Overview

overview

10

Static

static

10

2025-03-02...ch.exe

windows7-x64

1

2025-03-02...ch.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-02_e4bcc1d9c68720fad310d7a0c45d7fa4_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch

  • Size

    23.2MB

  • Sample

    250302-cj1jyazzct

  • MD5

    e4bcc1d9c68720fad310d7a0c45d7fa4

  • SHA1

    7c66a20f739b03398d5dd60ee46c128fa17e4465

  • SHA256

    c45775f62ad17ad69909050f2d6140c45d7106de6578969456d3d4299c49cb91

  • SHA512

    a2bc5991dd4a5c4575414ffe55b3d86b6ad928d7d873e604dfca7404013a2c5495fd3bac32465a31d5cfff2d0afb20fa80389e9c8c77e5b52e5c770f573a6cbb

  • SSDEEP

    393216:jzKLuXX+4JPVrpyeU15rIPPhnUed1r9S3WadV:aLubJPVVo5riPPnra

Score
10/10
hackbrowserdatacredential_accessdefense_evasiondiscoveryexecutionspywarestealer

Malware Config

Targets

    • Target

      2025-03-02_e4bcc1d9c68720fad310d7a0c45d7fa4_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch

    • Size

      23.2MB

    • MD5

      e4bcc1d9c68720fad310d7a0c45d7fa4

    • SHA1

      7c66a20f739b03398d5dd60ee46c128fa17e4465

    • SHA256

      c45775f62ad17ad69909050f2d6140c45d7106de6578969456d3d4299c49cb91

    • SHA512

      a2bc5991dd4a5c4575414ffe55b3d86b6ad928d7d873e604dfca7404013a2c5495fd3bac32465a31d5cfff2d0afb20fa80389e9c8c77e5b52e5c770f573a6cbb

    • SSDEEP

      393216:jzKLuXX+4JPVrpyeU15rIPPhnUed1r9S3WadV:aLubJPVVo5riPPnra

    Score
    9/10
    credential_accessdefense_evasiondiscoveryexecutionspywarestealer

    • Enumerates VirtualBox DLL files

    • Enumerates VirtualBox registry keys

      defense_evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Identifies Xen via ACPI registry values (likely anti-VM)

      defense_evasion

    • Looks for Parallels drivers on disk.

      defense_evasion

    • Looks for VirtualBox Guest Additions in registry

      defense_evasion

    • Looks for VirtualBox drivers on disk

      defense_evasion

    • Looks for VirtualBox executables on disk

    • Looks for VMWare Tools registry key

      defense_evasion

    • Looks for VMWare drivers on disk

      defense_evasion

    • Looks for VMWare services registry key.

      defense_evasion

    • Looks for Xen service registry key.

      defense_evasion

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Modify Authentication Process

1
T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

12
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

File and Directory Discovery

5
T1083

Peripheral Device Discovery

1
T1120

Query Registry

9
T1012

System Information Discovery

4
T1082

Virtualization/Sandbox Evasion

12
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks