151bf8e3428c2a1691ae3fb3b3c5b8ee8b7fd1a037eef21f493b0ba4a687a79f5c2cd3df1fb8e8ac9594e768c30aac618dd70c11f2

Download Submit
C:\Windows\System\XccFEvo.exe

Filesize
5.7MB

MD5
067ee2501c8c5bcc1c8021266eb41169

SHA1
1ebc72c42610b262d444fe2b64322d1890040019

SHA256
c0d3296a6e727ad16d111ead8f71123d59638621e96c4820d218a09ae57ef64c

SHA512
0a7bfcb4203431f688849d8270497f334f2e0e0a33a8414a34cd6cb9710e84bdc9fadd93b73f51e71f5494448122b4c19369d797e146b12f0f08c4aa5f70d345

Download Submit
C:\Windows\System\ZRtahdp.exe

Filesize
5.7MB

MD5
c99a3431692af375265a08ba7cfa5dc8

SHA1
4a321bc7425e047e4292a12c474f034b135b2679

SHA256
700b738fda9dd1de9bf160236a27aaebe5db72e37b2a998a9fdd1b63e5643934

SHA512
00de26eb188b5a2e8ae852321d5e5eb9fb291b552e017024b3e2aa59c10d99ae6cc068cf45917e87bf439460f666a9de46d6aab7ef0d49ed73adfea14b9e5d59

Download Submit
C:\Windows\System\aZZXaRw.exe

Filesize
5.7MB

MD5
d58c499b5011a3831f922146098e330a

SHA1
a8889d5609425bf9b01f65e3a1f42f6b38e71c00

SHA256
18aeb266fba4adb09b4da001ac3f75684c9c0796e75f3b4d5eeac140df471d05

SHA512
6c35cf6f5b9da1f09d6acb9fd28f213a69ea9c1638bf657b7efbd18e701d9ee367158c7f8c495dde04759e0da35be3df8ddd33e9ade1641419a14efb8b1c2ecc

Download Submit
C:\Windows\System\cISkXRB.exe

Filesize
5.7MB

MD5
ecaf41c1f1fdce749082e8972ad0628d

SHA1
0ddd65a171d0b2547536f4c453c0491027114964

SHA256
42146ced098d3558f61853ef9bbe1c1c8e412943d528639bdb5a66f080afddc4

SHA512
8922c03e6da97ea767fc72579213b4c585a87a12a12b64b4a3140b6d7da4f2e48ca2fdb96579152698a7c643532441f543cf3e8b4b6616b7dedfdb4831b0485e

Download Submit
C:\Windows\System\dAeIRVM.exe

Filesize
5.7MB

MD5
2a64acddb8d6e8bec62cb69632399e2c

SHA1
8b1c12e13f0d5155b5c08d05c838916c9aa65d07

SHA256
aee56f72e798a353dcbbf09084af03fb0dd9308e8b3c01f6583643143a34af19

SHA512
7656e01b38239ac0d5075ec7ada0ae42c841ec599fe8abf5db6ddff18eef403dc31f0fa2b582f17fcbe03b5da14f5588253e3fcb2096a823889451c163499e4d

Download Submit
C:\Windows\System\dlaBaVi.exe

Filesize
5.7MB

MD5
172f792e9beef832e69b7f5a9385e774

SHA1
c1226b9ac1a250b03da23c24d7bba56694b1cf27

SHA256
ca1c396762f2fffbd03ce85c69fc7fe5c007606ef42bb07eaf73afb81188a4b7

SHA512
c7a7cbe5ebb78374fe323a1df92ea3c425f8bf31b08b91d0aa092cbcf76f6e5096d1328b3379ae9d2e47435acab66ad9ea280d5453a556ca7c549eb55e0602bf

Download Submit
C:\Windows\System\mDlFSxL.exe

Filesize
5.7MB

MD5
cd6398bc5c4ace2d4bcd3e9d150ce911

SHA1
93370f63afb3fd9d254d8df4308d6af70ae210d8

SHA256
c19688aa12b2b1a18c01dd65da9447e4dea0eedb765a06b72b883dc9171f78f9

SHA512
b6c41a791369c593fdf3657ae7aba38baf81a665d83d9cd0dc2d3b2efb1fa243d48d6dafddb43f09db4db3936c15b1c10c1571fa4d82778831cf5e7c81cbd42c

Download Submit
C:\Windows\System\nQbxRer.exe

Filesize
5.7MB

MD5
fc82324bda61126815a8c7af3bace377

SHA1
3ea5b3e68888d60c207302bdbf8b52f959d487ab

SHA256
00fdfcdaa0c7e4da035b922e7df6281db1ab164441642a628707a7e1de545753

SHA512
2c24f068a6b183cee0cbe9e2f5a40ae90e68e6ee35b411a0285ac32af9c8ee0452cddf8c03fb006332796fa73369025be0f86973ed6a07105d297171156a661d

Download Submit
C:\Windows\System\oFqUdzC.exe

Filesize
5.7MB

MD5
2804a7d58a7d8fa877e6a306b40f7851

SHA1
676b75817eae404310fdbc848d5c4800d4459360

SHA256
8252c96193c31ee5aec61ac173e9f474e40a6c22d0aec61a874b31fd345bc480

SHA512
3424ff592d27f91ecd3e8e6bce12fc18101e367b154e08f5a579ae484b6ca0314d91bebe5667b054bab35f8dac433b1963e069f39349140595c2e5f0387384fb

Download Submit
C:\Windows\System\qhtMJqN.exe

Filesize
5.7MB

MD5
ebd9b8894d30894ff5d30b4bd4c6942c

SHA1
ae78bd8a8d659b69f2a6ebeb8c571fa0b9e35119

SHA256
1b042bb8a0414a657774c9361a12769961f5eda23ee68d673439e320521b9465

SHA512
33406859fef90e39fbf1f3e86e02bc8700d874d2f0d5886b8a07a360a421eaca6d271a2a944fa95a6e926e6c00aee9733c854df1de477efc09637fcc2fb68c29

Download Submit
C:\Windows\System\uwJihub.exe

Filesize
5.7MB

MD5
92a78b6cdd77df65dd0c7af399b54b75

SHA1
40f71dfb2a709fc00069e7ed053391afcc2fbc48

SHA256
f09fef145d6dc6e76553d4ae34f3ca14f8c69b4c7792b78428623df9191a6dc2

SHA512
a92b2ba78a09c6e8ec95a725801ede652692f6f8563fae6606c76dca7ef2bfbc62111a8049f45e2244cd9d2b2d0c4e9484af78b3cb7775741e99938e8c43dce2

Download Submit
C:\Windows\System\xtJZLcn.exe

Filesize
5.7MB

MD5
b7f0e55031ab39eb6e2ffbb11b2172df

SHA1
29bdd38c16f4d9c3b232585d3402180e01bd12ad

SHA256
f43b5564243ba8b22217162c26da55428675af062760d9702d82c06ef1df0efd

SHA512
362c60de137031eda67dc2a5fa112c5b88aee6b19c425b978e98a064bf8ddb8274424d726f2f63967158a82e28fda2500791d61d43f1a20740029de6536eaefe

Download Submit
memory/400-84-0x00007FF6B6620000-0x00007FF6B696D000-memory.dmp

Filesize
3.3MB

Download
memory/456-11-0x00007FF7435D0000-0x00007FF74391D000-memory.dmp

Filesize
3.3MB

Download
memory/1072-34-0x00007FF61FB20000-0x00007FF61FE6D000-memory.dmp

Filesize
3.3MB

Download
memory/1144-91-0x00007FF6F4D50000-0x00007FF6F509D000-memory.dmp

Filesize
3.3MB

Download
memory/1332-121-0x00007FF72A220000-0x00007FF72A56D000-memory.dmp

Filesize
3.3MB

Download
memory/1728-37-0x00007FF6477E0000-0x00007FF647B2D000-memory.dmp

Filesize
3.3MB

Download
memory/2044-12-0x00007FF6F9980000-0x00007FF6F9CCD000-memory.dmp

Filesize
3.3MB

Download
memory/2244-19-0x00007FF66E590000-0x00007FF66E8DD000-memory.dmp

Filesize
3.3MB

Download
memory/2352-101-0x00007FF7D4150000-0x00007FF7D449D000-memory.dmp

Filesize
3.3MB

Download
memory/2588-43-0x00007FF7D4D70000-0x00007FF7D50BD000-memory.dmp

Filesize
3.3MB

Download
memory/2792-67-0x00007FF6AA3E0000-0x00007FF6AA72D000-memory.dmp

Filesize
3.3MB

Download
memory/2892-81-0x00007FF7401E0000-0x00007FF74052D000-memory.dmp

Filesize
3.3MB

Download
memory/3096-102-0x00007FF6B43E0000-0x00007FF6B472D000-memory.dmp

Filesize
3.3MB

Download
memory/3144-114-0x00007FF75A200000-0x00007FF75A54D000-memory.dmp

Filesize
3.3MB

Download
memory/3328-55-0x00007FF644250000-0x00007FF64459D000-memory.dmp

Filesize
3.3MB

Download
memory/3460-61-0x00007FF67A990000-0x00007FF67ACDD000-memory.dmp

Filesize
3.3MB

Download
memory/3588-73-0x00007FF7D6FE0000-0x00007FF7D732D000-memory.dmp

Filesize
3.3MB

Download
memory/3764-126-0x00007FF6DF410000-0x00007FF6DF75D000-memory.dmp

Filesize
3.3MB

Download
memory/4472-27-0x00007FF6E0050000-0x00007FF6E039D000-memory.dmp

Filesize
3.3MB

Download
memory/4604-49-0x00007FF6C1610000-0x00007FF6C195D000-memory.dmp

Filesize
3.3MB

Download
memory/4780-109-0x00007FF6AE430000-0x00007FF6AE77D000-memory.dmp

Filesize
3.3MB

Download
memory/5056-0-0x00007FF6A78B0000-0x00007FF6A7BFD000-memory.dmp

Filesize
3.3MB

Download
memory/5056-1-0x000001EFBDA60000-0x000001EFBDA70000-memory.dmp

Filesize
64KB

Download