cobaltstrike | 4a089402a96c29c7eeae0e231f688ed0ee38def47d2b433ea08ac05cac062920

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

5fb631f211b44ee78557b799e91f3e71
SHA1

ae03955b25d0593a316d6df75bfd65a00cd8453e
SHA256

4a089402a96c29c7eeae0e231f688ed0ee38def47d2b433ea08ac05cac062920
SHA512

add89bf26cfc328b47851b2c04e6fe7cc662242bbdddfc7579c187381afac747fb5dd89ce15c1e9ce9ebef1c4c871061953368efd886145402ade7c1861e9f39
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lU5:j+R56utgpPF8u/75

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b54-5.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b67-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-19.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-21.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b70-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-63.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b71-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b73-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-83.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b76-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b77-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-105.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b79-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-117.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/216-0-0x00007FF74D9C0000-0x00007FF74DD0D000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b54-5.dat	xmrig
behavioral2/files/0x000b000000023b67-11.dat	xmrig
behavioral2/memory/1492-13-0x00007FF669CF0000-0x00007FF66A03D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b69-19.dat	xmrig
behavioral2/memory/2424-25-0x00007FF7F5B80000-0x00007FF7F5ECD000-memory.dmp	xmrig
behavioral2/memory/1188-22-0x00007FF624530000-0x00007FF62487D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b68-21.dat	xmrig
behavioral2/memory/1728-7-0x00007FF6B56D0000-0x00007FF6B5A1D000-memory.dmp	xmrig
behavioral2/memory/3356-31-0x00007FF747E50000-0x00007FF74819D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b6a-29.dat	xmrig
behavioral2/files/0x000a000000023b6b-35.dat	xmrig
behavioral2/files/0x000a000000023b6c-38.dat	xmrig
behavioral2/memory/2436-40-0x00007FF70CB00000-0x00007FF70CE4D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b6d-47.dat	xmrig
behavioral2/memory/1460-49-0x00007FF768340000-0x00007FF76868D000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b6e-53.dat	xmrig
behavioral2/files/0x000a000000023b70-62.dat	xmrig
behavioral2/memory/4036-67-0x00007FF760A10000-0x00007FF760D5D000-memory.dmp	xmrig
behavioral2/memory/1192-64-0x00007FF7AC1A0000-0x00007FF7AC4ED000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b6f-63.dat	xmrig
behavioral2/memory/2384-60-0x00007FF60BAF0000-0x00007FF60BE3D000-memory.dmp	xmrig
behavioral2/memory/640-45-0x00007FF7D3E60000-0x00007FF7D41AD000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b71-70.dat	xmrig
behavioral2/files/0x000a000000023b73-77.dat	xmrig
behavioral2/files/0x000a000000023b74-83.dat	xmrig
behavioral2/files/0x000a000000023b76-92.dat	xmrig
behavioral2/files/0x000a000000023b77-95.dat	xmrig
behavioral2/files/0x000a000000023b75-105.dat	xmrig
behavioral2/files/0x000a000000023b78-108.dat	xmrig
behavioral2/files/0x000a000000023b79-113.dat	xmrig
behavioral2/files/0x000a000000023b7a-117.dat	xmrig
behavioral2/files/0x000a000000023b7b-118.dat	xmrig
behavioral2/memory/1008-126-0x00007FF6CE2C0000-0x00007FF6CE60D000-memory.dmp	xmrig
behavioral2/memory/2296-123-0x00007FF615C40000-0x00007FF615F8D000-memory.dmp	xmrig
behavioral2/memory/1472-120-0x00007FF69D4F0000-0x00007FF69D83D000-memory.dmp	xmrig
behavioral2/memory/4768-109-0x00007FF799260000-0x00007FF7995AD000-memory.dmp	xmrig
behavioral2/memory/532-106-0x00007FF7161A0000-0x00007FF7164ED000-memory.dmp	xmrig
behavioral2/memory/4864-103-0x00007FF6C32D0000-0x00007FF6C361D000-memory.dmp	xmrig
behavioral2/memory/3812-100-0x00007FF68DCA0000-0x00007FF68DFED000-memory.dmp	xmrig
behavioral2/memory/232-85-0x00007FF65C610000-0x00007FF65C95D000-memory.dmp	xmrig
behavioral2/memory/2400-78-0x00007FF62BE40000-0x00007FF62C18D000-memory.dmp	xmrig
behavioral2/memory/1900-74-0x00007FF7B0A20000-0x00007FF7B0D6D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1728	vsqfyCY.exe
1492	RTncBgh.exe
1188	aRBySzU.exe
2424	LfVtAdr.exe
3356	GUcMTSQ.exe
2436	FKcuBLX.exe
640	BqPqFoB.exe
1460	TcGhDou.exe
2384	tQngkbl.exe
1192	rbEIsOq.exe
4036	njQSgDR.exe
1900	tbFunTV.exe
2400	BfGlAde.exe
232	ZwUsoBe.exe
532	lbzeABI.exe
3812	pKLEgCr.exe
4864	rlLauEW.exe
4768	PERRuct.exe
1472	QCyZTpG.exe
2296	LTKLsag.exe
1008	gnBJLhC.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\njQSgDR.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pKLEgCr.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QCyZTpG.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vsqfyCY.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RTncBgh.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LfVtAdr.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rbEIsOq.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aRBySzU.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FKcuBLX.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TcGhDou.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tbFunTV.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BqPqFoB.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lbzeABI.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PERRuct.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rlLauEW.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LTKLsag.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gnBJLhC.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GUcMTSQ.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQngkbl.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BfGlAde.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZwUsoBe.exe	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 1728	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 216 wrote to memory of 1728	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 216 wrote to memory of 1492	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 216 wrote to memory of 1492	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 216 wrote to memory of 1188	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 216 wrote to memory of 1188	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 216 wrote to memory of 2424	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 216 wrote to memory of 2424	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 216 wrote to memory of 3356	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 216 wrote to memory of 3356	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 216 wrote to memory of 2436	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 216 wrote to memory of 2436	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 216 wrote to memory of 640	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 216 wrote to memory of 640	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 216 wrote to memory of 1460	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 216 wrote to memory of 1460	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 216 wrote to memory of 2384	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 216 wrote to memory of 2384	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 216 wrote to memory of 1192	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 216 wrote to memory of 1192	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 216 wrote to memory of 4036	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 216 wrote to memory of 4036	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 216 wrote to memory of 1900	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 216 wrote to memory of 1900	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 216 wrote to memory of 2400	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 216 wrote to memory of 2400	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 216 wrote to memory of 232	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 216 wrote to memory of 232	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 216 wrote to memory of 532	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 216 wrote to memory of 532	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 216 wrote to memory of 3812	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 216 wrote to memory of 3812	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 216 wrote to memory of 4864	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 216 wrote to memory of 4864	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 216 wrote to memory of 4768	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 216 wrote to memory of 4768	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 216 wrote to memory of 1472	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 216 wrote to memory of 1472	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 216 wrote to memory of 2296	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 216 wrote to memory of 2296	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 216 wrote to memory of 1008	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 216 wrote to memory of 1008	216	2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_5fb631f211b44ee78557b799e91f3e71_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\System\vsqfyCY.exe
  C:\Windows\System\vsqfyCY.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\RTncBgh.exe
  C:\Windows\System\RTncBgh.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\aRBySzU.exe
  C:\Windows\System\aRBySzU.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\LfVtAdr.exe
  C:\Windows\System\LfVtAdr.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\GUcMTSQ.exe
  C:\Windows\System\GUcMTSQ.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\FKcuBLX.exe
  C:\Windows\System\FKcuBLX.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\BqPqFoB.exe
  C:\Windows\System\BqPqFoB.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\TcGhDou.exe
  C:\Windows\System\TcGhDou.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\tQngkbl.exe
  C:\Windows\System\tQngkbl.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\rbEIsOq.exe
  C:\Windows\System\rbEIsOq.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\njQSgDR.exe
  C:\Windows\System\njQSgDR.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\tbFunTV.exe
  C:\Windows\System\tbFunTV.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\BfGlAde.exe
  C:\Windows\System\BfGlAde.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\ZwUsoBe.exe
  C:\Windows\System\ZwUsoBe.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\lbzeABI.exe
  C:\Windows\System\lbzeABI.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\pKLEgCr.exe
  C:\Windows\System\pKLEgCr.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\rlLauEW.exe
  C:\Windows\System\rlLauEW.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\PERRuct.exe
  C:\Windows\System\PERRuct.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\QCyZTpG.exe
  C:\Windows\System\QCyZTpG.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\LTKLsag.exe
  C:\Windows\System\LTKLsag.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\gnBJLhC.exe
  C:\Windows\System\gnBJLhC.exe
  2⤵
  - Executes dropped EXE
  PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BfGlAde.exe

