Analysis
max time kernel: 71s
max time network: 184s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07-02-2024 04:52
Static task: static1
Behavioral task: behavioral1
  Sample: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
  Resource: win10-20231215-en
General
Target: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
Size: 1.6MB
MD5: 725a272d58c38263bac81cc348f27923
SHA1: 940380233efcda57a22341e09515696d6b80bc25
SHA256: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee
SHA512: 55d9e6a2fc3b39f8ef333cef91c9c131039a8cffd9f353c5ee68aba3c35efa4f23928196fc89a9d633413287c084ad1bd6628ba92725f8e5ee8dafca9835691c
SSDEEP: 24576:GubsnafAPyjSzZX6h6JbMwmULKfCgG07jgLkx0gW9Tm8nnlLclRPPYpyrQRlRdWV:YI4sMb+fZ3Px0gW9Tznnlc4IQrjWd7
Malware Config
Signatures
Detect Poverty Stealer Payload (1 IoCs)
Processes:
  resource: behavioral2/memory/1920-22-0x0000000000E70000-0x00000000011DC000-memory.dmp
  yara_rule: family_povertystealer
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  3804  work.exe
  1920  hftsef.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid   process
  1920  hftsef.exe
  1920  hftsef.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  1920  hftsef.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description         pid   process                                                                  target process
  wrote to memory of  2856  b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe  cmd.exe (PID 1064)
  wrote to memory of  2856  b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe  cmd.exe (PID 1064)
  wrote to memory of  2856  b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe  cmd.exe (PID 1064)
  wrote to memory of  1064  cmd.exe                                                                  work.exe (PID 3804)
  wrote to memory of  1064  cmd.exe                                                                  work.exe (PID 3804)
  wrote to memory of  1064  cmd.exe                                                                  work.exe (PID 3804)
  wrote to memory of  3804  work.exe                                                                 hftsef.exe (PID 1920)
  wrote to memory of  3804  work.exe                                                                 hftsef.exe (PID 1920)
  wrote to memory of  3804  work.exe                                                                 hftsef.exe (PID 1920)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2856
  2. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
     - Suspicious use of WriteProcessMemory
     PID: 1064
    3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
       Command line: work.exe -priverdD
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
       PID: 3804
      4. C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetWindowsHookEx
         PID: 1920
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 35B
MD5: ff59d999beb970447667695ce3273f75
SHA1: 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256: 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512: d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Filesize: 1.4MB
MD5: 138b89cd7998a23858a944fc0580fe45
SHA1: 3d0c907b4b9f546f59d5a42d8b4826785907b715
SHA256: 8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230
SHA512: 7380d75c60c6297f8e0742da297bec0ff425a08d7254a0758f740cc66691a40b2283e6993d2ad6ce50ee29e103d97f32ad24d81d6bdcc1a15027ec3fac958dc9

Filesize: 1.1MB
MD5: 38d71977d7eb1451e0497d888b8b40d1
SHA1: 12abfe0a3074280d31afe0dd66066bbc550bfb50
SHA256: d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c
SHA512: d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9