Analysis Overview
SHA256
b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee
Threat Level: Known bad
The file b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee was found to be: Known bad.
Malicious Activity Summary
Detect Poverty Stealer Payload
Poverty Stealer
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-07 04:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-07 04:52
Reported
2024-02-07 04:57
Platform
win7-20231215-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Poverty Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
"C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 146.70.169.164:2227 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| Hash | Value |
|---|---|
| MD5 | ff59d999beb970447667695ce3273f75 |
| SHA1 | 316fa09f467ba90ac34a054daf2e92e6e2854ff8 |
| SHA256 | 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2 |
| SHA512 | d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| Hash | Value |
|---|---|
| MD5 | 2efcaa81c411f9cf1ed3d24127639b4c |
| SHA1 | 2746cf37d3df500e9a4cdd4fc2642fde20fd7f32 |
| SHA256 | ed79727bda4315ea3470c15743540eac82ee746b704eb06f63520900b0949cfd |
| SHA512 | fac99f968f5f1b4af9464ee7d98281391672bb3dec30abe23d67db3d95c722bb8fa1ca5739824321c2332c8e8de657c884378ab32ed6a46e0f745394a6e0b1f0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| Hash | Value |
|---|---|
| MD5 | 53ae8f5d6314d6c207a663b41fabcc87 |
| SHA1 | 47e1986ab99b7adf7492995e34ff562ba726f876 |
| SHA256 | acc5eb4ade53ca501753e87bc3088d4bc808a334fda865a66a9e50363bc124be |
| SHA512 | fe5ed310512ac9997d616c44ee7bef38b6d725a6b6fa59bbc4bc26bcde23ccadaf8dfe2ff63097aab5233e07af23a324d1a47eac278469af986dd1b70001ba13 |
\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| Hash | Value |
|---|---|
| MD5 | bc13a62b3cfd41ee742ee6fc1693dab7 |
| SHA1 | d82c721c3f8a8f5205be82004969565163a3a2af |
| SHA256 | 69db8d9e10c9f8b606fcb868e3bd716e77695a76a7fbab2998e47db8854f06b5 |
| SHA512 | 47f93ce70f7e34ff0cad86112381c50f493aae2a29cecf6d1d190f5d0789c71bb407d0ba536bbdeeb8fa5c77cb76aa79288a300358572f57fefa8e61f8b288c9 |
\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
| Hash | Value |
|---|---|
| MD5 | 1d35a458657e280ba07b7a7c41f258a0 |
| SHA1 | 3a822fc261fec5ea069448c1e5fbb7f2b9c86b17 |
| SHA256 | f10c4257d68e253b67a8ee09e259fef1c8cf0c1d390becc11bd52993df528777 |
| SHA512 | 7ea8ea92a19583ab2e183ebaa858ddc731776a74357c40875ed09e2cc13ddf28e16d265e3bc1b0ab9dc6f4ae0c22eef0aa51179b9b3608621cc0b348d6768305 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
| Hash | Value |
|---|---|
| MD5 | 6d106de00e220960af9c55e6a1bd426b |
| SHA1 | 5c41ac77c2d6c08b6d52acd3dc4df50c84e96e0c |
| SHA256 | 96a98c676e2e36a279f87346215fb4118aa11ddc4163861af771874bf7e493e8 |
| SHA512 | 4c8d7d8eb282118a8aba5397926b1f102e2d87dcdf74a401b45e35703067812fcfb560da55fd3254a6c17ae788dfb0ec09743019666975efb88f8362979071c4 |
\??\c:\users\admin\appdata\local\temp\rarsfx1\hftsef.exe
| Hash | Value |
|---|---|
| MD5 | 9ad4921f5377b49135bdc93d602e6015 |
| SHA1 | ec7228f6ad217ac03d589790931bd359fce6b38a |
| SHA256 | 9f2eebdf3c579cb10526aad6e405cfd04eda73a015feb5c33cdd31eae15635cb |
| SHA512 | cfbdbeb03192bd7929a41dfa4c1c81acb9235a4ae2f39fd6916493d80ea9195b98d8b4e391c36e3bb79118282310e7d027072bc145c7d4034baca8d6a83ea444 |
