File name:

2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch

Full analysis: https://app.any.run/tasks/430b01c0-e074-4935-a7b8-93221a2aa4c3
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 24, 2025, 21:50:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
golang
vidar
stealer
telegram
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 7 sections
MD5: 6D0090946D655CFCE9269A1C0236BDC2
SHA1: E3509B66CB32271FA10BE7C7F8201DAAC7A872FA
SHA256: B94546E89DF37BD5BD4268AEBED3DCD4BCA8058BDDE786CE3F0B833202474F18
SSDEEP: 98304:hAvjJQ1XTjKRr0Sr8/ZYcAE48gkDQUdv6OgYDsys:BH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • VIDAR mutex has been found
      • BitLockerToGo.exe (PID: 6972)
    • VIDAR has been detected (YARA)
      • BitLockerToGo.exe (PID: 6972)
  • SUSPICIOUS
    • There is functionality for communication over UDP network (YARA)
      • 2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe (PID: 7388)
    • Reads security settings of Internet Explorer
      • BitLockerToGo.exe (PID: 6972)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)
      • BitLockerToGo.exe (PID: 6972)
    • There is functionality for taking screenshot (YARA)
      • BitLockerToGo.exe (PID: 6972)
  • INFO
    • Application based on Golang
      • 2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe (PID: 7388)
    • Detects GO elliptic curve encryption (YARA)
      • 2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe (PID: 7388)
    • The sample was compiled with English language support
      • 2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe (PID: 7388)
    • Checks supported languages
      • 2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe (PID: 7388)
      • BitLockerToGo.exe (PID: 6972)
    • Reads the computer name
      • BitLockerToGo.exe (PID: 6972)
    • Creates files in the program directory
      • BitLockerToGo.exe (PID: 6972)
    • Checks proxy server information
      • BitLockerToGo.exe (PID: 6972)
      • slui.exe (PID: 5800)
    • Reads the machine GUID from the registry
      • BitLockerToGo.exe (PID: 6972)
    • Creates files or folders in the user directory
      • BitLockerToGo.exe (PID: 6972)
    • Reads the software policy settings
      • BitLockerToGo.exe (PID: 6972)
      • slui.exe (PID: 5800)

Vidar

(PID) Process: (6972) BitLockerToGo.exe
C2: https://t.me/g02f04
URL: https://steamcommunity.com/profiles/76561199828130190
RC4: 0123456789
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 4107776
InitializedDataSize: 416256
UninitializedDataSize: -
EntryPoint: 0x658d0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 12.0.0.3
ProductVersionNumber: 12.0.0.3
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Treexy
FileDescription: Driver Fusion Installer
FileVersion: 12.0.0.3
InternalName: DriverFusionFreeSetup
LegalCopyright: Copyright (C) 2024 Treexy
OriginalFileName: DriverFusionFreeSetup.exe
ProductName: Driver Fusion
ProductVersion: 12.0.0.3
No data.
Total processes: 129
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes: start; 2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe (no specs); BitLockerToGo.exe (#VIDAR); slui.exe

Process information

PID: 5800
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Indicators: -
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID: 6972
CMD: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Indicators: #VIDAR (see the Vidar malware configuration above)
Parent process: 2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BitLocker To Go Reader
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID: 7388
CMD: "C:\Users\admin\Desktop\2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe"
Path: C:\Users\admin\Desktop\2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Treexy
Integrity Level: MEDIUM
Description: Driver Fusion Installer
Exit code: 666
Version: 12.0.0.3
Modules (images): c:\users\admin\desktop\2025-03-24_6d0090946d655cfce9269a1c0236bdc2_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll
Total events: 7 215
Read events: 7 212
Write events: 3
Delete events: 0

Modification events

(PID) Process: (6972) BitLockerToGo.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6972) BitLockerToGo.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6972) BitLockerToGo.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 0
Suspicious files: 0
Text files: 12
Unknown types: 0

Dropped files

PID: 6972
Process: BitLockerToGo.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\76561199828130190[1].htm
Type: html
MD5: 9E0FA2909DC3FA7185C5CCFF778A2EFE
SHA256: 2E5699DB6BD3861241CC979F81E3BD609ADF60C90293EA9C5EAF8CBA45DE5964

PID: 6972
Process: BitLockerToGo.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\76561199828130190[1].htm
Type: html
MD5: F852EFDC7B3632565705C87A8A66414B
SHA256: 98E74C25878EFA8534E571535BD3550CFF987495E8080EFDCC33F05F8FE23DAF
HTTP(S) requests: 60
TCP/UDP connections: 73
DNS requests: 26
Threats: 17

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
  • - | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
  • 7888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
  • - | - | POST | 400 | 40.126.31.67:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
  • - | - | POST | 200 | 40.126.31.2:443 | https://login.live.com/RST2.srf | unknown | xml | 1.35 Kb | whitelisted
  • - | - | POST | 400 | 40.126.32.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
  • - | - | POST | 400 | 40.126.32.72:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
  • - | - | POST | 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
  • - | - | GET | 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T215048Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=933b1d5e09ec41548722d0900411f649&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968029&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358559&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 1.31 Kb | whitelisted
  • - | - | POST | 400 | 40.126.32.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
  • - | - | GET | 200 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
  • - | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
  • 4 | System | 192.168.100.255:137 | - | - | - | whitelisted
  • 4 | System | 192.168.100.255:138 | - | - | - | whitelisted
  • 3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
  • 6544 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
  • 7440 | backgroundTaskHost.exe | 20.199.58.43:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
  • 7888 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
  • 7888 | SIHClient.exe | 2.16.168.200:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
  • 7888 | SIHClient.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
  • 7888 | SIHClient.exe | 40.69.42.241:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Columns: Domain | IP(s) | Reputation
  • settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
  • google.com | 172.217.16.206 | whitelisted
  • client.wns.windows.com | 40.113.110.67 | whitelisted
  • login.live.com | 20.190.160.128, 40.126.32.133, 20.190.160.4, 20.190.160.64, 40.126.32.68, 20.190.160.132, 20.190.160.131, 20.190.160.20, 40.126.31.131, 20.190.159.128, 20.190.159.129, 40.126.31.67, 40.126.31.2, 40.126.31.1, 40.126.31.129, 20.190.159.130 | whitelisted
  • arc.msn.com | 20.199.58.43 | whitelisted
  • slscr.update.microsoft.com | 172.202.163.200 | whitelisted
  • crl.microsoft.com | 2.16.168.200, 2.16.168.199 | whitelisted
  • www.microsoft.com | 2.23.246.101 | whitelisted
  • fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
  • t.me | 149.154.167.99 | whitelisted

Threats

Columns: PID | Process | Class | Message
  • 6972 | BitLockerToGo.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) (10 identical alerts)
No debug info