Filesize
5.7MB

MD5
01e5d3b2c9cfe89f38d5f8b41437c4be

SHA1
16809cc6ff1ee05fca483e52db6a9de067391518

SHA256
ae708ffacd314da7c728abb984c06af659faf30f56c7beb3b720c97dd9b5bd49

SHA512
d276e446865d3d85ffd02d936826256b763644f6ef75a87aaea62d835f2b4a28a5d3d8a8e1c5be840d88e7dbb9a72ff78c58a0ec3e7895af2f1f496729b5d95b

Download Submit
C:\Windows\System\BqPqFoB.exe

Filesize
5.7MB

MD5
531325ddb6b9523b88ed418e5efc186b

SHA1
a24bd9d1efffd5a3cff264ce46b7b2f8ee3e2950

SHA256
d50906432e90f5177f841d0d64e53c17ae4582ac8a4c0072b613f67ac97d7cb4

SHA512
f4ab1d7123db1af295780088ae7b55ddbce14bcc81d33e1e5807d68a97fb5cca1c5717b003bed95e0f5b69f8a35a2cb40fdfdf992ad9f7ffc388df64680bbfd9

Download Submit
C:\Windows\System\FKcuBLX.exe

Filesize
5.7MB

MD5
85af255fdef3eae0548a6bf962297da5

SHA1
68139718bad8da0cc4382e67492fefcbf33b2e7f

SHA256
2ee8880eb4514760c792baff1933a9f38c62887e482ad3a894ca53ccd75b2c50

SHA512
401820c9d056e78ad8c3b663cf8003c6cba16f8afffc5765f6965db3c2c27b7dbec805bffbb56738dd8ae80e41668e539f155768c048439c9106ec064dcd281c

Download Submit
C:\Windows\System\GUcMTSQ.exe

Filesize
5.7MB

MD5
86480bd7b1678dee27a94be2fb9189b7

SHA1
c714cfc4d7c1af71ba631d666c68ba791bbdf1ce

SHA256
577e28208701cb9d7f1face059c12e7d45d304e99196097b5101470d04c4b0e9

SHA512
434d111788248e56d7d3824b6470a6e5ad616fddaa1ec614b9498b5ef76df057ccf64e4d8dfb5a0d4c2028da7218f1f64ac40704144fb657007db7320b8b1cce

Download Submit
C:\Windows\System\LTKLsag.exe

Filesize
5.7MB

MD5
46f0b5c9f86ae6fe55b0b6307b4a0eed

SHA1
8aeb89736cf891a31e8ef9a9b847c15d719422e4

SHA256
2be85c418d0db7ed135c5e606e05d966d0969cc8f5862feb3157261d6d582d9f

SHA512
1474bd6b5f9188c7ad0e3a1589de7219adda220b33ad740648a582f5faac2301c1db8cbf5be1fae6a49b0b6ebf4a6a69db0b20f840af75ef7313d074cebf28b5

Download Submit
C:\Windows\System\LfVtAdr.exe

Filesize
5.7MB

MD5
730acca7330caf41b1c8682fb86694cf

SHA1
ed2dfc752573869d4debe646d939b555442a9d64

SHA256
bc24607cae65991f3653debd802ed8d3e9fb7443738e49ac45e4b62b6ecbc14f

SHA512
4d725ff247961fe9189ec471a631dcccd340a0e42565e0c1483001fbb3e1013559efec64db01271294c26472c3a3448a9cd9b0691637cac2a5371735bf7d36c3

Download Submit
C:\Windows\System\PERRuct.exe

Filesize
5.7MB

MD5
f2b09e37f5d76e89c81769440638791b

SHA1
4c364c6cd8fbf35df31f62c5fe3f386f911bedfc

SHA256
87e61fbddf891cc87e46de0b3baa87470d2c9c639d1bbc8a9533756bc620eb62

SHA512
200aed9584aa4b8ac06c9b2fac4fa4fe4ac9618d83b0b3667552a67bcf92299899ab8caef413bb0864c6d8b57280816ff52901a35eb31604cc6ec67413c6484a

Download Submit
C:\Windows\System\QCyZTpG.exe

Filesize
5.7MB

MD5
c821ebe688a3c62c9527756396b5b8b7

SHA1
492e60df7393db6bf3d36d8924f2c07bfa0f3c34

SHA256
ba28a97270e682252820335d3c320e0c960abd7cfe6f93f22055e9f684d2767e

SHA512
2841b11e348bca4e9bd5c18c3e4ac62298ef8e0f83fe0e2a29ea1fdc5e2cb88c991fe921e6918b9bc4e7d542471be692a8472d9fe553bc925bf45259fe449285

Download Submit
C:\Windows\System\RTncBgh.exe

Filesize
5.7MB

MD5
4949066890d370fbca7d4beb0801dd73

SHA1
bdd88fe1dda4a01d741cbb46c7ba5f6771016c33

SHA256
4792a134795f933837a62114532d85b56303ae4ae6c64c5f54da668e84f9cc0a

SHA512
f92d5048fdcd5db0ddd6212d244501cf98852f3c0ef16c4508f7846599295a9533326ad50b44172b74683e494821c8133a2b9547b091299c2151aa0152159835

Download Submit
C:\Windows\System\TcGhDou.exe

Filesize
5.7MB

MD5
796b6f1fdc775f5ab2c58df06a9d18bd

SHA1
94d16f1912788457315d63dd737005e1442f0bcf

SHA256
3365296324cd68650ca89424e702bc1d5f66520d7fb3e78106d4da1c289f244f

SHA512
357fc898e1d86d9818ab7702ee8b20294f0d7e5047f91e3a5cb4f1eebf10474a6a06e67c93f94e88d0013f414b6dd8a9a3a78c2a92abda4c05c7437073ad8a71

Download Submit
C:\Windows\System\ZwUsoBe.exe

Filesize
5.7MB

MD5
ed46d376b715a433fa82785893f034eb

SHA1
ecb1ea5d9ad52f21ed4d51fa0fb701e45fc544c9

SHA256
c9f08f23d7a9d4e189a0feae8585314d0485212ff97a7b91c6ad141656b12416

SHA512
ad9be397b0c6d09ef5a5f1e3c8c8b654806a2550a5c6be036365e9b42938016af822d842a8c4f6226e524f919b5d3a7ec26637a79fabd558c71547ee9648082f

Download Submit
C:\Windows\System\aRBySzU.exe

Filesize
5.7MB

MD5
11c3ff8459ec81dbc58be0f6549f7ec9

SHA1
e8d85a8cb93a7774ee2fb3620a97aacfb10217a2

SHA256
bcc2966819306da2d5386486b5d799504b5205cf4fe073e431ffb08ab8abd0a1

SHA512
b2ddf4af0c0f3eb0c0108901385d17d7a082eac0d18af3dc70c3cba1549ea20f1b1c9f81f948967e810567462076279ab9e1a1640cb9799c3ba81ba8e07fecc5

