Analysis

max time kernel: 123s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/03/2025, 12:36
Behavioral task: behavioral1
Sample: 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
Resource: win10v2004-20250217-en
General

Target: 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
Size: 8.3MB
MD5: 7b0ac74f2376c54583fa3e8733a1cd48
SHA1: 6c2365f7f3b35b4fb4af1b9d389b9b3e9fd9cd91
SHA256: a346e1a3fc47d97c252d090e356b36f9bec6792b7206b4a38e531c754e72c3d4
SHA512: af61495a70aa698ab4249665d44f341c92a4c0bbd8165d65500ec93b25f64ec92e922828d8fba0b70b7885543652b0e81bed4502c8afebfa8181ffba3a7ea66c
SSDEEP: 98304:sRIAB5BpuaeE99e65N4E0XwuK+xmgQGjrFIpFAjOiz0UAim:sRtB5rfd5N4bXwuK+RNIpF8OiAl
Malware Config
Signatures
System Location Discovery: System Language Discovery    1 TTPs    3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Note: this is a low-signal heuristic on its own; in this very trace the same key is opened by cmd.exe and whoami.exe, which read it as part of normal locale initialisation, not only by the sample.

description    ioc    Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    whoami.exe
GoLang User-Agent    64 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

description: HTTP User-Agent header
ioc: Go-http-client/1.1
flows (64): 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 23, 25, 26, 27, 28, 29, 31, 32, 33, 34, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 62, 63, 64, 65, 66, 67, 70, 71, 72, 73, 74, 75, 76, 77
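The signature above fires because Go's net/http client sends "Go-http-client/1.1" (or "Go-http-client/2.0" over HTTP/2) whenever the program never sets its own User-Agent header, and every one of the 64 flows in this run carries that value. As an added example that is not part of the sandbox report, the following Python detector runs the same check over proxy-log lines and then clusters hits per (client, server) pair, which is the baselining step a practitioner needs because legitimate Go tooling sends the identical header. The log lines, IP addresses and the tab-separated log shape are constructed for the example.

```python
"""Detect Go's default User-Agent in HTTP logs and cluster hits per client/server pair.

Added example, not part of the sandbox report. The proxy log below is constructed:
tab-separated fields flow_id, client, server, user_agent.
"""
import re
from collections import Counter

# Exact match on purpose: a UA that merely contains the string (a wrapper that
# appends its own suffix, a different casing) is a different, weaker signal.
GO_DEFAULT_UA = re.compile(r"^Go-http-client/(1\.1|2\.0)$")

# Constructed proxy log: flow_id \t client \t server \t user_agent
SAMPLE_LOG = """\
3\t10.0.0.5\t203.0.113.10:443\tGo-http-client/1.1
4\t10.0.0.5\t203.0.113.10:443\tGo-http-client/1.1
5\t10.0.0.5\t203.0.113.10:443\tGo-http-client/1.1
6\t10.0.0.5\t203.0.113.10:443\tGo-http-client/1.1
7\t10.0.0.5\t203.0.113.10:443\tGo-http-client/1.1
8\t10.0.0.7\t198.51.100.20:80\tMozilla/5.0 (Windows NT 6.1; Win64; x64)
9\t10.0.0.9\t192.0.2.30:9090\tGo-http-client/1.1
10\t10.0.0.5\t203.0.113.10:443\tGo-http-client/1.1
11\t10.0.0.7\t198.51.100.20:80\tgo-http-client/1.1-custom
"""


def parse_log(text):
    """Parse the tab-separated log into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        flow_id, client, server, ua = parts
        records.append({"flow": int(flow_id), "client": client, "server": server, "ua": ua})
    return records


def go_default_ua_flows(records):
    """Sorted flow ids whose User-Agent is exactly Go's default."""
    return sorted(r["flow"] for r in records if GO_DEFAULT_UA.match(r["ua"]))


def beacon_candidates(records, min_flows=5):
    """(client, server) pairs with at least min_flows default-Go-UA flows.

    The threshold is the baselining step: one Go process talking once to one
    endpoint (metrics scrapers, container tooling) is routine, while one client
    repeatedly reaching one server with the unchanged default UA deserves a look.
    """
    pairs = Counter(
        (r["client"], r["server"]) for r in records if GO_DEFAULT_UA.match(r["ua"])
    )
    return {pair: n for pair, n in pairs.items() if n >= min_flows}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("default Go UA flows:", go_default_ua_flows(recs))
    for (client, server), n in beacon_candidates(recs).items():
        print(f"{client} -> {server}: {n} flows with Go default User-Agent")
```

Flow 9 (a single Go client to a :9090 endpoint) and flow 11 (a non-default variant of the string) are deliberately left unflagged by the default threshold; the point of the second function is that the header alone is not an alert, the repetition from one host to one server is.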
Suspicious use of AdjustPrivilegeToken    1 IoCs

description    pid    Process
Token: SeDebugPrivilege    1272    whoami.exe
Suspicious use of WriteProcessMemory    8 IoCs

description    pid    Process    procid_target
PID 1624 wrote to memory of 2760    1624    2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe    30    (4 events)
PID 2760 wrote to memory of 1272    2760    cmd.exe    32    (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe  (PID 1624)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\cmd.exe  (PID 2760)
       command line: cmd /c whoami
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\whoami.exe  (PID 1272)
            command line: whoami
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
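The process tree is the most actionable part of this report: a binary in the user's Temp directory runs cmd.exe with "/c whoami", and the cmd.exe in question is the SysWOW64 copy, which on x64 Windows means the caller was a 32-bit process (file-system redirection hands a 32-bit parent the 32-bit cmd.exe). As an added example that is not part of the sandbox output, the following Python hunt walks process-creation events for exactly that chain. The PIDs 1624 -> 2760 -> 1272, the image paths and the command lines are taken from the tree above; the parent PID 900 for the sample, the explorer.exe parent and the interactive-cmd chain are constructed so the filter has a benign case to ignore.

```python
"""Hunt for: user-writable-dir binary -> cmd.exe /c whoami -> whoami.exe.

Added example, not part of the sandbox report. Events are in the shape of a
process-creation log (the fields Sysmon event ID 1 carries); the benign chain
and the parent PIDs 900 and 500 are constructed.
"""
import re
from dataclasses import dataclass

# Path and file name as shown in the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed event list: the report's chain plus a benign interactive one.
EVENTS = [
    ProcEvent(1624, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2760, 1624, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c whoami"),
    ProcEvent(1272, 2760, r"C:\Windows\SysWOW64\whoami.exe", "whoami"),
    # Benign: an admin opens an interactive cmd from explorer and types whoami.
    ProcEvent(3000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(3120, 3100, r"C:\Windows\System32\whoami.exe", "whoami"),
]

# Locations a signed OS component is not expected to be launched from.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData)\\", re.IGNORECASE)
CMD_IMAGE = re.compile(r"\\(System32|SysWOW64)\\cmd\.exe$", re.IGNORECASE)
# "/c whoami": cmd was told to run one command and exit, not opened as a shell.
NONINTERACTIVE_WHOAMI = re.compile(r"(^|\s)/[cC]\s+whoami\b")


def find_recon_chains(events):
    """Return (origin_pid, cmd_pid, whoami_pid) for every chain
    user-writable image -> cmd.exe /c whoami -> whoami.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\whoami.exe"):
            continue
        cmd = by_pid.get(e.ppid)
        if cmd is None or not CMD_IMAGE.search(cmd.image):
            continue
        if not NONINTERACTIVE_WHOAMI.search(cmd.cmdline):
            continue
        origin = by_pid.get(cmd.ppid)
        if origin is None or not USER_WRITABLE.match(origin.image):
            continue
        hits.append((origin.pid, cmd.pid, e.pid))
    return hits


def is_wow64_chain(events, cmd_pid):
    """True when the chain's cmd.exe lives under SysWOW64, i.e. the process that
    spawned it was 32-bit: on x64 Windows, file-system redirection resolves
    System32 to SysWOW64 for a 32-bit caller."""
    by_pid = {e.pid: e for e in events}
    return "\\syswow64\\" in by_pid[cmd_pid].image.lower()


if __name__ == "__main__":
    for origin, cmd_pid, who_pid in find_recon_chains(EVENTS):
        print(f"recon chain: {origin} -> cmd {cmd_pid} -> whoami {who_pid}; "
              f"32-bit parent: {is_wow64_chain(EVENTS, cmd_pid)}")
```

The benign chain is rejected on two independent grounds (cmd.exe has no "/c" and its parent is explorer.exe under C:\Windows), so either test alone would have been enough here; keeping both makes the rule survive an attacker who stages from C:\Windows\Temp but still needs the non-interactive "/c" to script the recon.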