Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 07-02-2024 04:52
Static task: static1
Behavioral task: behavioral1
  Sample: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
  Resource: win10-20231215-en
General
- Target: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
- Size: 1.6MB
- MD5: 725a272d58c38263bac81cc348f27923
- SHA1: 940380233efcda57a22341e09515696d6b80bc25
- SHA256: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee
- SHA512: 55d9e6a2fc3b39f8ef333cef91c9c131039a8cffd9f353c5ee68aba3c35efa4f23928196fc89a9d633413287c084ad1bd6628ba92725f8e5ee8dafca9835691c
- SSDEEP: 24576:GubsnafAPyjSzZX6h6JbMwmULKfCgG07jgLkx0gW9Tm8nnlLclRPPYpyrQRlRdWV:YI4sMb+fZ3Px0gW9Tznnlc4IQrjWd7
Malware Config
Signatures
-
Detect Poverty Stealer Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2276-41-0x0000000001160000-0x00000000014CC000-memory.dmp | family_povertystealer
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2988 | work.exe
2276 | hftsef.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
2664 | cmd.exe
2988 | work.exe
2988 | work.exe
2988 | work.exe
2988 | work.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
2276 | hftsef.exe
2276 | hftsef.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2276 | hftsef.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1664 wrote to memory of 2664 | 1664 | b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe | cmd.exe
PID 1664 wrote to memory of 2664 | 1664 | b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe | cmd.exe
PID 1664 wrote to memory of 2664 | 1664 | b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe | cmd.exe
PID 1664 wrote to memory of 2664 | 1664 | b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe | cmd.exe
PID 2664 wrote to memory of 2988 | 2664 | cmd.exe | work.exe
PID 2664 wrote to memory of 2988 | 2664 | cmd.exe | work.exe
PID 2664 wrote to memory of 2988 | 2664 | cmd.exe | work.exe
PID 2664 wrote to memory of 2988 | 2664 | cmd.exe | work.exe
PID 2988 wrote to memory of 2276 | 2988 | work.exe | hftsef.exe
PID 2988 wrote to memory of 2276 | 2988 | work.exe | hftsef.exe
PID 2988 wrote to memory of 2276 | 2988 | work.exe | hftsef.exe
PID 2988 wrote to memory of 2276 | 2988 | work.exe | hftsef.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe"
  - Suspicious use of WriteProcessMemory
  PID:1664
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
    Level 3: C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
      Command line: work.exe -priverdD
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2988
      Level 4: C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
        PID:2276
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 35B
MD5: ff59d999beb970447667695ce3273f75
SHA1: 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256: 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512: d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
Filesize: 442KB
MD5: 53ae8f5d6314d6c207a663b41fabcc87
SHA1: 47e1986ab99b7adf7492995e34ff562ba726f876
SHA256: acc5eb4ade53ca501753e87bc3088d4bc808a334fda865a66a9e50363bc124be
SHA512: fe5ed310512ac9997d616c44ee7bef38b6d725a6b6fa59bbc4bc26bcde23ccadaf8dfe2ff63097aab5233e07af23a324d1a47eac278469af986dd1b70001ba13
-
Filesize: 306KB
MD5: 2efcaa81c411f9cf1ed3d24127639b4c
SHA1: 2746cf37d3df500e9a4cdd4fc2642fde20fd7f32
SHA256: ed79727bda4315ea3470c15743540eac82ee746b704eb06f63520900b0949cfd
SHA512: fac99f968f5f1b4af9464ee7d98281391672bb3dec30abe23d67db3d95c722bb8fa1ca5739824321c2332c8e8de657c884378ab32ed6a46e0f745394a6e0b1f0
-
Filesize: 249KB
MD5: c8f8c03d058263c8f173f08e9b501347
SHA1: 594d877e9dc7f8fe5066926ca8e2626250db9601
SHA256: f69a8d21b1730811a02cf89d5eff5226c904e5246241bf5fe5ede52a68653822
SHA512: 69cdb329cd96c88af3f716037d4ba7da9fc6b488551d50921323d33ba8090099183a0e256544e581791b9ad34910816b72f6c3f8d4b131f8bb565fabb80df6d5
-
Filesize: 245KB
MD5: 6d106de00e220960af9c55e6a1bd426b
SHA1: 5c41ac77c2d6c08b6d52acd3dc4df50c84e96e0c
SHA256: 96a98c676e2e36a279f87346215fb4118aa11ddc4163861af771874bf7e493e8
SHA512: 4c8d7d8eb282118a8aba5397926b1f102e2d87dcdf74a401b45e35703067812fcfb560da55fd3254a6c17ae788dfb0ec09743019666975efb88f8362979071c4
-
Filesize: 265KB
MD5: 9ad4921f5377b49135bdc93d602e6015
SHA1: ec7228f6ad217ac03d589790931bd359fce6b38a
SHA256: 9f2eebdf3c579cb10526aad6e405cfd04eda73a015feb5c33cdd31eae15635cb
SHA512: cfbdbeb03192bd7929a41dfa4c1c81acb9235a4ae2f39fd6916493d80ea9195b98d8b4e391c36e3bb79118282310e7d027072bc145c7d4034baca8d6a83ea444
-
Filesize: 467KB
MD5: bc13a62b3cfd41ee742ee6fc1693dab7
SHA1: d82c721c3f8a8f5205be82004969565163a3a2af
SHA256: 69db8d9e10c9f8b606fcb868e3bd716e77695a76a7fbab2998e47db8854f06b5
SHA512: 47f93ce70f7e34ff0cad86112381c50f493aae2a29cecf6d1d190f5d0789c71bb407d0ba536bbdeeb8fa5c77cb76aa79288a300358572f57fefa8e61f8b288c9
-
Filesize: 239KB
MD5: 5c087c5d6a51b5edf252403cb510a044
SHA1: e77011a386d64ad51080f7ac34bbfbfa672aa495
SHA256: 166b53ed11035f2ecbd67bd3670294cd43c09546bb903780dd0a1d1581f24cb2
SHA512: 8a5cff04546695bda4289b4657d6ae1605e79e667cf4652e483daedc7b4832b93c0d328aed1bb3958fb04c9f5fe31b1a5cb7a55c770ba7c42a3d00733b562522
-
Filesize: 284KB
MD5: 508ed35ac87bec7ef03bbee3b22c9ab8
SHA1: 92268ae3bcf9445d2bf3878823a0bbfb8bf1ed2c
SHA256: b0dd3a7da3b9e6622a60b6c9684250e493d541eefad27430417ba3c9bd2651a7
SHA512: 34833ee99a1cd1b2e8d7d0d232d150d573ba4dd567a981af34e2f5ca0194b301628ded3a01452311e395f4c308b64d9f05fff569198c198e5ffa2ae0e44ce2ec
-
Filesize: 326KB
MD5: 86f90d5d2909ad718abd8c869c576ecc
SHA1: 6979e598dd16a40585cf567499fddea0349ac4c7
SHA256: 1e9ce85901903594ad5efc1e769a0708c0792f85826dbf4f86a44d63a8317658
SHA512: e73eb20839e0d5a904f9283fe3344662c7122359328948bbeb16bcba4664783fd905b055c8343fe1385a6d96fcb1e5100d71efc4244c6f4c8d7bee4ad48970d3
-
Filesize: 299KB
MD5: 1d35a458657e280ba07b7a7c41f258a0
SHA1: 3a822fc261fec5ea069448c1e5fbb7f2b9c86b17
SHA256: f10c4257d68e253b67a8ee09e259fef1c8cf0c1d390becc11bd52993df528777
SHA512: 7ea8ea92a19583ab2e183ebaa858ddc731776a74357c40875ed09e2cc13ddf28e16d265e3bc1b0ab9dc6f4ae0c22eef0aa51179b9b3608621cc0b348d6768305