Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 10:24

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: 2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe
  Resource: win10v2004-20241007-en

General

Target: 2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe
Size: 8.5MB
MD5: 6f88e3e2ecfbd8461e41f4cb739d4dc6
SHA1: b14f444f59a6c9558a0bf5197f8d0c7a42863a4c
SHA256: ee8069f0f29c0d77377e9280367ec42a46430dc988dcff428c12a2566f02ff63
SHA512: 7592850b9dea8f6ff6062d1e557cddeca7cf6978dde064a9b1950d012c359904a007fe3756663d77b20d708651d7ba80059183614a9e87c6e7833e5530e39087
SSDEEP: 98304:GO+lCFVnx3wIowdE9wvXckt06y/5P9DB3f49mFSmFh53qt:T+Gj3wI+9YSf5PZVImFTpM
Malware Config
Signatures
Uses browser remote debugging (2 TTPs, 1 IoC)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
Processes:
  chrome.exe (PID 2148)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Kills process with taskkill (1 IoC)
Processes:
  taskkill.exe (PID 4964)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  chrome.exe (PID 2148), 2 events

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege           4964  taskkill.exe
  Token: SeShutdownPrivilege        2148  chrome.exe
  Token: SeCreatePagefilePrivilege  2148  chrome.exe
  (the SeShutdownPrivilege / SeCreatePagefilePrivilege pair for chrome.exe PID 2148 repeats in alternation and accounts for the remaining 63 events)

Suspicious use of WriteProcessMemory (49 IoCs)
Processes (description, pid, process, procid_target):
  PID 3088 wrote to memory of 4964  3088  2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe  85  (2 events)
  PID 3088 wrote to memory of 2148  3088  2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe  89  (2 events)
  PID 2148 wrote to memory of 3276  2148  chrome.exe  90  (2 events)
  PID 2148 wrote to memory of 4460  2148  chrome.exe  91  (remaining 41 events)
  PID 2148 wrote to memory of 3172  2148  chrome.exe  92  (2 events)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-14_6f88e3e2ecfbd8461e41f4cb739d4dc6_frostygoop_luca-stealer_poet-rat_snatch.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3088

  C:\Windows\system32\taskkill.exe
    Command line: taskkill /F /IM chrome.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 4964

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default --restore-last-session --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data"
    - Uses browser remote debugging
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2148

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\google\chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\google\chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbba6ccc40,0x7ffbba6ccc4c,0x7ffbba6ccc58
      PID: 3276

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1484,i,2933793761937621976,12601741636072194883,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1472 /prefetch:2
      PID: 4460

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1848,i,2933793761937621976,12601741636072194883,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1844 /prefetch:3
      PID: 3172
Network
MITRE ATT&CK Enterprise v15
Downloads

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the well-known digests of zero-byte input, so the recorded download is empty: no file content was captured.)