Analysis

max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-02-2024 06:50
Static task: static1

Behavioral task: behavioral1
  Sample: 725a272d58c38263bac81cc348f27923.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 725a272d58c38263bac81cc348f27923.exe
  Resource: win10v2004-20231215-en
General

Target: 725a272d58c38263bac81cc348f27923.exe
Size: 1.6MB
MD5: 725a272d58c38263bac81cc348f27923
SHA1: 940380233efcda57a22341e09515696d6b80bc25
SHA256: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee
SHA512: 55d9e6a2fc3b39f8ef333cef91c9c131039a8cffd9f353c5ee68aba3c35efa4f23928196fc89a9d633413287c084ad1bd6628ba92725f8e5ee8dafca9835691c
SSDEEP: 24576:GubsnafAPyjSzZX6h6JbMwmULKfCgG07jgLkx0gW9Tm8nnlLclRPPYpyrQRlRdWV:YI4sMb+fZ3Px0gW9Tznnlc4IQrjWd7
Malware Config
Signatures
- Detect Poverty Stealer Payload (1 IoC)
  Resource (YARA rule match):
    behavioral2/memory/4876-21-0x0000000000C20000-0x0000000000F8C000-memory.dmp    family_povertystealer
  Poverty Stealer is a crypto and infostealer written in C++.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation    725a272d58c38263bac81cc348f27923.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation    work.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 5096  work.exe
    PID 4876  hftsef.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    PID 4876  hftsef.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 4876  hftsef.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (each pair is listed three times in the report):
    PID 1308 wrote to memory of 640    725a272d58c38263bac81cc348f27923.exe -> cmd.exe
    PID 640 wrote to memory of 5096    cmd.exe -> work.exe
    PID 5096 wrote to memory of 4876   work.exe -> hftsef.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe"
   PID: 1308
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      PID: 640
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
         Command line: work.exe -priverdD
         PID: 5096
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
            PID: 4876
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx
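The WriteProcessMemory, "Executes dropped EXE" and YARA signatures above are three views of the same four-process chain. The script below is an added example (editor's code, not part of the Triage report or of the sample) that parses those signature lines, collapses the repeated WriteProcessMemory entries into unique writer->target edges, checks each edge against the parent/child links of the process tree, traces the process that carries the family_povertystealer hit back to the submitted sample, and decodes the memory-dump file name into a PID, dump index and region size. The event strings, the tree and the dump name are copied from this report; the labelling of an edge as "process creation" (a parent writing into the child it has just spawned, which is what CreateProcess does) versus "cross-process write" is the editor's interpretation and not a Triage verdict.

```python
import re
from collections import OrderedDict

# Constructed input, copied from the report's "Suspicious use of WriteProcessMemory"
# section; each parent->child pair appears three times there.
WPM_EVENTS = [
    "PID 1308 wrote to memory of 640 1308 725a272d58c38263bac81cc348f27923.exe cmd.exe",
] * 3 + [
    "PID 640 wrote to memory of 5096 640 cmd.exe work.exe",
] * 3 + [
    "PID 5096 wrote to memory of 4876 5096 work.exe hftsef.exe",
] * 3

# Constructed input, from the report's "Processes" section: pid -> (image, parent pid).
PROCESS_TREE = {
    1308: ("725a272d58c38263bac81cc348f27923.exe", None),
    640:  ("cmd.exe", 1308),
    5096: ("work.exe", 640),
    4876: ("hftsef.exe", 5096),
}

# From "Executes dropped EXE".
DROPPED_PIDS = {5096, 4876}

# From the YARA hit; Triage names dumps <pid>-<dump index>-<start>-<end>-memory.dmp.
YARA_HIT = "behavioral2/memory/4876-21-0x0000000000C20000-0x0000000000F8C000-memory.dmp"

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
DUMP_RE = re.compile(r"(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_wpm(events):
    """Collapse the per-call lines into unique (writer pid, target pid) edges with a count."""
    edges = OrderedDict()
    for line in events:
        m = WPM_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised WriteProcessMemory line: {line!r}")
        key = (int(m[1]), int(m[2]))
        if key not in edges:
            edges[key] = {"writer": m[3], "target": m[4], "count": 0}
        edges[key]["count"] += 1
    return edges


def classify_edges(edges, tree, dropped):
    """Label each edge.  A write into the writer's own freshly spawned child is how
    CreateProcess sets the child up; a write into any other process is the injection
    case to chase.  This split is the editor's interpretation, not a Triage verdict."""
    labels = {}
    for (writer, target), _ in edges.items():
        parent = tree.get(target, (None, None))[1]
        kind = "process creation" if parent == writer else "cross-process write (possible injection)"
        if target in dropped:
            kind += ", target is a dropped EXE"
        labels[(writer, target)] = kind
    return labels


def lineage(tree, pid):
    """Root-to-pid chain of PIDs, so an IoC on a deep child can be traced to the sample."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = tree[pid][1]
    return chain[::-1]


def parse_dump_name(path):
    """Split a Triage memory-dump file name into pid, dump index and region bounds."""
    m = DUMP_RE.search(path)
    if m is None:
        raise ValueError(f"not a Triage memory dump name: {path!r}")
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "dump_index": int(m[2]),
            "start": start, "end": end, "size": end - start}


def report():
    """Summary lines; returned rather than only printed so they can be checked."""
    edges = parse_wpm(WPM_EVENTS)
    labels = classify_edges(edges, PROCESS_TREE, DROPPED_PIDS)
    lines = []
    for (w, t), info in edges.items():
        lines.append(f"{w} {info['writer']} -> {t} {info['target']}: "
                     f"{info['count']} entries, {labels[(w, t)]}")
    dump = parse_dump_name(YARA_HIT)
    names = " -> ".join(f"{p} {PROCESS_TREE[p][0]}" for p in lineage(PROCESS_TREE, dump["pid"]))
    lines.append(f"family_povertystealer hit in pid {dump['pid']} (dump #{dump['dump_index']}), "
                 f"region 0x{dump['start']:X}-0x{dump['end']:X}, {dump['size']:#x} bytes "
                 f"({dump['size'] / 2**20:.1f} MiB); lineage: {names}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as a script it prints one line per edge plus the dump summary. For this report every edge coincides with a parent launching the child shown in the process tree, so nothing is flagged as a cross-process write; the dumped region in PID 4876 spans 0x36C000 bytes, about 3.4 MiB, which is the in-memory payload the family_povertystealer rule matched rather than any file on disk.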
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 35B
  MD5: ff59d999beb970447667695ce3273f75
  SHA1: 316fa09f467ba90ac34a054daf2e92e6e2854ff8
  SHA256: 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
  SHA512: d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

- Filesize: 1.4MB
  MD5: 138b89cd7998a23858a944fc0580fe45
  SHA1: 3d0c907b4b9f546f59d5a42d8b4826785907b715
  SHA256: 8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230
  SHA512: 7380d75c60c6297f8e0742da297bec0ff425a08d7254a0758f740cc66691a40b2283e6993d2ad6ce50ee29e103d97f32ad24d81d6bdcc1a15027ec3fac958dc9

- Filesize: 1.1MB
  MD5: 38d71977d7eb1451e0497d888b8b40d1
  SHA1: 12abfe0a3074280d31afe0dd66066bbc550bfb50
  SHA256: d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c
  SHA512: d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9