Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/03/2025, 12:36
Behavioral tasks

behavioral1
  Sample: 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
  Resource: win7-20241010-en

behavioral2
  Sample: 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
  Resource: win10v2004-20250217-en (the run reported on this page; see the platform and resource fields under Analysis)
General

Target: 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
Size: 8.3MB
MD5: 7b0ac74f2376c54583fa3e8733a1cd48
SHA1: 6c2365f7f3b35b4fb4af1b9d389b9b3e9fd9cd91
SHA256: a346e1a3fc47d97c252d090e356b36f9bec6792b7206b4a38e531c754e72c3d4
SHA512: af61495a70aa698ab4249665d44f341c92a4c0bbd8165d65500ec93b25f64ec92e922828d8fba0b70b7885543652b0e81bed4502c8afebfa8181ffba3a7ea66c
SSDEEP: 98304:sRIAB5BpuaeE99e65N4E0XwuK+xmgQGjrFIpFAjOiz0UAim:sRtB5rfd5N4bXwuK+RNIpF8OiAl
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | whoami.exe
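What this signature is looking at, as an added example (not code from the sandbox or from the sample): the native registry path the sandbox logs is normalised to the HKLM\...\CurrentControlSet form that detection rules use, the rows are grouped per process, and the LCID values stored under NLS\Language are decoded into the language/region pair that lets a sample "infer the geographical location" of the host. The event lines are constructed to mirror the report's "Key opened <path> <process>" rows (the process names, the SID and the two extra paths are made up); the per-user key HKCU\Control Panel\International is an assumed second place to watch, not something the report shows; the LCID table lists documented Windows locale identifiers.

```python
"""What the "System Language Discovery" signature actually looks at.

Added example; not code from the sandbox or from the sample. The registry
events are constructed to mirror the report's "Key opened <path> <process>"
rows (process names, SID and extra paths are made up); the LCID table holds
documented Windows locale identifiers.
"""
import re

# Sandbox and ETW logs record native paths such as
# \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, while rules
# are usually written against HKLM\SYSTEM\CurrentControlSet\...
# Normalise first so ControlSet001 vs ControlSet002 does not split the rule.
_NATIVE_HKLM = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)
_NATIVE_HKCU = re.compile(r"^\\REGISTRY\\USER\\[^\\]+\\", re.IGNORECASE)
_CONTROLSET = re.compile(r"\\SYSTEM\\ControlSet\d{3}\\", re.IGNORECASE)

# Keys whose values reveal the install/user language. The first is the key
# in the report; the second is the per-user equivalent (assumed here).
LANGUAGE_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language",
    r"HKCU\Control Panel\International",
)

# "InstallLanguage" and "Default" under NLS\Language are LCIDs stored as hex
# strings: low 10 bits = primary language, high 6 bits = sublanguage/region.
LCID_TAGS = {
    0x0409: "en-US", 0x0809: "en-GB", 0x0407: "de-DE", 0x040C: "fr-FR",
    0x0411: "ja-JP", 0x0804: "zh-CN", 0x0404: "zh-TW",
    0x0419: "ru-RU", 0x0422: "uk-UA", 0x0423: "be-BY",
}

def normalize_key(path):
    """Rewrite a native registry path into HKLM/HKCU, CurrentControlSet form."""
    path = _NATIVE_HKLM.sub(r"HKLM\\", path)
    path = _NATIVE_HKCU.sub(r"HKCU\\", path)
    return _CONTROLSET.sub(r"\\SYSTEM\\CurrentControlSet\\", path)

def is_language_discovery(path):
    """True if the normalised path is one of the language keys or lies under it."""
    p = normalize_key(path).lower()
    return any(p == k.lower() or p.startswith(k.lower() + "\\") for k in LANGUAGE_KEYS)

def decode_lcid(hex_value):
    """Split an LCID such as "0409" into (primary language id, sublanguage id, tag)."""
    lcid = int(hex_value, 16)
    return lcid & 0x3FF, lcid >> 10, LCID_TAGS.get(lcid, "unknown")

# Constructed events in the report's row format: "Key opened <path> <process>".
EVENTS = r"""Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sample.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language whoami.exe
Key opened \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Control Panel\International sample.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion sample.exe"""

def language_discovery_by_process(text):
    """Map process name -> normalised language keys it opened."""
    hits = {}
    for line in text.splitlines():
        # The key path may contain spaces, so split the process name off the right.
        path, proc = line[len("Key opened "):].rsplit(" ", 1)
        if is_language_discovery(path):
            hits.setdefault(proc, []).append(normalize_key(path))
    return hits

if __name__ == "__main__":
    for proc, keys in language_discovery_by_process(EVENTS).items():
        print(proc, keys)
    print(decode_lcid("0409"))
```

On fidelity: the report itself attributes the same key open to stock cmd.exe and whoami.exe, so an open of NLS\Language is not an alert on its own; it is context for what the sample checks, and the decoded LCID (0409 = en-US here, matching the image's locale:en-us tag) is what a sample would compare against a list of locales it wants to avoid or target.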
GoLang User-Agent (64 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.

  description | flow | ioc
  HTTP User-Agent header | (every flow listed below) | Go-http-client/1.1

  Flows (64, sorted): 12, 16, 17, 27, 28, 31, 36, 37, 44, 45, 51, 52, 53, 54, 55, 56, 59, 61, 84, 85, 86, 94, 95, 96, 97, 99, 100, 105, 108, 109, 111, 113, 114, 115, 116, 117, 118, 119, 121, 123, 124, 125, 126, 127, 128, 129, 131, 132, 136, 138, 139, 141, 142, 143, 146, 147, 148, 149, 150, 151, 153, 154, 156, 157
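The matching logic behind this signature, run over HTTP flow records, as an added example (not code from the sandbox or from the sample). It matches both forms of Go's default User-Agent, anchors the match so a program that merely embeds the string in its own UA is not counted, and then groups hits per destination, which is the first question after seeing 64 such flows in one run. The flow log is constructed (flow numbers, hosts and the non-Go User-Agents are made up) to resemble the report's "HTTP User-Agent header <flow> <value>" rows.

```python
"""Match the "GoLang User-Agent" signature over HTTP flow records.

Added example; not code from the sandbox or from the sample. FLOWS is a
constructed log (flow numbers, hosts and non-Go User-Agents are made up)
shaped like the report's "HTTP User-Agent header <flow> <value>" rows.
"""
import re
from collections import defaultdict

# Go's net/http sends "Go-http-client/1.1" when the program sets no
# User-Agent, and "Go-http-client/2.0" when the request goes over HTTP/2.
# Anchored, so a UA that only contains the string (last row below) is not hit.
GO_DEFAULT_UA = re.compile(r"^Go-http-client/(?:1\.1|2\.0)$")

# One record per flow: "<flow id> <destination host> <User-Agent>" (constructed).
FLOWS = """\
12 203.0.113.10 Go-http-client/1.1
16 203.0.113.10 Go-http-client/1.1
17 203.0.113.10 Go-http-client/1.1
27 updates.example.net Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0
28 203.0.113.10 Go-http-client/2.0
31 203.0.113.10 Go-http-client/1.1
36 mirror.example.org my-go-tool/3.2 (Go-http-client/1.1)
"""

def parse_flows(text):
    """Yield (flow_id, host, user_agent); the UA is the remainder and may contain spaces."""
    for line in text.splitlines():
        flow_id, host, ua = line.split(" ", 2)
        yield int(flow_id), host, ua

def go_default_ua_flows(text):
    """Flow ids whose User-Agent is exactly Go's default, sorted."""
    return sorted(f for f, _, ua in parse_flows(text) if GO_DEFAULT_UA.match(ua))

def flows_per_host(text):
    """Count Go-default-UA flows per destination. Many flows to one host is
    the shape of a beacon; a few flows to many hosts looks like a downloader."""
    counts = defaultdict(int)
    for _, host, ua in parse_flows(text):
        if GO_DEFAULT_UA.match(ua):
            counts[host] += 1
    return dict(counts)

def beaconing_hosts(text, min_flows=3):
    """Hosts that received at least min_flows Go-default-UA flows (threshold is an assumption)."""
    return sorted(h for h, n in flows_per_host(text).items() if n >= min_flows)

if __name__ == "__main__":
    print("go default UA flows:", go_default_ua_flows(FLOWS))
    print("per host:", flows_per_host(FLOWS))
    print("beaconing:", beaconing_hosts(FLOWS))
```

The same anchored match works as a proxy or NIDS rule on the User-Agent header. On its own it is weak evidence: a great deal of legitimate Go software never sets a User-Agent and sends exactly this string, so the hit is worth something only together with the process that opened the connection and the destination it went to.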
Suspicious use of AdjustPrivilegeToken (1 IoC)

  description | pid | process
  Token: SeDebugPrivilege | 3068 | whoami.exe

Suspicious use of WriteProcessMemory (6 IoCs)

  description | pid | process | procid_target
  PID 64 wrote to memory of 1504 | 64 | 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe | 85
  PID 64 wrote to memory of 1504 | 64 | 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe | 85
  PID 64 wrote to memory of 1504 | 64 | 2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe | 85
  PID 1504 wrote to memory of 3068 | 1504 | cmd.exe | 87
  PID 1504 wrote to memory of 3068 | 1504 | cmd.exe | 87
  PID 1504 wrote to memory of 3068 | 1504 | cmd.exe | 87
Processes

2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe (PID 64)
  Image: C:\Users\Admin\AppData\Local\Temp\2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  cmd.exe (PID 1504, child of PID 64)
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c whoami
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    whoami.exe (PID 3068, child of PID 1504)
      Image: C:\Windows\SysWOW64\whoami.exe
      Command line: whoami
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

The parent/child links follow from the WriteProcessMemory rows (64 -> 1504, 1504 -> 3068) and the nesting of the process list. cmd.exe and whoami.exe are started from C:\Windows\SysWOW64 rather than System32, which is the file-system redirection a 32-bit process gets on this x64 image, so the sample runs as a 32-bit process here.
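Rebuilding the tree from the WriteProcessMemory rows and turning the sample -> cmd /c whoami -> whoami.exe chain into a rule, as an added example (not sandbox code). PROCESSES and WPM_ROWS are typed in from the report (PIDs, images and command lines); the sandbox's procid_target column is not needed. RECON_TOOLS and INTERACTIVE_PARENTS are assumed lists that the rule uses, not something the report provides.

```python
"""Rebuild the process tree from the WriteProcessMemory rows and flag the
cmd /c whoami chain.

Added example; not sandbox code. PROCESSES and WPM_ROWS are typed in from
the report. RECON_TOOLS and INTERACTIVE_PARENTS are assumptions for the rule.
"""
from collections import defaultdict

SAMPLE = "2025-03-08_7b0ac74f2376c54583fa3e8733a1cd48_poet-rat_sliver_snatch.exe"

# pid -> (image name, command line), from the Processes section of the report.
PROCESSES = {
    64: (SAMPLE, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    1504: ("cmd.exe", "cmd /c whoami"),      # C:\Windows\SysWOW64\cmd.exe
    3068: ("whoami.exe", "whoami"),          # C:\Windows\SysWOW64\whoami.exe
}

# "PID <writer> wrote to memory of <target>"; the report repeats each pair three times.
WPM_ROWS = [(64, 1504), (64, 1504), (64, 1504), (1504, 3068), (1504, 3068), (1504, 3068)]

def parent_map(rows):
    """Collapse repeated rows into child -> parent. A second, different writer
    into the same target is not process creation, so surface it instead of
    silently overwriting the edge."""
    parents = {}
    for writer, target in rows:
        if parents.get(target, writer) != writer:
            raise ValueError(f"pid {target} written by both {parents[target]} and {writer}")
        parents[target] = writer
    return parents

def chain(procs, parents, pid):
    """Image names from the root down to pid."""
    out = []
    while pid is not None:
        out.append(procs[pid][0])
        pid = parents.get(pid)
    return out[::-1]

def render_tree(procs, parents):
    """Indented lines, two spaces per level, like the Processes section."""
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        image, cmdline = procs[pid]
        lines.append(f"{'  ' * depth}{image} (PID {pid}): {cmdline}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in (p for p in procs if p not in parents):
        walk(root, 0)
    return lines

# Assumed lists: common host-recon binaries and parents from which a user
# would legitimately type such a command.
RECON_TOOLS = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "nltest.exe", "tasklist.exe", "net.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "powershell.exe", "pwsh.exe"}

def recon_chains(procs, parents):
    """(pid, chain) for recon tools run through cmd.exe by something other
    than an interactive shell: <x> -> cmd.exe -> whoami.exe is the case here."""
    found = []
    for pid, (image, _) in procs.items():
        if image.lower() not in RECON_TOOLS:
            continue
        c = chain(procs, parents, pid)
        if len(c) >= 3 and c[-2].lower() == "cmd.exe" and c[-3].lower() not in INTERACTIVE_PARENTS:
            found.append((pid, c))
    return found

if __name__ == "__main__":
    parents = parent_map(WPM_ROWS)
    print("\n".join(render_tree(PROCESSES, parents)))
    for pid, c in recon_chains(PROCESSES, parents):
        print(f"recon chain ending in PID {pid}: " + " -> ".join(c))
```

The writes in the report line up exactly with the parent/child pairs of the tree, which is what a parent starting a child looks like; the signal in this run is the chain itself, an unsigned executable in the user's Temp directory running whoami through cmd /c, not the API name the signature is keyed on.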