Extracted

• • Target

    7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe

  • Size

    311KB

  • MD5

    0daebde971a5f21690f26c1ed8bf8813

  • SHA1

    361417ed0552958448b0fde6aeb980fcbec9572a

  • SHA256

    7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e

  • SHA512

    1ac209e287a79aa14a8448418b78383b3fab3712f8f3d59946f39aabab9b035628735ef9362eec5146966562cc15b0bfa0dbc00d6e104789e1e799d3f9259a7a

  • SSDEEP

    6144:QKILYpVy5qgOWp99sfQ+a/HTXbvOREnsE0aV:zIspVy5qgP2fQv/HbbZns

  Score

  10^/10

  smokeloaderbackdoorpersistencetrojanupxpovertystealerbootkitdiscoveryspywarestealer

  • Detect Poverty Stealer Payload

  • Poverty Stealer

    Poverty Stealer is a crypto and infostealer written in C++.

    stealerpovertystealer

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2