Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
02/03/2025, 01:50
General
-
Target
2025-03-02_3934bc80a696844a7884d3c4b07da36a_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe
-
Size
20.7MB
-
MD5
3934bc80a696844a7884d3c4b07da36a
-
SHA1
5ed52ce373c56115e7695b80981f6e9f67b1834b
-
SHA256
e8b231e5a70d4aeec591be8766c2efb5c2cd0eccf65747d3a9757ac59e4cfdf5
-
SHA512
4fd9c17b3dd2b1aee0236b36b2fd601ed989136ed6e40048469054bcf3bdb48d6a421baef6ce772af1565b4bdbab84ccb063a7f76c08a2bfef0e18f5c10b27dd
-
SSDEEP
196608:o/OB+puiE6/Ztd0noa4JmeVAMWeZAPbcFewOvq41Xyn1bNR+oKOwpe/n0ky:Si+puila4JPVpZWbXhS1bn+owpe/nX
Malware Config
Signatures
-
Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for Parallels drivers on disk. 2 TTPs 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
-
Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Looks for VMWare drivers on disk 2 TTPs 2 IoCs
-
Looks for VMWare services registry key. 1 TTPs 7 IoCs
-
Looks for Xen service registry key. 1 TTPs 5 IoCs
-
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Maps connected drives based on registry 3 TTPs 5 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Kills process with taskkill 7 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-02_3934bc80a696844a7884d3c4b07da36a_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-02_3934bc80a696844a7884d3c4b07da36a_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"1⤵
- Enumerates VirtualBox DLL files
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Xen via ACPI registry values (likely anti-VM)
- Looks for Parallels drivers on disk.
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Looks for VMWare Tools registry key
- Looks for VMWare drivers on disk
- Looks for VMWare services registry key.
- Looks for Xen service registry key.
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks system information in the registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\preview_4.mp42⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty TotalVisibleMemorySize"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object Id, ProcessName | ConvertTo-Json | Out-File -FilePath \"C:\Users\Admin\AppData\Local\Temp\Fravvdae\ProcessSnapshot.json\" -Encoding utf8"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" https://greyshare.pics/home2⤵
- Uses browser remote debugging
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff899cdcc40,0x7ff899cdcc4c,0x7ff899cdcc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1460,i,14212843342973215930,12117816584027225527,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1452 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1400,i,14212843342973215930,12117816584027225527,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1544 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --remote-debugging-port=49422 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2520,i,14212843342973215930,12117816584027225527,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:13⤵
- Uses browser remote debugging
- Drops file in Program Files directory
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" https://greyshare.pics/home2⤵
- Uses browser remote debugging
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff899ce46f8,0x7ff899ce4708,0x7ff899ce47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,9095622975245303591,6154372074036045702,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1484 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,9095622975245303591,6154372074036045702,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1880 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1456,9095622975245303591,6154372074036045702,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1960 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1456,9095622975245303591,6154372074036045702,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 /prefetch:13⤵
- Uses browser remote debugging
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\preview_4.mp4"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x514 0x51c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Authentication Process
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
12Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
1KB
MD520810d165c316378abc650cfa1e8d26a
SHA11e93a79cbb16e8836bc669ecbff8bd614b8fd05b
SHA25606131bf4d4fe55b1f4bbc16d84a994b1b0891d4459bc1c5b05a8cec3725ebb27
SHA51258fc8a24e40ab9051739ee47d99d69a24bf0ec1755a507b13fd76df47395c97a140aa56f1f4de3a0fc848216fc6f32c7e191aa862848c65226eba5c3697aa098
-
Filesize
1KB
MD52b8000b4dc0136b30a5b8de262f2cb70
SHA101a291a184fc0d996fce1553a9b97008976ff620
SHA25682f4e49e5f31bc4da4ba076b9203cad5ebbe73b5fc0e9ae6ed3ffab06a121ad3
SHA5123b698cae7a7360260869da1b62c16b71f8fb5c1cb65c16746ae5525545832f876d5abbc1cc7886d2ec4f494a04c91dbede506c91cc2913b2ac6bf733cbbd9530
-
Filesize
1KB
MD54592d0cd2c027869bdefcce01e4659ea
SHA16a9c14722201562a8205da9d9e192667b4825ad3
SHA256a405d8a9040c891cb7b50f1f1653a0820fbaffc77a988ae3c164abef94729905
SHA51252ba4a0c79f47786c7480bf28105085c5b03cb11ce0bfdc2d138e362fe539273ed9c5b31c25a5145c4d8333c6f7d34e6593ca94a583128d659accf38bb50b4cb
-
Filesize
1KB
MD5770f043bb129df21df14e6d52bfaad3c
SHA1086ec819d0bd5b19d6459f75bd091bd10118dca8
SHA256b2f2612132f221bd00ac4fe0f18aee8a74b4bb6df76da3e27f01d5620af10ed1
SHA512651f2b58c88e47650497451e011b58bad5d4436b0117c9d7e84d768613cdad2e2bc0da1ae6a1fffd883a81ffd33079f005fa822d90c159f83b141ff967266ccf
-
Filesize
1KB
MD5d97fe30bf7a4fc1eccf6bfded803ed7b
SHA1cf9ac1c53f2516dfa9fd287a162f4fb7c079a55b
SHA256dbfd3af3a58085ff8d0fdd83e1042a02032d3183bd292a9dd37fbd00f6c09c01
SHA5127bcf20771a69c0568914117870a0af31c3f0f1e45537a142c61497f361f17c873dfc50c307c81bdd3210e8ebe68cafb6029819df70773bc231406bced7c55200
-
Filesize
6KB
MD54480ab0d9cbdff151724d936c4cd7e9a
SHA1e96ac1a0496930f383ac048dd72e9d7e31f98f65
SHA25672b02040bb776a6cff055eedab741d480a12e4fd5d971cd8e7bfe1d248d1d45b
SHA51278f528b8077ffd08814fd129032d6b91c21aabbff3231fa5d37b37bb4b873fb5a58538a2a01ac4b0c48fdaf19ccb7753b0b40efd3fdeb7f499c3ccf1dd0b04eb
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
7.4MB
MD5a15bdc7b7be3e048881dac9d208d54a0
SHA19cdf4ca6d50ffbaee0a8e4f6179b1f9fce81a07e
SHA2566aaf127b9f216f8345f3942b2678f368207368b7062c77670ca64d316e40c0bd
SHA512afdf468e20f87dfc5738434529d6a104659818a66ad16a20a90c2c1a593a1b44ad3f1ac2943b0c9e1833588f0a295a86dd255ca675ec10c8c9c93ff03495b095
-
Filesize
116KB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
132KB
-
Filesize
260KB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
2.0MB
-
Filesize
2.7MB
-
Filesize
208KB
-
Filesize
992KB
-
Filesize
68KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
136KB