Analysis
max time kernel: 137s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2024 09:55
Static task
static1: 1 signatures
Behavioral task
behavioral1: Sample loader.exe, Resource win7-20231215-en, 0 signatures, 150 seconds
Behavioral task
behavioral2: Sample loader.exe, Resource win10v2004-20231215-en, 4 signatures, 150 seconds
General
Target: loader.exe
Size: 3.6MB
MD5: ddb1b7702e173bfefc5dfae5f52551fc
SHA1: 838bc885a60ec91d870599334aef030d1a2bf9cb
SHA256: 6bdcb5dbda59419025cf464f9600b6090c0ebc3a9e669df90d0dc08f7a13b0cb
SHA512: a6dc819b8cce8da2c0226ec39edce35fd53187c4a6c2531026d3df0e8c9d7a852f416b6568d6e21db1d48de4939be300cac26e82834c8cda16fff08cbaf65c64
SSDEEP: 49152:lNiV4d3Hm64LGcm7yqTUswcEjoG9JZD3J3nKaUxcWAtIZL+/qELe:5xmDG/JUzqEy
Score: 10/10
Malware Config
Signatures

Detect Poverty Stealer Payload (3 IoCs)
Processes:
resource                                                                     yara_rule
behavioral2/memory/1512-4-0x0000000001230000-0x000000000123A000-memory.dmp   family_povertystealer
behavioral2/memory/1512-7-0x0000000001230000-0x000000000123A000-memory.dmp   family_povertystealer
behavioral2/memory/1512-9-0x0000000001230000-0x000000000123A000-memory.dmp   family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.

Suspicious use of SetThreadContext (1 IoC)
Processes: loader.exe
description                             pid    process      target process
PID 4852 set thread context of 1512     4852   loader.exe   ADelRCP.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: loader.exe
description                             pid    process      target process
PID 4852 wrote to memory of 1512        4852   loader.exe   ADelRCP.exe
PID 4852 wrote to memory of 1512        4852   loader.exe   ADelRCP.exe
PID 4852 wrote to memory of 1512        4852   loader.exe   ADelRCP.exe
PID 4852 wrote to memory of 1512        4852   loader.exe   ADelRCP.exe
PID 4852 wrote to memory of 1512        4852   loader.exe   ADelRCP.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\loader.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
   PID: 4852
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
      PID: 1512