povertystealer | 7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2

General

Target

7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe
Size

653KB
MD5

c4176f4dd925bcc5f32cba245d667cfd
SHA1

ccb699469798894205ec57ce39cbf43012129562
SHA256

7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2
SHA512

d209ed701b863cee54f1e2200eb9964e69c8543302480ceb9c63625c132093c60e434ff1189eef243e651a2a385b58a8e22bb3e9cfadd6a356f9e875bba6df15
SSDEEP

12288:P+qfAn8i1aAJLYnVFfVPqoMU7xSwXtVBOrHanRXKCR0R9fcSJiO:P+GPaaDVFIUcom6nQCREtr

Score

10^/10

Malware Config

Signatures

Detect Poverty Stealer Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012731-12.dat	family_povertystealer
behavioral1/memory/2476-15-0x0000000000240000-0x0000000000299000-memory.dmp	family_povertystealer
behavioral1/files/0x000d000000012731-17.dat	family_povertystealer
behavioral1/files/0x000d000000012731-16.dat	family_povertystealer
behavioral1/files/0x000d000000012731-19.dat	family_povertystealer
behavioral1/files/0x000d000000012731-18.dat	family_povertystealer
behavioral1/files/0x000d000000012731-20.dat	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Executes dropped EXE 1 IoCs

pid	Process
2724	ms_updater.exe

Loads dropped DLL 4 IoCs

pid	Process
2476	7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe
2724	ms_updater.exe
2724	ms_updater.exe
2724	ms_updater.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2724	2476	7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe	29
PID 2476 wrote to memory of 2724	2476	7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe	29
PID 2476 wrote to memory of 2724	2476	7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe	29
PID 2476 wrote to memory of 2724	2476	7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe	29
PID 2476 wrote to memory of 2724	2476	7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe	29
PID 2476 wrote to memory of 2724	2476	7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe	29
PID 2476 wrote to memory of 2724	2476	7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe	29

C:\Users\Admin\AppData\Local\Temp\7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe
"C:\Users\Admin\AppData\Local\Temp\7c10c67ddb586532ce0fc507c8f33f3fe05cd866afeccd2b7e4275fae567afb2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Roaming\ms_updater.exe
  "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
29KB

MD5
1138f8a5a1b22b785a9335e920c3d26b

SHA1
e381130adb5d6ebb1cca1fcfc9a1ab2d83534b55

SHA256
43fb57a3b48ccaead0716e37e7f5fe5807f7556bc4e34abc2938e46276b30600

SHA512
9be104249c396a15d1a4bfb2ad0128304df6faa378be7419a34d4e935c4fa14f4d9a41815385ecf348ec196fa2440c2fea3eaa73f0ecd68a1ffd2132084e3126

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
29KB

MD5
1138f8a5a1b22b785a9335e920c3d26b

SHA1
e381130adb5d6ebb1cca1fcfc9a1ab2d83534b55

SHA256
43fb57a3b48ccaead0716e37e7f5fe5807f7556bc4e34abc2938e46276b30600

SHA512
9be104249c396a15d1a4bfb2ad0128304df6faa378be7419a34d4e935c4fa14f4d9a41815385ecf348ec196fa2440c2fea3eaa73f0ecd68a1ffd2132084e3126

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
29KB

MD5
1138f8a5a1b22b785a9335e920c3d26b

SHA1
e381130adb5d6ebb1cca1fcfc9a1ab2d83534b55

SHA256
43fb57a3b48ccaead0716e37e7f5fe5807f7556bc4e34abc2938e46276b30600

SHA512
9be104249c396a15d1a4bfb2ad0128304df6faa378be7419a34d4e935c4fa14f4d9a41815385ecf348ec196fa2440c2fea3eaa73f0ecd68a1ffd2132084e3126

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
29KB

MD5
1138f8a5a1b22b785a9335e920c3d26b

SHA1
e381130adb5d6ebb1cca1fcfc9a1ab2d83534b55

SHA256
43fb57a3b48ccaead0716e37e7f5fe5807f7556bc4e34abc2938e46276b30600

SHA512
9be104249c396a15d1a4bfb2ad0128304df6faa378be7419a34d4e935c4fa14f4d9a41815385ecf348ec196fa2440c2fea3eaa73f0ecd68a1ffd2132084e3126

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
29KB

MD5
1138f8a5a1b22b785a9335e920c3d26b

SHA1
e381130adb5d6ebb1cca1fcfc9a1ab2d83534b55

SHA256
43fb57a3b48ccaead0716e37e7f5fe5807f7556bc4e34abc2938e46276b30600

SHA512
9be104249c396a15d1a4bfb2ad0128304df6faa378be7419a34d4e935c4fa14f4d9a41815385ecf348ec196fa2440c2fea3eaa73f0ecd68a1ffd2132084e3126

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
29KB

MD5
1138f8a5a1b22b785a9335e920c3d26b

SHA1
e381130adb5d6ebb1cca1fcfc9a1ab2d83534b55

SHA256
43fb57a3b48ccaead0716e37e7f5fe5807f7556bc4e34abc2938e46276b30600

SHA512
9be104249c396a15d1a4bfb2ad0128304df6faa378be7419a34d4e935c4fa14f4d9a41815385ecf348ec196fa2440c2fea3eaa73f0ecd68a1ffd2132084e3126

Download Submit
memory/2476-0-0x0000000000240000-0x0000000000299000-memory.dmp

Filesize
356KB

Download
memory/2476-15-0x0000000000240000-0x0000000000299000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing