Malware Analysis Report

2024-10-23 17:19

Sample ID: 240207-hlx5gsedb8
Target: 725a272d58c38263bac81cc348f27923.exe
SHA256: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee
Tags: povertystealer, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee

Threat Level: Known bad

The file 725a272d58c38263bac81cc348f27923.exe was found to be: Known bad.

Malicious Activity Summary

povertystealer spyware stealer

Poverty Stealer

Detect Poverty Stealer Payload

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-07 06:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-07 06:50
Reported: 2024-02-07 06:52
Platform: win7-20231215-en
Max time kernel: 120s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe"

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Poverty Stealer

stealer povertystealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
PID 344 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
PID 344 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
PID 344 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
PID 2204 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
PID 2204 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
PID 2204 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
PID 2204 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

Processes

C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe

"C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"

Network

Country Destination Domain Proto
DE 146.70.169.164:2227 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 138b89cd7998a23858a944fc0580fe45
SHA1 3d0c907b4b9f546f59d5a42d8b4826785907b715
SHA256 8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230
SHA512 7380d75c60c6297f8e0742da297bec0ff425a08d7254a0758f740cc66691a40b2283e6993d2ad6ce50ee29e103d97f32ad24d81d6bdcc1a15027ec3fac958dc9

\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

MD5 38d71977d7eb1451e0497d888b8b40d1
SHA1 12abfe0a3074280d31afe0dd66066bbc550bfb50
SHA256 d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c
SHA512 d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9

\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

MD5 f9e173adb416e37d28dc8951d191cba8
SHA1 c295b73b6fdc10acd8e39cc8e2f3e4c7f455ec29
SHA256 4727037d9e824b99cc05e95cc2ca5b8219010293539639a68a7cd8e2bf24c70d
SHA512 ef45f15f8cd61e11ce8b74c27b2361c681523bf7540395adeb3a1ca6bfdd04ca30038319a1190b029be00f778108ef0bd3a45fea38cbc0e5f282e49c76abdc87

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

MD5 f8726a5903161d645a8957c01fd39e31
SHA1 55d4a01a1fe198a1da2d64d671e700f856f1e10a
SHA256 d061ff38a7374571b9bbfaee92125476f7743088e38fe4fbd21a14d22fe53b7a
SHA512 63388b7955d8bd2cc083f189e4c03375ef54907f851f5a4c1d232e8832a4d9af172ad1b7ee4fc554a6ab20c94bc4246b7feb007b842f8f6534d5eff639511553

memory/2204-36-0x0000000003750000-0x0000000003ABC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

MD5 b63122d0d3ac4f6e693a913111cb5249
SHA1 d9a44f300be5eb2bec528ebb061368f209f97b2b
SHA256 da8cbe41fb81ab910d12cc246bd167832ec5e4449637f4a8d2e4dde09a372d2c
SHA512 769e7840446af9670a188f49d0adb791e4a2e2575e3b54e3aa6d489c1bee89fbffc53a0864487b3a912d27be4518aaf1cd0586342f525b976c9a68ddd3193d35

memory/2204-38-0x0000000003750000-0x0000000003ABC000-memory.dmp

memory/2204-39-0x0000000003750000-0x0000000003ABC000-memory.dmp

memory/2816-40-0x0000000001090000-0x00000000013FC000-memory.dmp

\??\c:\users\admin\appdata\local\temp\rarsfx1\hftsef.exe

MD5 3a238589449be9cff3db73672cfe0615
SHA1 dc5a50ff166a75c545980bb4ee9215b98ec48566
SHA256 d6c3a8a89ce45d2dfd2588869ce17e06ecf08b315c2be774c5e1a24bb84555ae
SHA512 c9a43e5fad3798c27fd8abe125205fb702a4e15af65264c67e8ec1ba047fe6f04eef2bcf5f8dfb9e4a6a8b3c34e5f4a20828aa6cf260e44be127ea827972ca03

memory/2816-42-0x0000000000210000-0x0000000000211000-memory.dmp

memory/2816-43-0x0000000001090000-0x00000000013FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-07 06:50
Reported: 2024-02-07 06:52
Platform: win10v2004-20231215-en
Max time kernel: 146s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe"

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Poverty Stealer

stealer povertystealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe

"C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 146.70.169.164:2227 tcp
US 8.8.8.8:53 164.169.70.146.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 138b89cd7998a23858a944fc0580fe45
SHA1 3d0c907b4b9f546f59d5a42d8b4826785907b715
SHA256 8b01d914e3ab190a3c305acb8b124841064d2d9f15163d193dfe7969d7f93230
SHA512 7380d75c60c6297f8e0742da297bec0ff425a08d7254a0758f740cc66691a40b2283e6993d2ad6ce50ee29e103d97f32ad24d81d6bdcc1a15027ec3fac958dc9

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe

MD5 38d71977d7eb1451e0497d888b8b40d1
SHA1 12abfe0a3074280d31afe0dd66066bbc550bfb50
SHA256 d720711e2a7717437c0116adeeb382ef61a717bc91faa90a0e06a63f9d7c763c
SHA512 d3150d7ba767bd1a455b0875ab70a1cc436e59dd2f88d40941f3f4605d44e72e82c106381d2706e01528159d411d3f6d3b0964bb7de58d3a26582e353d3f25b9

memory/4876-19-0x0000000000C20000-0x0000000000F8C000-memory.dmp

memory/4876-20-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/4876-21-0x0000000000C20000-0x0000000000F8C000-memory.dmp