Analysis

  • max time kernel
    103s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/03/2025, 16:30

General

  • Target

    2025-03-30_ef3d97bc2ee0c97cba2343bf0bb08964_frostygoop_knight_luca-stealer_poet-rat_sliver_snatch.exe

  • Size

    10.0MB

  • MD5

    ef3d97bc2ee0c97cba2343bf0bb08964

  • SHA1

    431317661ec22187b51894d865260c9e46f15c68

  • SHA256

    21031c2aaf9d8b9bb527d4056928512899e21c5c2f12cf3c29a0bf757008ed77

  • SHA512

    e3fab26b4215131af34f663803261c17a60d8f0e7f8dae324e517320d61cb4632af812206b777e864ac7f85a9036284322e994ac9b05b16bb01744e138f8e130

  • SSDEEP

    98304:vJpHIt857719GKtu5RUDINJmDYBC1L2/0XkE:vDqKdujUumDMmR

Signatures

  • Reads user/profile data of local email clients 2 TTPs

    Email clients keep profile data (account settings and, for some clients, stored credentials) on disk, and infostealers commonly read those files.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials, cookies and autofill entries.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Credentials kept in unprotected local files are read and collected.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Kills process with taskkill 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-30_ef3d97bc2ee0c97cba2343bf0bb08964_frostygoop_knight_luca-stealer_poet-rat_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-30_ef3d97bc2ee0c97cba2343bf0bb08964_frostygoop_knight_luca-stealer_poet-rat_sliver_snatch.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3816
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM firefox.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4184
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM brave.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4444
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM opera.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM kometa.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2208
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM orbitum.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:216
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM centbrowser.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1988
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM 7star.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM sputnik.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM vivaldi.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4960
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM epicprivacybrowser.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:772
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM msedge.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4088
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM uran.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1528
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM yandex.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4252
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM iridium.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\system32\reagentc.exe
      reagentc.exe /disable
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4776
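
The process tree above shows one parent (PID 1088) spawning 15 "taskkill /F /IM <browser>.exe" children in quick succession and then "reagentc.exe /disable", which turns off the Windows Recovery Environment. Killing browsers is the usual way a stealer frees the profile databases it wants to read (see the browser-data signatures above); disabling WinRE is a recovery-inhibition step more often seen ahead of encryption, which fits the ransomware family names in the sample's tag list. The Python below is an added detection example written for this page, not code from the sandbox vendor or from the sample. It runs over constructed Sysmon Event ID 1-style process-creation records (the field names, the timestamps and the benign helpdesk process with PID 900 are assumptions) and flags a parent that kills several distinct browsers inside a short window, any recovery-tamper command, and the overlap of the two. The bcdedit and vssadmin patterns are an extension beyond what this report observed.

```python
"""Detect the browser-kill burst plus WinRE-disable pattern from the process tree.

Records are constructed to mirror the report's process tree; field names follow
Sysmon Event ID 1 naming (Image, CommandLine, ProcessId, ParentProcessId,
UtcTime) but the records themselves are made up for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Browser image names passed to `taskkill /F /IM` in the report above.
BROWSER_IMAGES = {
    "chrome.exe", "firefox.exe", "brave.exe", "opera.exe", "kometa.exe",
    "orbitum.exe", "centbrowser.exe", "7star.exe", "sputnik.exe",
    "vivaldi.exe", "epicprivacybrowser.exe", "msedge.exe", "uran.exe",
    "yandex.exe", "iridium.exe",
}

# Recovery-inhibition commands (ATT&CK T1490). Only `reagentc /disable` appears
# in this report; the bcdedit and vssadmin entries are frequent companions and
# are an extension here, not something the sandbox observed.
RECOVERY_TAMPER = (
    ("reagentc.exe", re.compile(r"/disable\b", re.I)),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no\b", re.I)),
    ("vssadmin.exe", re.compile(r"delete\s+shadows\b", re.I)),
)

IM_ARG = re.compile(r'/IM\s+"?([^\s"]+)', re.I)


def image_name(path):
    """Basename of a Windows image path, lower-cased (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def taskkill_targets(cmdline):
    """Image names given to taskkill via /IM; /PID-only invocations yield []."""
    return [t.lower() for t in IM_ARG.findall(cmdline)]


def detect_browser_kill_burst(events, window=timedelta(seconds=60), min_targets=3):
    """Map parent PID -> sorted browser targets, for parents whose taskkill
    children hit >= min_targets distinct browsers within `window`. One
    `taskkill /IM chrome.exe` from a helpdesk script stays under the threshold."""
    hits = defaultdict(list)
    for e in events:
        if image_name(e["Image"]) != "taskkill.exe":
            continue
        when = datetime.fromisoformat(e["UtcTime"])
        for target in taskkill_targets(e["CommandLine"]):
            if target in BROWSER_IMAGES:
                hits[e["ParentProcessId"]].append((when, target))
    findings = {}
    for ppid, seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:  # slide the window
                start += 1
            if len({t for _, t in seq[start:end + 1]}) >= min_targets:
                findings[ppid] = sorted({t for _, t in seq})
                break
    return findings


def detect_recovery_tamper(events):
    """(ParentProcessId, image, command line) for each recovery-inhibition command."""
    out = []
    for e in events:
        name = image_name(e["Image"])
        for image, pattern in RECOVERY_TAMPER:
            if name == image and pattern.search(e["CommandLine"]):
                out.append((e["ParentProcessId"], name, e["CommandLine"]))
    return out


def triage(events):
    """Run both detections; a parent present in both is the high-confidence case."""
    bursts = detect_browser_kill_burst(events)
    tamper = detect_recovery_tamper(events)
    both = sorted(set(bursts) & {ppid for ppid, _, _ in tamper})
    return {"browser_kill_parents": bursts, "recovery_tamper": tamper,
            "high_confidence_parents": both}


def sample_events():
    """Constructed records shaped after the tree (parent 1088, reagentc 4776) plus
    two benign taskkill runs from an assumed helpdesk process (PID 900)."""
    base = datetime(2025, 3, 30, 16, 31, 0)
    evts = []
    for i, name in enumerate(sorted(BROWSER_IMAGES)):
        evts.append({"Image": r"C:\Windows\system32\taskkill.exe",
                     "CommandLine": f"taskkill /F /IM {name}",
                     "ProcessId": 3000 + i, "ParentProcessId": 1088,
                     "UtcTime": (base + timedelta(seconds=i)).isoformat()})
    evts.append({"Image": r"C:\Windows\system32\reagentc.exe",
                 "CommandLine": "reagentc.exe /disable", "ProcessId": 4776,
                 "ParentProcessId": 1088,
                 "UtcTime": (base + timedelta(seconds=20)).isoformat()})
    evts.append({"Image": r"C:\Windows\system32\taskkill.exe",
                 "CommandLine": 'taskkill /F /IM "notepad.exe"', "ProcessId": 901,
                 "ParentProcessId": 900, "UtcTime": base.isoformat()})
    evts.append({"Image": r"C:\Windows\system32\taskkill.exe",
                 "CommandLine": "taskkill /F /IM chrome.exe", "ProcessId": 902,
                 "ParentProcessId": 900, "UtcTime": base.isoformat()})
    return evts
```

Calling triage(sample_events()) reports PID 1088 under all three keys and nothing for the helpdesk process. On a host where this fires, "reagentc /info" shows the current WinRE state and "reagentc /enable" restores it once the host is clean; the System32 and Windows directory file drops attributed to reagentc.exe in the tree are most likely the tool rewriting its own recovery configuration rather than payload writes.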

MITRE ATT&CK Enterprise v15

The TTP counts attached to the signatures above map to MITRE ATT&CK Enterprise v15.