Analysis Overview
SHA256
b60c3215377f38a632dab305b8793a1e663cf95f8c98b884aa1cba5700e227ee
Threat Level: Known bad
The file 725a272d58c38263bac81cc348f27923.exe was found to be: Known bad.
Malicious Activity Summary
Poverty Stealer
Detect Poverty Stealer Payload
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-07 06:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-07 06:50
Reported
2024-02-07 06:52
Platform
win7-20231215-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe
"C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 146.70.169.164:2227 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
\??\c:\users\admin\appdata\local\temp\rarsfx1\hftsef.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-07 06:50
Reported
2024-02-07 06:52
Platform
win10v2004-20231215-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe
"C:\Users\Admin\AppData\Local\Temp\725a272d58c38263bac81cc348f27923.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 146.70.169.164:2227 | | tcp |
| US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hftsef.exe