Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
02/03/2025, 02:07
General
-
Target
2025-03-02_e4bcc1d9c68720fad310d7a0c45d7fa4_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe
-
Size
23.2MB
-
MD5
e4bcc1d9c68720fad310d7a0c45d7fa4
-
SHA1
7c66a20f739b03398d5dd60ee46c128fa17e4465
-
SHA256
c45775f62ad17ad69909050f2d6140c45d7106de6578969456d3d4299c49cb91
-
SHA512
a2bc5991dd4a5c4575414ffe55b3d86b6ad928d7d873e604dfca7404013a2c5495fd3bac32465a31d5cfff2d0afb20fa80389e9c8c77e5b52e5c770f573a6cbb
-
SSDEEP
393216:jzKLuXX+4JPVrpyeU15rIPPhnUed1r9S3WadV:aLubJPVVo5riPPnra
Malware Config
Signatures
-
Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for Parallels drivers on disk. 2 TTPs 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
-
Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Looks for VMWare drivers on disk 2 TTPs 2 IoCs
-
Looks for VMWare services registry key. 1 TTPs 7 IoCs
-
Looks for Xen service registry key. 1 TTPs 5 IoCs
-
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Maps connected drives based on registry 3 TTPs 5 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Kills process with taskkill 7 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-02_e4bcc1d9c68720fad310d7a0c45d7fa4_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-02_e4bcc1d9c68720fad310d7a0c45d7fa4_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch.exe"1⤵
- Enumerates VirtualBox DLL files
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Xen via ACPI registry values (likely anti-VM)
- Looks for Parallels drivers on disk.
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Looks for VMWare Tools registry key
- Looks for VMWare drivers on disk
- Looks for VMWare services registry key.
- Looks for Xen service registry key.
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks system information in the registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\preview_7.mp42⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty TotalVisibleMemorySize"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Get-Process | Select-Object Id, ProcessName | ConvertTo-Json | Out-File -FilePath \"C:\Users\Admin\AppData\Local\Temp\Rkmdbdco\ProcessSnapshot.json\" -Encoding utf8"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" https://greyshare.pics/home2⤵
- Uses browser remote debugging
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e3aacc40,0x7ff8e3aacc4c,0x7ff8e3aacc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1464,i,3405570267268653518,10532201758800441426,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1448 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1732,i,3405570267268653518,10532201758800441426,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1728 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --remote-debugging-port=49422 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2608,i,3405570267268653518,10532201758800441426,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2592 /prefetch:13⤵
- Uses browser remote debugging
- Drops file in Program Files directory
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" https://greyshare.pics/home2⤵
- Uses browser remote debugging
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8e62f46f8,0x7ff8e62f4708,0x7ff8e62f47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1432,7343795013655140806,17856257271280532477,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1460 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1432,7343795013655140806,17856257271280532477,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1816 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1432,7343795013655140806,17856257271280532477,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1928 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1432,7343795013655140806,17856257271280532477,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 /prefetch:13⤵
- Uses browser remote debugging
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\preview_7.mp4"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x510 0x2f41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Authentication Process
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
12Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
1KB
MD5d4df8c26cc19545b6d334db8208150f8
SHA1eaecf6510bee1d16afacb693e07ec8b1279b55e6
SHA25695a65a7e61c6239e951edda6be117d646ae51e7e52df2a3d0b8d4fcfe846fb3d
SHA5123d988db5d5e99f6d3404fd860c247572dcf5df642566bf3dfe1a2957c6430625f833cfba66914fddba41e97851bcc253a2f77e19f8baf849c2f574c840325661
-
Filesize
1KB
MD5633da34a38638896c9a56c65a984d48a
SHA11ecc48e2ec10396bbe8972facf94a28d4a20635b
SHA2562fa8e367aeb35f24f88785d48e2058b217aa3479e61c65d25a94be0d73c98dfa
SHA51279ee129be3599bb324d25e6c58c2b685499cb401d24860431dead811cc70841d892a24554398e65dc4e47e997e2e2c569d4f3a7cf38cedd36088897314e7d1fe
-
Filesize
1KB
MD59d3e9a8c12daf5cd9b4126da3e0c1c8d
SHA16bdcf5965eaf8c203a2d8187b18d7d67dd33860f
SHA2565d91d85e199c1ccb1917b9bd7426f5c8ff1fdc0d50ccb563786cd64445d458c1
SHA512624c8cf71f17c06184c237f22aa39f70523674c6df54a48b63ccb8080f815bc5a4d47c82c6c23972089866962948f421a5a9d5bf55e53d903f17f4058c72f44f
-
Filesize
1KB
MD545aba1e3490d46170c25ebe0af7c12de
SHA1eb1d23ad52aa20c93d56b98835f538abeb198047
SHA256e725a9917edb8fd25b930bb438599c49d31b2c5e95c4b06fce4597964040ad59
SHA5124a7a83292b5e080ee46eec2fb62c794982d83c42c9f816b90ec3c3c51890007fd401c2e943ed4179b81dcad6ea08b1d853b591942b7331b5bb5f991e71cb19e1
-
Filesize
1KB
MD520810d165c316378abc650cfa1e8d26a
SHA11e93a79cbb16e8836bc669ecbff8bd614b8fd05b
SHA25606131bf4d4fe55b1f4bbc16d84a994b1b0891d4459bc1c5b05a8cec3725ebb27
SHA51258fc8a24e40ab9051739ee47d99d69a24bf0ec1755a507b13fd76df47395c97a140aa56f1f4de3a0fc848216fc6f32c7e191aa862848c65226eba5c3697aa098
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
6KB
MD5297582dff34fe7d32db2fb3f4498571b
SHA18178bf3f227bd826425c5d056a98070795163aaf
SHA256cadefc665dd137317348632a1747bd8314f8fc5fb6087bbe4b3afb94ac30b40a
SHA512ac8bfa51edf47702cf003d47122a4ca5161e9f73981e12c6a0a3381968c53c42a1d022a16949ca5c63bac8a4ef9c2bb00aba653e7a88ffed04b1b996cf349a11
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9.9MB
MD5a361bf48fb9388c3404650b28b1d3036
SHA1600afbb6d4f87f6c748a6f08a90c3f55349a6969
SHA2561c9ae189a6e4d56f3af6779cd7d2a9e2cca4f1fcddd171dab2dbc93c23e333c6
SHA51213f258977e5175a48f01c80f3cdd85a4073e0fc9f45724287def02d580f5899c8ee976b3e86c6aa4ab1bac75a5f0db314bdb3ef9f49e816adb3f518644ec8894
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
96KB
-
Filesize
132KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
16.7MB
-
Filesize
2.7MB
-
Filesize
16.7MB
-
Filesize
92KB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
260KB
-
Filesize
2.0MB
-
Filesize
116KB
-
Filesize
68KB
-
Filesize
208KB
-
Filesize
992KB
-
Filesize
136KB