File name:	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch
Full analysis:	https://app.any.run/tasks/09a34de2-b867-411c-b8dc-ba98daaa2b57
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 20:27:02
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	golang arch-exec arch-doc python
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 14 sections
MD5:	F9DFD80E29F67A04DF8A3260BFE0EAA8
SHA1:	F4ACCFCC71C88DF50087ECF56A610E78736346B0
SHA256:	7A74B7F7FDA52C8897A0B788A26425D44E7A664F99B806CD9402C58EE3C1A56A
SSDEEP:	98304:F9pZYkzdaaOhPn+jpQAGNV22Y6naY5sMKfRC5BETE3QYrCKJXowPJon86S78P4yi:FKfJ

.exe	\|	Win64 Executable (generic) (87.2)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	3
CodeSize:	2400768
InitializedDataSize:	256512
UninitializedDataSize:	-
EntryPoint:	0x5c350
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line


(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\python311.zip
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2876) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

PID	Process	Filename		Type
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\python.exe		executable
		MD5:B6EF5717317F6300D663ED9559EE9967	SHA256:4FB049EEDDD221E5470CD33177299DD13F85EBA25BEEF7ACED7A0890AD85181F
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\pythonw.exe		executable
		MD5:9D0F19A3FDF077FC90CB1055018669FD	SHA256:695EC4080F596F485E4E36DE383A32F18042BC13620CF93BA5708EC354B6CA0D
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\python311.dll		executable
		MD5:5A5DD7CAD8028097842B0AFEF45BFBCF	SHA256:A811C7516F531F1515D10743AE78004DD627EBA0DC2D3BC0D2E033B2722043CE
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\_asyncio.pyd		executable
		MD5:79F71C92C850B2D0F5E39128A59054F1	SHA256:0237739399DB629FDD94DE209F19AC3C8CD74D48BEBE40AD8EA6AC7556A51980
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\python3.dll		executable
		MD5:B711598FC3ED0FE4CF2C7F3E0877979E	SHA256:520169AA6CF49D7EE724D1178DE1BE0E809E4BDCF671E06F3D422A0DD5FD294A
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\unicodedata.pyd		executable
		MD5:AA13EE6770452AF73828B55AF5CD1A32	SHA256:8FBED20E9225FF82132E97B4FEFBB5DDBC10C062D9E3F920A6616AB27BB5B0FB
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\pyexpat.pyd		executable
		MD5:9C21A5540FC572F75901820CF97245EC	SHA256:2FF8CD82E7CC255E219E7734498D2DEA0C65A5AB29DC8581240D40EB81246045
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\LICENSE.txt		text
		MD5:EBCF45A479F291A0D965EA60B5F1C30B	SHA256:616FA565945ECA2F0E0A5440B3973FED7D5291622B90849212077FE68E27DCB0
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\winsound.pyd		executable
		MD5:1C856FABFF6967DD21ADE8338E15D637	SHA256:63ED931F692B63A8D6D7948BD8EF3B6C678B57C0C0574BF649F783C602B4E7E4
1852	2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch.exe	C:\Users\admin\AppData\Roaming\Suh\python_portable\_bz2.pyd		executable
		MD5:3859239CED9A45399B967EBCE5A6BA23	SHA256:A4DD883257A7ACE84F96BCC6CD59E22D843D0DB080606DEFAE32923FC712C75A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.39:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.24.77.39:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6012	RUXIMICS.exe	GET	200	184.24.77.39:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6012	RUXIMICS.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	151.101.0.223:443	https://www.python.org/ftp/python/3.11.4/python-3.11.4-embed-amd64.zip	unknown	compressed	10.1 Mb	whitelisted
1472	rundll32.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
1472	rundll32.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6012	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	184.24.77.39:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.24.77.39:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6012	RUXIMICS.exe	184.24.77.39:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.74.206	whitelisted
crl.microsoft.com	184.24.77.39 184.24.77.33 184.24.77.34 184.24.77.41 184.24.77.38 184.24.77.40 184.24.77.31 184.24.77.6 184.24.77.32	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
www.python.org	151.101.0.223 151.101.64.223 151.101.192.223 151.101.128.223	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
x1.c.lencr.org	2.16.252.233	whitelisted
self.events.data.microsoft.com	20.42.72.131	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound

General Info

2025-06-21_f9dfd80e29f67a04df8a3260bfe0eaa8_cobalt-strike_poet-rat_sliver_snatch

F9DFD80E29F67A04DF8A3260BFE0EAA8

F4ACCFCC71C88DF50087ECF56A610E78736346B0

7A74B7F7FDA52C8897A0B788A26425D44E7A664F99B806CD9402C58EE3C1A56A

98304:F9pZYkzdaaOhPn+jpQAGNV22Y6naY5sMKfRC5BETE3QYrCKJXowPJon86S78P4yi:FKfJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

The process drops C-runtime libraries

Process drops legitimate windows executable

Executable content was dropped or overwritten

Process drops python dynamic module

Connects to unusual port

INFO

Reads the software policy settings

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Detects GO elliptic curve encryption (YARA)

Application based on Golang

The sample compiled with english language support

Creates files or folders in the user directory

Python executable

Manual execution by a user

Reads security settings of Internet Explorer

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings