Analysis
-
max time kernel
140s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
02/03/2025, 01:48
General
-
Target
2025-03-02_2650a4aac4785490c38db0f77c1e8a6e_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe
-
Size
17.5MB
-
MD5
2650a4aac4785490c38db0f77c1e8a6e
-
SHA1
4daf7c529eaa414966553f72f23c23f9aebe520a
-
SHA256
b573c9603daf8c4fdf553e4e44dadd7b8c3c9b308375e957caf9532034640b90
-
SHA512
a831513378eac442288ddaa3e8de09b2d54d156aae940f78f883b87a6958e41f609899ab3efacc5a65d4667077c4799a7afeff549d0ccf011764dd6950b3cdf9
-
SSDEEP
196608:4Kr8XiuZPqwFjfMeaGk4JmeV79SBfyenWBRRuBk72GqDEi+7xUWfB:PYXiuNsGk4JPVgBfyeISBkqv8K
Malware Config
Signatures
-
Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for Parallels drivers on disk. 2 TTPs 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
-
Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Looks for VMWare drivers on disk 2 TTPs 2 IoCs
-
Looks for VMWare services registry key. 1 TTPs 7 IoCs
-
Looks for Xen service registry key. 1 TTPs 5 IoCs
-
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Maps connected drives based on registry 3 TTPs 5 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Kills process with taskkill 7 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 24 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-02_2650a4aac4785490c38db0f77c1e8a6e_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-02_2650a4aac4785490c38db0f77c1e8a6e_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"1⤵
- Enumerates VirtualBox DLL files
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Xen via ACPI registry values (likely anti-VM)
- Looks for Parallels drivers on disk.
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Looks for VMWare Tools registry key
- Looks for VMWare drivers on disk
- Looks for VMWare services registry key.
- Looks for Xen service registry key.
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks system information in the registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\preview_6.mp42⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty TotalVisibleMemorySize"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object Id, ProcessName | ConvertTo-Json | Out-File -FilePath \"C:\Users\Admin\AppData\Local\Temp\Vetzejgc\ProcessSnapshot.json\" -Encoding utf8"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" https://greyshare.pics/home2⤵
- Uses browser remote debugging
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdb19cc40,0x7fffdb19cc4c,0x7fffdb19cc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1460,i,3641894272939138944,16447265805230580789,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1452 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1720,i,3641894272939138944,16447265805230580789,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --remote-debugging-port=49422 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2004,i,3641894272939138944,16447265805230580789,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1996 /prefetch:13⤵
- Uses browser remote debugging
- Drops file in Program Files directory
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" https://greyshare.pics/home2⤵
- Uses browser remote debugging
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffdb1a46f8,0x7fffdb1a4708,0x7fffdb1a47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1520,3884285791750006837,5023983611671935129,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1536 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,3884285791750006837,5023983611671935129,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1860 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1520,3884285791750006837,5023983611671935129,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1968 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1520,3884285791750006837,5023983611671935129,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 /prefetch:13⤵
- Uses browser remote debugging
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\preview_6.mp4"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x504 0x5081⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Authentication Process
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
12Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5864122e1e9e89dae92fb84932594ca6f
SHA102e927143f9fd3a8c665b8cadf6bd16d8898e954
SHA256fb74cce7191a24656063949d11c8facc0991b40672f813594f10a413698685a4
SHA512836d89cb5515f8011aa6dc8ca317cc3daa7de8520111e3190b22adeddc6c274a3602e9a2e4212ade9b21df2f9de7f9d7e309d5f645e405f7308478e83ad05e1c
-
Filesize
1KB
MD513bbd5e562606c06ce0f03133743f71d
SHA188979df73e69707d412899b532a68b5de958aa49
SHA2564b3e95d1914cc82bdbed302d54793df3a1216305399f79f5a0a55524e1204211
SHA512beea8205d83fa8c6a9b20031f91efe939f374aa503a4d84f5c84424bc2ce47fbed3d332fe6e3a4f7b44248973368693d12629749523787c9aa3e68fd52214515
-
Filesize
1KB
MD53ac9cb303c4f1d11bd3c22374b939fa4
SHA14a8840be7c0c7579f9b79bd52d6684600668649a
SHA25666cb0ba80cd01956847ae73559b675030a38571df46ddbf7fbaf966260750f74
SHA512e03aaf00d499a5be86364d9693d81d89ca3cb88b338d6df8f4a7fb21103a227427905e54ffff70f48eb2c04a31907c10a8e258aff89b6cbfc49ebe2afa079c9b
-
Filesize
1KB
MD521892d53ac50d50ea44bd5be0a99b808
SHA18a055cfa10e1da62c2caef5c1ef80ff69ffb7ffc
SHA25665b6a439c81b20097a170d9219852baba5118a89f02b620e0552ad7d104c36eb
SHA512618a4b430f780fb7a581f80eb9680027b9d660f7d29a7a71d9e5a52e635145f51379b30ad837cf076e3cf6770f9410bd049546b69971b36faff5dfdb55cf77f8
-
Filesize
1KB
MD54a7d90a84bb2556a8a0ea30564cf769e
SHA1ba7ee184373215bd8fb5e5196e01c714c755509c
SHA256d526fed16d059a59ef2c93e1582584f5b6054e3915fe45e944054293e992b5b9
SHA51259982aaa3e991f3a34b41e0953c519546b0f9ab275551a40cbdf6715ac6b9afb950e60b0aec73b77f749c635898326f12ea41802d6dc5e00e75e65f59204700c
-
Filesize
1KB
MD586d899cf16a071fb23e513bbb97b7b81
SHA18af53e46c3ea36ecc9a8fb287196f58051f5af01
SHA256f82440db6f656d42d8dded7711ed86e04f546efb11c08cf7ec53f22dbf6c9d12
SHA512e574975a1dc20bb02d594948bb61c93d1a8a89e423d43cdc5de064e383a3a52c6c7d20bb7d93c7ee090cffd8f50a301b4ffc66d2c6492cf64ed7d52c3098138f
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
6KB
MD573021912ed2d91f5870a31d7b3600d59
SHA1dbf7a487d7e70b2c68b8b64b62c1e8ee92b8e7b3
SHA2566d5e658285c991f0c041b855e4db4dcdc23f0776c5826cbfdfee2629c68aa6cc
SHA51210871fa2a566cd5dd1bb83a8389464c6f8c58a189f6add1a9b41fc944c90ef6812d00593617cce765b8d6ff546c1ee44f26c0d01517590a204c88d3c565a877a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.2MB
MD517e4cce7696f283f9916ac59ef74ccdd
SHA1ee3ecd3722b712e01b7fbeb6a83e77f4cc9662ca
SHA2568a2d2007d335ff2353c0369831d19b5ac20d66a99f025967f25f68998588873f
SHA512b8eaca5c48e9817277efc657e68e2fc90e2dab5c8881c27088a6dee4cc0971e1643389210a4cb3979d596daa18259d63e507c93139e3154cb4bbdb8cedb8413b
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
68KB
-
Filesize
16.7MB
-
Filesize
92KB
-
Filesize
96KB
-
Filesize
92KB
-
Filesize
100KB
-
Filesize
264KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
132KB
-
Filesize
16.7MB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
2.0MB
-
Filesize
260KB
-
Filesize
116KB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
208KB
-
Filesize
992KB
-
Filesize
288KB
-
Filesize
136KB