povertystealer | b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee

General

Target

725a272d58c38263bac81cc348f27923.exe
Size

1.6MB
MD5

725a272d58c38263bac81cc348f27923
SHA1

940380233efcda57a22341e09515696d6b80bc25
SHA256

b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee
SHA512

55d9e6a2fc3b39f8ef333cef91c9c131039a8cffd9f353c5ee68aba3c35efa4f23928196fc89a9d633413287c084ad1bd6628ba92725f8e5ee8dafca9835691c
SSDEEP

24576:GubsnafAPyjSzZX6h6JbMwmULKfCgG07jgLkx0gW9Tm8nnlLclRPPYpyrQRlRdWV:YI4sMb+fZ3Px0gW9Tznnlc4IQrjWd7

Score

10^/10

Malware Config

Signatures

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2816-43-0x0000000001090000-0x00000000013FC000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Executes dropped EXE 2 IoCs

pid	Process
2204	work.exe
2816	hftsef.exe

Loads dropped DLL 5 IoCs

pid	Process
344	cmd.exe
2204	work.exe
2204	work.exe
2204	work.exe
2204	work.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2816	hftsef.exe
2816	hftsef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	hftsef.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 344	2220	725a272d58c38263bac81cc348f27923.exe	28
PID 2220 wrote to memory of 344	2220	725a272d58c38263bac81cc348f27923.exe	28
PID 2220 wrote to memory of 344	2220	725a272d58c38263bac81cc348f27923.exe	28
PID 2220 wrote to memory of 344	2220	725a272d58c38263bac81cc348f27923.exe	28
PID 344 wrote to memory of 2204	344	cmd.exe	30
PID 344 wrote to memory of 2204	344	cmd.exe	30
PID 344 wrote to memory of 2204	344	cmd.exe	30
PID 344 wrote to memory of 2204	344	cmd.exe	30
PID 2204 wrote to memory of 2816	2204	work.exe	31
PID 2204 wrote to memory of 2816	2204	work.exe	31
PID 2204 wrote to memory of 2816	2204	work.exe	31
PID 2204 wrote to memory of 2816	2204	work.exe	31

C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe
"C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.4MB

MD5
138b89cd7998a23858a944fc0580fe45

SHA1
3d0c907b4b9f546f59d5a42d8b4826785907b715

SHA256
8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230

SHA512
7380d75c60c6297f8e0742da297bec0ff425a08d7254a0758f740cc66691a40b2283e6993d2ad6ce50ee29e103d97f32ad24d81d6bdcc1a15027ec3fac958dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

Filesize
783KB

MD5
f8726a5903161d645a8957c01fd39e31

SHA1
55d4a01a1fe198a1da2d64d671e700f856f1e10a

SHA256
d061ff38a7374571b9bbfaee92125476f7743088e38fe4fbd21a14d22fe53b7a

SHA512
63388b7955d8bd2cc083f189e4c03375ef54907f851f5a4c1d232e8832a4d9af172ad1b7ee4fc554a6ab20c94bc4246b7feb007b842f8f6534d5eff639511553

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

Filesize
635KB

MD5
b63122d0d3ac4f6e693a913111cb5249

SHA1
d9a44f300be5eb2bec528ebb061368f209f97b2b

SHA256
da8cbe41fb81ab910d12cc246bd167832ec5e4449637f4a8d2e4dde09a372d2c

SHA512
769e7840446af9670a188f49d0adb791e4a2e2575e3b54e3aa6d489c1bee89fbffc53a0864487b3a912d27be4518aaf1cd0586342f525b976c9a68ddd3193d35

Download Submit
\??\c:\users\admin\appdata\local\temp\rarsfx1\hftsef.exe

Filesize
386KB

MD5
3a238589449be9cff3db73672cfe0615

SHA1
dc5a50ff166a75c545980bb4ee9215b98ec48566

SHA256
d6c3a8a89ce45d2dfd2588869ce17e06ecf08b315c2be774c5e1a24bb84555ae

SHA512
c9a43e5fad3798c27fd8abe125205fb702a4e15af65264c67e8ec1ba047fe6f04eef2bcf5f8dfb9e4a6a8b3c34e5f4a20828aa6cf260e44be127ea827972ca03

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

Filesize
1.1MB

MD5
38d71977d7eb1451e0497d888b8b40d1

SHA1
12abfe0a3074280d31afe0dd66066bbc550bfb50

SHA256
d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c

SHA512
d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

Filesize
1.1MB

MD5
f9e173adb416e37d28dc8951d191cba8

SHA1
c295b73b6fdc10acd8e39cc8e2f3e4c7f455ec29

SHA256
4727037d9e824b99cc05e95cc2ca5b8219010293539639a68a7cd8e2bf24c70d

SHA512
ef45f15f8cd61e11ce8b74c27b2361c681523bf7540395adeb3a1ca6bfdd04ca30038319a1190b029be00f778108ef0bd3a45fea38cbc0e5f282e49c76abdc87

Download Submit
memory/2204-38-0x0000000003750000-0x0000000003ABC000-memory.dmp

Filesize
3.4MB

Download
memory/2204-39-0x0000000003750000-0x0000000003ABC000-memory.dmp

Filesize
3.4MB

Download
memory/2204-36-0x0000000003750000-0x0000000003ABC000-memory.dmp

Filesize
3.4MB

Download
memory/2816-40-0x0000000001090000-0x00000000013FC000-memory.dmp

Filesize
3.4MB

Download
memory/2816-42-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2816-43-0x0000000001090000-0x00000000013FC000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing