File name:	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer
Full analysis:	https://app.any.run/tasks/4f2d4c76-03b1-4454-89c1-92a2c61ff317
Verdict:	Malicious activity
Analysis date:	May 25, 2025, 12:47:32
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 15 sections
MD5:	33B7085DDCE164EAE0E0FD35FB7ADD1A
SHA1:	1A12722B726D1B8C583D3C5919B9ECD25C298C70
SHA256:	CCB1B2AB1E95FC3DC95812CFF3A57C307659DAC9155418250BBEC3860D2E4105
SSDEEP:	98304:Ew98OUuVMlCBZ1cfyhbNvuHdLQzptQKkkko4p1kluNmacQXcs6E3CO3KPlrWvhBx:WVt

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	3
CodeSize:	726016
InitializedDataSize:	3350528
UninitializedDataSize:	-
EntryPoint:	0x71860
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI

PID	Process	Filename		Type
7576	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\Y7MKMK3hGHvC.bat		text
		MD5:70E6EAD2D1B8869CD737445895DCD78D	SHA256:D64D9448157BE8CEF0280A72741EB47625C9D00DBBD920E7E8745E1D94A0CE6A
1912	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\37Im5ONCWZkM.bat		text
		MD5:148E20271F7F3D44C164574114850598	SHA256:0C9CF75C219621FAADD7E8D83D5471C3C92C65A7DD74886F1CC033F0D5F3E0FA
4424	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\RaHJfuc1irEc.bat		text
		MD5:92A27D481337E87587E248D08149FFE6	SHA256:2062BB62B57F947405C50D5A604090DA6B1A5FD5FCB30F77FD47A23B45ED5F25
7956	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\mg17xz5Qfljr.bat		text
		MD5:0281931383B6CB4620BD3684FC093E3B	SHA256:744CE28C511203F54E7F563DD302A96C689FB03FB4712CC73A85D409C52621AB
7860	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\JLP0s5884lSD.bat		text
		MD5:EB6027C59384363DFAAA0B7ED19C280A	SHA256:062F43AFA3B55A2DE83F3485863341FEFBBC05DAE35FD2BEC8D6DD347E1864DA
7960	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\ug89IGuVvD7e.bat		text
		MD5:0E6D26F14CF7E41809248717B84C54DF	SHA256:95DCECED11BABC16A6D7F2DD5653EE99066DD6FCEBD5658200812934E6488AFD
3100	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\TYKphxdoH5FA.bat		text
		MD5:23D884CA3128834B8010A8CED3092D38	SHA256:17608374CD93DD6DF4FE01E8CB8A14CF754D45271D3332DEF55105A0E00329DB
1012	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\ZA6oouJb6oGT.bat		text
		MD5:0F230C29CB68E4699498FA7D50CE2267	SHA256:D37329C8C5628753F5C895D156C11A33602BE44890088253A0AFDFE702C1355B
6700	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\dXAqXZTZxvtH.bat		text
		MD5:EFD7918FC596A6B70A7EF326609C87C3	SHA256:0D2AD5FE2662FE0CB32504384ADE8750FDAAF628C758DF2E9C420E3648DCE7EC
8108	2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer.exe	C:\Users\admin\AppData\Local\Temp\4c6FDwM8i0sk.bat		text
		MD5:8D3E786E9E05CE102FECAFF12AE43F39	SHA256:AC2C4DC198E8CBEE3BBA93CE83D8F6CFFD6CDC74BE543964E04A310B3F05E6EA

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
2104	svchost.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7360	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7672	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	172.217.23.110	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	2.16.253.202	whitelisted
Ramsadaye-38594.portmap.io	—	malicious
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed
2196	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
2196	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed
2196	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed
2196	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO DNS Query to a Reverse Proxy Service Observed
2196	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)

General Info

2025-05-25_33b7085ddce164eae0e0fd35fb7add1a_frostygoop_ghostlocker_knight_luca-stealer

33B7085DDCE164EAE0E0FD35FB7ADD1A

1A12722B726D1B8C583D3C5919B9ECD25C298C70

CCB1B2AB1E95FC3DC95812CFF3A57C307659DAC9155418250BBEC3860D2E4105

98304:Ew98OUuVMlCBZ1cfyhbNvuHdLQzptQKkkko4p1kluNmacQXcs6E3CO3KPlrWvhBx:WVt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Starts application with an unusual extension

Runs PING.EXE to delay simulation

Potential Corporate Privacy Violation

INFO

Create files in a temporary directory

Reads Environment values

Reads the computer name

Reads the machine GUID from the registry

Process checks computer location settings

Checks supported languages

Changes the display of characters in the console

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings