povertystealer | 42baf0d9105229ca324cb979bcd9fa893bd2585cb91a98c7406ef610b1e35291

General

Target

file.exe
Size

268KB
MD5

412f2a790774bab54a808da285637606
SHA1

176df256acbaeae1d78076becaddbb9319d657ce
SHA256

42baf0d9105229ca324cb979bcd9fa893bd2585cb91a98c7406ef610b1e35291
SHA512

2e9cc7d784c02fd06487760913785c15c23988d6412aeef62ff2293c62016d3d8b60efa692f4ee31349fd36fca4481aa0861986991420d853dc7ce9b4f94b220
SSDEEP

6144:vcLzuEPl/CBpmpCdgTiemAOGCNvLz1aGGr:vszuGZC3vX4YvXw

Score

10^/10

Malware Config

Signatures

Detect Poverty Stealer Payload 8 IoCs

resource	yara_rule
behavioral2/memory/224-0-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral2/memory/224-2-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral2/memory/224-3-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral2/memory/224-4-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral2/memory/224-6-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral2/memory/224-10-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral2/memory/224-12-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral2/memory/224-13-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4520 set thread context of 224	4520	file.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3964	4520	WerFault.exe	84

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4644	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 224	4520	file.exe	85
PID 4520 wrote to memory of 224	4520	file.exe	85
PID 4520 wrote to memory of 224	4520	file.exe	85
PID 4520 wrote to memory of 224	4520	file.exe	85
PID 4520 wrote to memory of 224	4520	file.exe	85
PID 4520 wrote to memory of 224	4520	file.exe	85
PID 4520 wrote to memory of 224	4520	file.exe	85
PID 4520 wrote to memory of 224	4520	file.exe	85
PID 4520 wrote to memory of 224	4520	file.exe	85

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 380
  2⤵
  - Program crash
  PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4520 -ip 4520
1⤵
PID:3600

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
71c547a724bea43f6967e99672a3f904

SHA1
444dad009daa8415539345a2f17b1f035352440b

SHA256
7325df8de3558f89ae2a1393908002ba6a23d3b1394186ce9b53281cc08fddb4

SHA512
a762156c33a99b5529bce62d1c094dcf625bfce55b72a54e8e095d499236a9b6e62996c959dd66db2074d56de925326bbf57a26030c1dc8fd10d788fc69c9364

Download Submit
memory/224-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/224-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/224-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/224-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/224-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/224-9-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/224-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/224-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/224-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4644-51-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-56-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-47-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-48-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-49-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-50-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-30-0x0000028902880000-0x0000028902890000-memory.dmp

Filesize
64KB

Download
memory/4644-52-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-53-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-54-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-55-0x000002890AEA0000-0x000002890AEA1000-memory.dmp

Filesize
4KB

Download
memory/4644-46-0x000002890AE70000-0x000002890AE71000-memory.dmp

Filesize
4KB

Download
memory/4644-57-0x000002890AAC0000-0x000002890AAC1000-memory.dmp

Filesize
4KB

Download
memory/4644-58-0x000002890AAB0000-0x000002890AAB1000-memory.dmp

Filesize
4KB

Download
memory/4644-60-0x000002890AAC0000-0x000002890AAC1000-memory.dmp

Filesize
4KB

Download
memory/4644-63-0x000002890AAB0000-0x000002890AAB1000-memory.dmp

Filesize
4KB

Download
memory/4644-66-0x000002890A9F0000-0x000002890A9F1000-memory.dmp

Filesize
4KB

Download
memory/4644-14-0x0000028902780000-0x0000028902790000-memory.dmp

Filesize
64KB

Download
memory/4644-78-0x000002890ABF0000-0x000002890ABF1000-memory.dmp

Filesize
4KB

Download
memory/4644-80-0x000002890AC00000-0x000002890AC01000-memory.dmp

Filesize
4KB

Download
memory/4644-81-0x000002890AC00000-0x000002890AC01000-memory.dmp

Filesize
4KB

Download
memory/4644-82-0x000002890AD10000-0x000002890AD11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing