Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14-11-2024 10:24

General

  • Target

    2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe

  • Size

    8.5MB

  • MD5

    6f88e3e2ecfbd8461e41f4cb739d4dc6

  • SHA1

    b14f444f59a6c9558a0bf5197f8d0c7a42863a4c

  • SHA256

    ee8069f0f29c0d77377e9280367ec42a46430dc988dcff428c12a2566f02ff63

  • SHA512

    7592850b9dea8f6ff6062d1e557cddeca7cf6978dde064a9b1950d012c359904a007fe3756663d77b20d708651d7ba80059183614a9e87c6e7833e5530e39087

  • SSDEEP

    98304:GO+lCFVnx3wIowdE9wvXckt06y/5P9DB3f49mFSmFh53qt:T+Gj3wI+9YSf5PZVImFTpM

Malware Config

Signatures

  • Uses browser remote debugging 2 TTPs 1 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4964
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default --restore-last-session --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data"
      2⤵
      • Uses browser remote debugging
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\google\chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbba6ccc40,0x7ffbba6ccc4c,0x7ffbba6ccc58
        3⤵
        PID:3276
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1484,i,2933793761937621976,12601741636072194883,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1472 /prefetch:2
          3⤵
          PID:4460
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1848,i,2933793761937621976,12601741636072194883,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1844 /prefetch:3
            3⤵
            PID:3172

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \??\pipe\crashpad_2148_SSCMJENWUGZTYINR

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e