Download Submit
C:\Windows\System\gnBJLhC.exe

Filesize
5.7MB

MD5
3515b81025d5512ce5482f8236bd59ee

SHA1
ccc3a86a66787f294a0de8c1bac0e426cf69c3fb

SHA256
2e550efc84608c61cd35fa63a2039d281044afd514656ca405a9a574ef34d3f7

SHA512
d86754dba660ef45aee020b3c6f9a769b00a8c82d7b6f3f23d64e26297da4864a1bbfc8b5c64677ee9bdf636007965e4f554caa1bfdf534da6dcd988fc2fd2c1

Download Submit
C:\Windows\System\lbzeABI.exe

Filesize
5.7MB

MD5
185a1ab076f8c0fcc6537b965cfbdb50

SHA1
34877428ba3799c0132fba8c18dac45f31cc8ebc

SHA256
a638c38f14c238ed23cec3de747b1484691f8576923c43551e76be55f09d932e

SHA512
ab835852d9fba6ad67647ed16cfe21227e02acf2b8eed58d12998c6b7b02b7c0da153231a98694003bf433a4dfbeb03f2261ded3defedab98efa10546a7eb423

Download Submit
C:\Windows\System\njQSgDR.exe

Filesize
5.7MB

MD5
0abb97e51dcf55bddddab2214ba0f9c1

SHA1
e396e99c7627dd9d81e02dfe9c51f34bfd45d75b

SHA256
16c320faaf9fb2d3975abfd8825fbaa7a4bc4109d681bb56aea935da266c45f0

SHA512
f094266903afd51e0be39acbb33fbaf67c6306fee246c30e2491dc3c5ca8c3d36e6246d1d22682392f925859c47c229b2a2632f3936171f80b62510cbad5f194

Download Submit
C:\Windows\System\pKLEgCr.exe

Filesize
5.7MB

MD5
118ce661d55a507534b763e68ac620b7

SHA1
08b107b5b7eea8e7c8e88cc00af0f776d538ea22

SHA256
2db1a04e1e1b051367b33ee460a0c3b06f5cd09c1bee5f36c3b7d9d5bd7ad5d6

SHA512
005151f8f19a913ce59e701910542f16db82b2d12d9f1306ced9e3a316f406873b67a4df662d9828458d26530057e180ca7dd4ac904bf74d7aada177a95616d2

Download Submit
C:\Windows\System\rbEIsOq.exe

Filesize
5.7MB

MD5
ab90a3552ecb78b600db43cde3059b04

SHA1
01aaa4433b44804f82db8096cf393ec07a980dc0

SHA256
5c4a14b1691b49500fb314695ae73e382ea16ba1091a7b50c00fda6af9223d55

SHA512
729f443651be279264ee0effb11eed384120606d9cc1a4e5b18c30169d42d74e290c81ab65093a819f23a415f945f90878bcc9883ad81e72ef8515de69cdfc5c

Download Submit
C:\Windows\System\rlLauEW.exe

Filesize
5.7MB

MD5
e0523fca51c98139413cd9208a508626

SHA1
31be16c3f15e148da6d09b51fad4e5fd24bdf3fa

SHA256
bf4fefaedd246974f091dd5472adb17820c1ac1bb3fe000ddaab0946a3f0f7d3

SHA512
0b4a9e6e657e2a407306e8d898064d8676e25f1ef30c5ec270ee06959f8d560d4d2254ae335f8bb58c0eb5f4a1d40164b591765c7a96bb48404e5b1bbf664f00

Download Submit
C:\Windows\System\tQngkbl.exe

Filesize
5.7MB

MD5
f9fc7114af0bf18afcf7eaff6b60d85b

SHA1
45607b78fe121ed8807a7141e5d4e4d7f754b3ce

SHA256
54d0f1fecd041bb0972cc925292fbc0530efd3fabb369a75f6a118456b157a6d

SHA512
620f24888d9a141203f0f1325cec560c8e00ff32bca22fd13cb35406b9c6108fe00e247ef282fa00289ff1c5604d5f9f5d39395e9c809aef877674c9087839d6