memory/2276-40-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/2276-39-0x0000000001160000-0x00000000014CC000-memory.dmp
memory/2988-37-0x0000000003630000-0x000000000399C000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
| Hash | Value |
|---|---|
| MD5 | 86f90d5d2909ad718abd8c869c576ecc |
| SHA1 | 6979e598dd16a40585cf567499fddea0349ac4c7 |
| SHA256 | 1e9ce85901903594ad5efc1e769a0708c0792f85826dbf4f86a44d63a8317658 |
| SHA512 | e73eb20839e0d5a904f9283fe3344662c7122359328948bbeb16bcba4664783fd905b055c8343fe1385a6d96fcb1e5100d71efc4244c6f4c8d7bee4ad48970d3 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
| Hash | Value |
|---|---|
| MD5 | c8f8c03d058263c8f173f08e9b501347 |
| SHA1 | 594d877e9dc7f8fe5066926ca8e2626250db9601 |
| SHA256 | f69a8d21b1730811a02cf89d5eff5226c904e5246241bf5fe5ede52a68653822 |
| SHA512 | 69cdb329cd96c88af3f716037d4ba7da9fc6b488551d50921323d33ba8090099183a0e256544e581791b9ad34910816b72f6c3f8d4b131f8bb565fabb80df6d5 |
\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
| Hash | Value |
|---|---|
| MD5 | 508ed35ac87bec7ef03bbee3b22c9ab8 |
| SHA1 | 92268ae3bcf9445d2bf3878823a0bbfb8bf1ed2c |
| SHA256 | b0dd3a7da3b9e6622a60b6c9684250e493d541eefad27430417ba3c9bd2651a7 |
| SHA512 | 34833ee99a1cd1b2e8d7d0d232d150d573ba4dd567a981af34e2f5ca0194b301628ded3a01452311e395f4c308b64d9f05fff569198c198e5ffa2ae0e44ce2ec |
\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
| Hash | Value |
|---|---|
| MD5 | 5c087c5d6a51b5edf252403cb510a044 |
| SHA1 | e77011a386d64ad51080f7ac34bbfbfa672aa495 |
| SHA256 | 166b53ed11035f2ecbd67bd3670294cd43c09546bb903780dd0a1d1581f24cb2 |
| SHA512 | 8a5cff04546695bda4289b4657d6ae1605e79e667cf4652e483daedc7b4832b93c0d328aed1bb3958fb04c9f5fe31b1a5cb7a55c770ba7c42a3d00733b562522 |
memory/2276-41-0x0000000001160000-0x00000000014CC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-07 04:52
Reported
2024-02-07 04:57
Platform
win10-20231215-en
Max time kernel
71s
Max time network
184s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Poverty Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe
"C:\Users\Admin\AppData\Local\Temp\b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 52.142.223.178:80 | | tcp |
| DE | 146.70.169.164:2227 | | tcp |
| US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| Hash | Value |
|---|---|
| MD5 | ff59d999beb970447667695ce3273f75 |
| SHA1 | 316fa09f467ba90ac34a054daf2e92e6e2854ff8 |
| SHA256 | 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2 |
| SHA512 | d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| Hash | Value |
|---|---|
| MD5 | 138b89cd7998a23858a944fc0580fe45 |
| SHA1 | 3d0c907b4b9f546f59d5a42d8b4826785907b715 |
| SHA256 | 8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230 |
| SHA512 | 7380d75c60c6297f8e0742da297bec0ff425a08d7254a0758f740cc66691a40b2283e6993d2ad6ce50ee29e103d97f32ad24d81d6bdcc1a15027ec3fac958dc9 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
| Hash | Value |
|---|---|
| MD5 | 38d71977d7eb1451e0497d888b8b40d1 |
| SHA1 | 12abfe0a3074280d31afe0dd66066bbc550bfb50 |
| SHA256 | d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c |
| SHA512 | d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9 |
memory/1920-20-0x0000000000E70000-0x00000000011DC000-memory.dmp
memory/1920-21-0x00000000032C0000-0x00000000032C1000-memory.dmp
memory/1920-22-0x0000000000E70000-0x00000000011DC000-memory.dmp