d336273cee697dec1b8f9e1643005a2cd8b80305e9f8dc257ab69d2322f38927

Analysis

max time kernel
91s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe
Size

14.6MB
MD5

0d53256905411410fcfbbbcda13abdbb
SHA1

cdea834f452864559cf7471614948cbc575e0fcb
SHA256

d336273cee697dec1b8f9e1643005a2cd8b80305e9f8dc257ab69d2322f38927
SHA512

d6d2f8973cfda896edd0869a76773d14dc9a866be31fd1629c8cc9139ff18f1c7d84a6321cac1369d254eb64edb6bc7f7ba3d905c0622a6e5dc84faa813122f9
SSDEEP

98304:3FM5G8lhjLZgAZV+zSnlRh+4k54AjnK0NW9cDF0F3gpLDv0hsi2J//ZczCJR7NW+:346ze+BjjMELDRim//ZcuJR7NWjMZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Kills process with taskkill 15 IoCs

evasion

pid	Process
704	taskkill.exe
2372	taskkill.exe
3516	taskkill.exe
4588	taskkill.exe
1920	taskkill.exe
2956	taskkill.exe
5040	taskkill.exe
4924	taskkill.exe
1204	taskkill.exe
4784	taskkill.exe
3608	taskkill.exe
3076	taskkill.exe
232	taskkill.exe
3592	taskkill.exe
2936	taskkill.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	5040	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2372	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	87
PID 228 wrote to memory of 2372	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	87
PID 228 wrote to memory of 1204	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	89
PID 228 wrote to memory of 1204	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	89
PID 228 wrote to memory of 3516	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	90
PID 228 wrote to memory of 3516	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	90
PID 228 wrote to memory of 4588	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	91
PID 228 wrote to memory of 4588	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	91
PID 228 wrote to memory of 3608	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	92
PID 228 wrote to memory of 3608	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	92
PID 228 wrote to memory of 1920	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	93
PID 228 wrote to memory of 1920	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	93
PID 228 wrote to memory of 2956	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	94
PID 228 wrote to memory of 2956	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	94
PID 228 wrote to memory of 5040	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	95
PID 228 wrote to memory of 5040	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	95
PID 228 wrote to memory of 4924	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	96
PID 228 wrote to memory of 4924	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	96
PID 228 wrote to memory of 3076	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	97
PID 228 wrote to memory of 3076	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	97
PID 228 wrote to memory of 232	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	98
PID 228 wrote to memory of 232	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	98
PID 228 wrote to memory of 4784	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	99
PID 228 wrote to memory of 4784	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	99
PID 228 wrote to memory of 3592	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	100
PID 228 wrote to memory of 3592	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	100
PID 228 wrote to memory of 704	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	101
PID 228 wrote to memory of 704	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	101
PID 228 wrote to memory of 2936	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	102
PID 228 wrote to memory of 2936	228	2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_0d53256905411410fcfbbbcda13abdbb_frostygoop_luca-stealer_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM kometa.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM orbitum.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM centbrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM 7star.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM sputnik.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM vivaldi.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM epicprivacybrowser.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM uran.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM yandex.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM iridium.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.5

Filesize
16B

MD5
9f36605efba98dab15728fe8b5538aa0

SHA1
6a7cff514ae159a59b70f27dde52a3a5dd01b1c8

SHA256
9c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd

SHA512
1893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.bak

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit