Analysis
max time kernel: 154s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 16:57
Static task: static1

Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20230831-en
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20230915-en
  5 signatures, 150 seconds
General
Target: tmp.exe
Size: 1.7MB
MD5: 7c818b38718a7e845e3e2b2a2baf0c6e
SHA1: fcb189782e39c8ed1b26512278e07e3cda6ab1d1
SHA256: 8c737d639a32ba502f16936785d947f262a7670ae19dafa8d2641fed4051dd8c
SHA512: df31f27eb7f41ab285ef8319e12a71b97dc4687c38c2a7793042eec503ba771d8773b1ec745fb7667cfe963c5d1b28989b782f52597b9dd0e4606f26db2fe26f
SSDEEP: 12288:czrSC63ODLASaGMLA42yarv4rHBC3+RxrfvyJic2yPEAj8b7NuZhazOD4B6Me6:C6eDLASbMc42ya8vygcDEAmI9Me6
Score: 10/10
Malware Config
Signatures

Detect Poverty Stealer Payload (7 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/784-1-0x0000000000030000-0x000000000023F000-memory.dmp   family_povertystealer
  behavioral2/memory/1872-2-0x0000000000990000-0x000000000099F000-memory.dmp  family_povertystealer
  behavioral2/memory/784-9-0x0000000000030000-0x000000000023F000-memory.dmp   family_povertystealer
  behavioral2/memory/1872-8-0x0000000000990000-0x000000000099F000-memory.dmp  family_povertystealer
  behavioral2/memory/1872-11-0x0000000000990000-0x000000000099F000-memory.dmp family_povertystealer
  behavioral2/memory/1872-12-0x0000000000990000-0x000000000099F000-memory.dmp family_povertystealer
  behavioral2/memory/1872-16-0x0000000000990000-0x000000000099F000-memory.dmp family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process   procid_target
  PID 784 set thread context of 1872   784   tmp.exe   83

Suspicious use of WriteProcessMemory (5 IoCs)
  description                          pid   Process   procid_target
  PID 784 wrote to memory of 1872      784   tmp.exe   83
  PID 784 wrote to memory of 1872      784   tmp.exe   83
  PID 784 wrote to memory of 1872      784   tmp.exe   83
  PID 784 wrote to memory of 1872      784   tmp.exe   83
  PID 784 wrote to memory of 1872      784   tmp.exe   83
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   PID: 784
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 1872