Analysis
- max time kernel: 129s
- max time network: 133s
- platform: windows10-1703_x64
- resource: win10-20231215-en
- resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 10-02-2024 11:39
Static task
- static1

Behavioral task
- behavioral1
  - Sample: ElectronR/Electron.exe
  - Resource: win10-20231215-en

Behavioral task
- behavioral2
  - Sample: ElectronR/WpfAnimatedGif.dll
  - Resource: win10-20231220-en

Behavioral task
- behavioral3
  - Sample: ElectronR/binkawin.dll
  - Resource: win10-20231215-en

Behavioral task
- behavioral4
  - Sample: ElectronR/cef_extensions.js
  - Resource: win10-20231215-en

Behavioral task
- behavioral5
  - Sample: ElectronR/metod 2/loader.exe
  - Resource: win10-20231215-en
General
- Target: ElectronR/metod 2/loader.exe
- Size: 222KB
- MD5: d21b999040db0b326696983a772f862a
- SHA1: 77f4fd6966bb5231b1e70b1513cc8c72e41ee37f
- SHA256: 13fd7e1bb427d92b65e9d9d868b653e2fbf73974268204146bb3a38618ab7082
- SHA512: 8d7a23d58c5ce24ab5c515c7bb4374639fcef4bc106563d6bf2e3a5dd1e582795864952f879dfb8bb7342825ac13740caec0633297c9dbecd2cc67920ceb0d70
- SSDEEP: 3072:XDKW1FgppLRHMY0TBfJvjcTp5XMlbchJjQfhd6S34vgI1P1fRfxA:XDKW1Fgbdl0TBBvjc/Mp4+hdov14
Malware Config
Signatures
- Detect Poverty Stealer Payload (10 IoCs)
  Processes (resource / yara_rule):
  - behavioral5/memory/5028-10-0x0000000000400000-0x000000000040A000-memory.dmp / family_povertystealer
  - behavioral5/memory/5028-13-0x0000000000400000-0x000000000040A000-memory.dmp / family_povertystealer
  - behavioral5/memory/5052-15-0x00000000026A0000-0x00000000046A0000-memory.dmp / family_povertystealer
  - behavioral5/memory/5028-17-0x0000000000400000-0x000000000040A000-memory.dmp / family_povertystealer
  - behavioral5/memory/5028-18-0x0000000000400000-0x000000000040A000-memory.dmp / family_povertystealer
  - behavioral5/memory/5028-19-0x0000000000400000-0x000000000040A000-memory.dmp / family_povertystealer
  - behavioral5/memory/5028-21-0x0000000000400000-0x000000000040A000-memory.dmp / family_povertystealer
  - behavioral5/memory/5028-22-0x0000000000400000-0x000000000040A000-memory.dmp / family_povertystealer
  - behavioral5/memory/5028-23-0x0000000000400000-0x000000000040A000-memory.dmp / family_povertystealer
  - behavioral5/memory/5052-24-0x00000000026A0000-0x00000000046A0000-memory.dmp / family_povertystealer

- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
- .NET Reactor protector (2 IoCs)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Processes (resource / yara_rule):
  - behavioral5/memory/5052-0-0x0000000002460000-0x0000000002480000-memory.dmp / net_reactor
  - behavioral5/memory/5052-6-0x00000000025F0000-0x000000000260E000-memory.dmp / net_reactor
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 5052 set thread context of 5028 / 5052 / loader.exe / RegAsm.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 5052 wrote to memory of 5028 / 5052 / loader.exe / RegAsm.exe (this entry is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\ElectronR\metod 2\loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ElectronR\metod 2\loader.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 5052
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 5028