Analysis
-
max time kernel
141s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
02/03/2025, 01:50
General
-
Target
2025-03-02_37c310c0b6a96543a2457d5d3df100a5_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe
-
Size
14.7MB
-
MD5
37c310c0b6a96543a2457d5d3df100a5
-
SHA1
e34f3701aebc8e4a0711e230ae11e10df5b1c682
-
SHA256
a613ba091bc25535b066c9b3ffa6c809cc2e981634c916a23b38b6c8402729fb
-
SHA512
c31b746731c2726b299fd36656dd1578daa6fa7f2bb301709a381785b3833d5b2e5632a43b44034c8deb0fec4f0c6a2c7bcebd0e85004b9ef11f94ab9b4fd5d6
-
SSDEEP
196608:Gcj8C4Fu4W7YRpzBT74JmeVPQrWF06TRf:dL4FupU74JPV4rO0+
Malware Config
Signatures
-
Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for Parallels drivers on disk. 2 TTPs 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
-
Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Looks for VMWare drivers on disk 2 TTPs 2 IoCs
-
Looks for VMWare services registry key. 1 TTPs 7 IoCs
-
Looks for Xen service registry key. 1 TTPs 5 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 5 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 24 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-02_37c310c0b6a96543a2457d5d3df100a5_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-02_37c310c0b6a96543a2457d5d3df100a5_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"1⤵
- Enumerates VirtualBox DLL files
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Xen via ACPI registry values (likely anti-VM)
- Looks for Parallels drivers on disk.
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Looks for VMWare Tools registry key
- Looks for VMWare drivers on disk
- Looks for VMWare services registry key.
- Looks for Xen service registry key.
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks system information in the registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\preview_2.mp42⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\preview_2.mp4"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x244 0x5041⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
12Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
1KB
MD5071e40c48b137a5d464968fcac2ed5f9
SHA126d7916861ada434d4457569055aeffebb2e1617
SHA25696127b0d042da66bf8332ddd5a22ba4046c47fa2306d18319c22097560d28f5e
SHA5128d6d81091f04e06c3c4562f606d3b3ab2d3ecf015d8f6c0ac75b1477450aaa3d98b7ddf79b682ff69c3fef1c109443a8cb23d257442cff6d0bcb575cb6c0e67e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.4MB
MD52117911eeea43985a4ad5b5610dbabab
SHA1b52f696309d1bae96292e7ff78d5846d66ca4cfa
SHA256d8989c44587e62deb19e775b7cc1bff4226ff616811237dce51cecf92fcdc8b7
SHA512ad30a728fdd8f2dca58956495e117520ddb88bfd7afe633f272c0230801b70bd24eea22a11112e5f2e638d8f3dd64629bc0f36d0736d9ee13fb60e839c64b1b5
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
992KB
-
Filesize
92KB
-
Filesize
116KB
-
Filesize
68KB
-
Filesize
2.0MB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
24.4MB
-
Filesize
208KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
132KB
-
Filesize
260KB
-
Filesize
16.7MB
-
Filesize
24.4MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
16.7MB
-
Filesize
136KB