Download Submit
C:\Windows\System\tbFunTV.exe

Filesize
5.7MB

MD5
351d7ea9ea17ab6958a9420e0f8e586e

SHA1
353fbb79814dec4c705ce6333897223f68f67887

SHA256
014fb16ef189bc778233b9a5c1af895a62d782932db133d4cd2dc53083898758

SHA512
6c689424062e7e3307f4dacb77e34f48707621fc4ac0fc91c4b900c4401d55e8eefa67872b06bdc015bc06aa18670037140251336c4785c4b95ec5779e89d84f

Download Submit
C:\Windows\System\vsqfyCY.exe

Filesize
5.7MB

MD5
4ef43d97b2a4a7c74259a703dccf3c77

SHA1
3c0af64741f115f727e9116393a54496810bcd8b

SHA256
e4227c3f63eec14cf9e2692f07198399f00bd70564697bd56fba672b87c6d71f

SHA512
bda24184e1ba41ca7423b77d754bb47e8dea69044e08b5ed0b7085770de59ca5165513d15021a19636bd0464c4265bcf09558ee42a1dc906eb3a5ca52915df99

Download Submit
memory/216-1-0x000001F7F46D0000-0x000001F7F46E0000-memory.dmp

Filesize
64KB

Download
memory/216-0-0x00007FF74D9C0000-0x00007FF74DD0D000-memory.dmp

Filesize
3.3MB

Download
memory/232-85-0x00007FF65C610000-0x00007FF65C95D000-memory.dmp

Filesize
3.3MB

Download
memory/532-106-0x00007FF7161A0000-0x00007FF7164ED000-memory.dmp

Filesize
3.3MB

Download
memory/640-45-0x00007FF7D3E60000-0x00007FF7D41AD000-memory.dmp

Filesize
3.3MB

Download
memory/1008-126-0x00007FF6CE2C0000-0x00007FF6CE60D000-memory.dmp

Filesize
3.3MB

Download
memory/1188-22-0x00007FF624530000-0x00007FF62487D000-memory.dmp

Filesize
3.3MB

Download
memory/1192-64-0x00007FF7AC1A0000-0x00007FF7AC4ED000-memory.dmp

Filesize
3.3MB

Download
memory/1460-49-0x00007FF768340000-0x00007FF76868D000-memory.dmp

Filesize
3.3MB

Download
memory/1472-120-0x00007FF69D4F0000-0x00007FF69D83D000-memory.dmp

Filesize
3.3MB

Download
memory/1492-13-0x00007FF669CF0000-0x00007FF66A03D000-memory.dmp

Filesize
3.3MB

Download
memory/1728-7-0x00007FF6B56D0000-0x00007FF6B5A1D000-memory.dmp

Filesize
3.3MB

Download
memory/1900-74-0x00007FF7B0A20000-0x00007FF7B0D6D000-memory.dmp

Filesize
3.3MB

Download
memory/2296-123-0x00007FF615C40000-0x00007FF615F8D000-memory.dmp

Filesize
3.3MB

Download
memory/2384-60-0x00007FF60BAF0000-0x00007FF60BE3D000-memory.dmp

Filesize
3.3MB

Download
memory/2400-78-0x00007FF62BE40000-0x00007FF62C18D000-memory.dmp

Filesize
3.3MB

Download
memory/2424-25-0x00007FF7F5B80000-0x00007FF7F5ECD000-memory.dmp

Filesize
3.3MB

Download
memory/2436-40-0x00007FF70CB00000-0x00007FF70CE4D000-memory.dmp

Filesize
3.3MB

Download
memory/3356-31-0x00007FF747E50000-0x00007FF74819D000-memory.dmp

Filesize
3.3MB

Download
memory/3812-100-0x00007FF68DCA0000-0x00007FF68DFED000-memory.dmp

Filesize
3.3MB

Download
memory/4036-67-0x00007FF760A10000-0x00007FF760D5D000-memory.dmp

Filesize
3.3MB

Download
memory/4768-109-0x00007FF799260000-0x00007FF7995AD000-memory.dmp

Filesize
3.3MB

Download
memory/4864-103-0x00007FF6C32D0000-0x00007FF6C361D000-memory.dmp

Filesize
3.3MB

Download