povertystealer | 676ec587aca9ddec64b732ac7f1b36938ff6eabd06cde4e5828836211391198d

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

908KB
MD5

a39e40963c6dd0f0731c447d98a4b67f
SHA1

e6b5980deea1d36f91b7d9863cc562c9fa843051
SHA256

676ec587aca9ddec64b732ac7f1b36938ff6eabd06cde4e5828836211391198d
SHA512

87f51ef2a658b7629420f4376e6fc076431187f2fe31aacecb0ceb6b7e1f25dced884816cb73af617d09f22332512ead8b05b610267e5846c2cf053e7767544f
SSDEEP

12288:AKWO/f+XtZqyMok4Dd1iga/fOYwewK8ZHkKMSubove3tuzv4Q:5f+XtZqyMokQiN7wew0iesr

Score

10^/10

povertystealer stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 12 IoCs

resource	yara_rule
behavioral1/memory/2104-6-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-8-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-11-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-13-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-15-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-16-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-17-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-19-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-20-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-22-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-25-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/2104-26-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 2104	2988	file.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2532	2988	WerFault.exe	27

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2104	2988	file.exe	29
PID 2988 wrote to memory of 2532	2988	file.exe	30
PID 2988 wrote to memory of 2532	2988	file.exe	30
PID 2988 wrote to memory of 2532	2988	file.exe	30
PID 2988 wrote to memory of 2532	2988	file.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 52
  2⤵
  - Program crash
  PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2104-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-19-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-21-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2104-22-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2104-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads