povertystealer | d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe
Size

3.0MB
MD5

a8048bd6fc7d336d7f6e0fd6800da673
SHA1

f28db14f2884ac1db0ce53a7ec7bee572541d902
SHA256

d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d
SHA512

570d1ac52dcb8f6c67983a4af99fece9f47e03beba83b9b2c95ce544f5b5f40c8c7e46019f5e106b258de2affee91988053dbab9e777e1c115d3803513eea066
SSDEEP

49152:zR5PaMqlX9BK+ndEBk6/HOg7wFXW3zrFlvmh+JJRV8EeCrXy7295sAZub1R:zR59qtaBk0HOXXWHbbbrNub

Score

10^/10

povertystealer stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1904-86-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/1904-94-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/1904-96-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer
behavioral1/memory/1904-95-0x0000000000400000-0x000000000040A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Executes dropped EXE 7 IoCs

pid	Process
2632	7z.exe
2656	7z.exe
2552	7z.exe
2380	7z.exe
2456	7z.exe
2896	7z.exe
2676	nmYIeCI7gcMH.exe

Loads dropped DLL 12 IoCs

pid	Process
2584	cmd.exe
2632	7z.exe
2584	cmd.exe
2656	7z.exe
2584	cmd.exe
2552	7z.exe
2584	cmd.exe
2380	7z.exe
2584	cmd.exe
2456	7z.exe
2584	cmd.exe
2896	7z.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 1904	2676	nmYIeCI7gcMH.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2676	nmYIeCI7gcMH.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeRestorePrivilege	2632	7z.exe
Token: 35	2632	7z.exe
Token: SeSecurityPrivilege	2632	7z.exe
Token: SeSecurityPrivilege	2632	7z.exe
Token: SeRestorePrivilege	2656	7z.exe
Token: 35	2656	7z.exe
Token: SeSecurityPrivilege	2656	7z.exe
Token: SeSecurityPrivilege	2656	7z.exe
Token: SeRestorePrivilege	2552	7z.exe
Token: 35	2552	7z.exe
Token: SeSecurityPrivilege	2552	7z.exe
Token: SeSecurityPrivilege	2552	7z.exe
Token: SeRestorePrivilege	2380	7z.exe
Token: 35	2380	7z.exe
Token: SeSecurityPrivilege	2380	7z.exe
Token: SeSecurityPrivilege	2380	7z.exe
Token: SeRestorePrivilege	2456	7z.exe
Token: 35	2456	7z.exe
Token: SeSecurityPrivilege	2456	7z.exe
Token: SeSecurityPrivilege	2456	7z.exe
Token: SeRestorePrivilege	2896	7z.exe
Token: 35	2896	7z.exe
Token: SeSecurityPrivilege	2896	7z.exe
Token: SeSecurityPrivilege	2896	7z.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2584	2284	d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe	28
PID 2284 wrote to memory of 2584	2284	d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe	28
PID 2284 wrote to memory of 2584	2284	d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe	28
PID 2284 wrote to memory of 2584	2284	d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe	28
PID 2584 wrote to memory of 2532	2584	cmd.exe	30
PID 2584 wrote to memory of 2532	2584	cmd.exe	30
PID 2584 wrote to memory of 2532	2584	cmd.exe	30
PID 2584 wrote to memory of 2632	2584	cmd.exe	31
PID 2584 wrote to memory of 2632	2584	cmd.exe	31
PID 2584 wrote to memory of 2632	2584	cmd.exe	31
PID 2584 wrote to memory of 2656	2584	cmd.exe	32
PID 2584 wrote to memory of 2656	2584	cmd.exe	32
PID 2584 wrote to memory of 2656	2584	cmd.exe	32
PID 2584 wrote to memory of 2552	2584	cmd.exe	33
PID 2584 wrote to memory of 2552	2584	cmd.exe	33
PID 2584 wrote to memory of 2552	2584	cmd.exe	33
PID 2584 wrote to memory of 2380	2584	cmd.exe	34
PID 2584 wrote to memory of 2380	2584	cmd.exe	34
PID 2584 wrote to memory of 2380	2584	cmd.exe	34
PID 2584 wrote to memory of 2456	2584	cmd.exe	35
PID 2584 wrote to memory of 2456	2584	cmd.exe	35
PID 2584 wrote to memory of 2456	2584	cmd.exe	35
PID 2584 wrote to memory of 2896	2584	cmd.exe	36
PID 2584 wrote to memory of 2896	2584	cmd.exe	36
PID 2584 wrote to memory of 2896	2584	cmd.exe	36
PID 2584 wrote to memory of 2668	2584	cmd.exe	37
PID 2584 wrote to memory of 2668	2584	cmd.exe	37
PID 2584 wrote to memory of 2668	2584	cmd.exe	37
PID 2584 wrote to memory of 2676	2584	cmd.exe	38
PID 2584 wrote to memory of 2676	2584	cmd.exe	38
PID 2584 wrote to memory of 2676	2584	cmd.exe	38
PID 2584 wrote to memory of 2676	2584	cmd.exe	38
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43
PID 2676 wrote to memory of 1904	2676	nmYIeCI7gcMH.exe	43

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe
"C:\Users\Admin\AppData\Local\Temp\d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p125762329330388294023250819845 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\system32\attrib.exe
    attrib +H "nmYIeCI7gcMH.exe"
    3⤵
    - Views/modifies file attributes
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe
    "nmYIeCI7gcMH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
868KB

MD5
3549373b82e0998ea4ea58326703539c

SHA1
12e12ae6828b3eefbba2730251e9e95c858c4892

SHA256
73aef45374e092d4dcb0d7119224c751b544cb368b4c8b41fad23cf5e1907c5e

SHA512
a36d9fabf61448ada584f9973f629ae808d87dfb6146282c5ddff9d25ea0bd8ec05ca4f33ad11096b60f0a0c85b73a7638ab9d1f2e92c96ed6965024729849ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
392KB

MD5
499b3de17a0b7ad45d950d41debaa72d

SHA1
b7e63f539a54db99ffd9b925d7003bec1b51e2d6

SHA256
2dd9c441d43273c8ba1872c616aee75907ee1ced240adcc744a0b2edc642b2cb

SHA512
660e5120d75716d89c2233108b5d593652b9110cbf8fb0027cb1bf0f18e767a3750848ee4949913a121785c8fa393423d15aad4e833c6564b940752bae455220

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
8KB

MD5
fc6c3ee130fb5d7aaaabb17a9d6ab43f

SHA1
a25b6e27181fcc5de582d6f74557f267a07bbfd1

SHA256
0756ef6a30a007fa0a620b80f7ba983a9454edf42ededd484e601d1b6eea05f6

SHA512
2537d355749e110a4fa88d9e98d4ef4bc19ff4ce241cb697700ca95b51beb4a9345d1c02825a64c72b8d9c31c3f4703042bd4f552060530a1506aafa1a10a529

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
47e8ed572da00474326b4cee8f85b005

SHA1
94bceabdc880c41d73d6c984a9d61c31dd29ce91

SHA256
abd52eb132c8c23669233a656f036a0e07692efd398894b724b61b66a75564af

SHA512
31da04b57f0ef1b3363a3fa4855ca576d9159d374de0d2d9defb5524e67fed740441dcc2245a246daecab6260a419c02a32770ee9be53a2ddbede9dd4848d624

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
509KB

MD5
5f79b89dbaf23387caa818b0da7b8ea2

SHA1
3c38d94819331fd551c07048841cfe6ecbf29e18

SHA256
7abc58d9dd3dee48f88629c8dcaf12e72a337f8bf1dbce59d464ab6ed698b726

SHA512
a6381f3b0d3184ab098e9a40ca65dd1cec76cb7e0cfe13a5c2d188e4c8e6d077286c70a366ad6ffc7e7f68faa6240a730b7034fcaa00d1c1f0922e42c1edb8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
509KB

MD5
763cb011f068f184a672e254d3ce3c39

SHA1
59eb148e6ad321cac5396e6a58c1528f7932befb

SHA256
d25782f4a9573c40747458b6916e9332b34a349b3011ec85dd5d11a583a87105

SHA512
530b8c0ad90b53f38cd56ffaf3766f33167c9922e55f8485ca87019275730c94dd6a84a1d9578163c45bae2743cf6981041f9ccc97ceb822f8d607f94a0c1d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
509KB

MD5
210ee7f34c0ff268d33d598a49eb889a

SHA1
876dea438f3f365513159630a12a2192fecd8b7f

SHA256
9d8ee7edf36676633d624774cb194a45ef8ae286cb5e9591d46c20be57a9282f

SHA512
383bb66f996b858d4ef23eed2264c4f890d47aca7b3da88587e3bb6454183f8d35e44411b08eecafe3fbb0638610cd872d1d00402dd8ff0b660102a44b53bcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
509KB

MD5
4ab6b1ed8f26df37c531a80147982511

SHA1
25d59710197c30eee836096dfcce139ba84f978a

SHA256
33f73488015443cc05fa02d1c0723921502de5cac3206cf9fc433472a2afb162

SHA512
a582e4cd93baf45b48aad086ffc5edab4ec899cbd029e9e740e93cf34a2aff492f14c92ed2efc0339fc4eed979311600007fca3075abda28232d9d351dd49e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
551KB

MD5
7f43ecf68bad3e64db22693bf52cd62a

SHA1
a79b491e9c04158cf598b77a18fb862931ec8e86

SHA256
c1a409c30a5952f5f7c02fa86fc36c3a21caeecd7e54b3e50189448248b42a4a

SHA512
e51abc5a06da3ec264178f2af0821bb3787454823f0bacf3674018e2655149ff1f4bd71b07545363f098cc40457ffa9668bc39523648f312e4272990eea3fc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\nmYIeCI7gcMH.exe

Filesize
619KB

MD5
53c6cf5bf9ce4922b3dc9bf9cc2374a2

SHA1
b9a0d229a47fadaaa0898d32dce3aac279ac8569

SHA256
2bb1a0a95249e3bcca1fdfc740bc91df10dc9c8cd834707a0b5a31883eb6867e

SHA512
d323cfdfc3db5c5ce70ba572c0c657def11c3b36703a029977f5c5ddfdb278dfd1eea8950686d7a566dcd550aa0c854ceb035e6e67fcb377a8fc50dc4e0cd64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.1MB

MD5
afaebf70e6daf7bf2e07cd11f93ee4a1

SHA1
4e8b08b3e50f860955bd00d16fc1653c07b7c608

SHA256
4a9d76fb9d77efaf81616e750b928ba3955599acafb2c0fec0d7ce412db0f47b

SHA512
4db3a63f03f8816b85fdb905e2a2f08967f9f3735206f08f2cae8b8cd561e8563d2f92c188d32b94fdb6d472e07c5f41f54e26673f8a81449454225220ba397f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
491B

MD5
12b875e85a885c81bc04161e9df9151a

SHA1
7d9e32a575e487611abb182b4d89b1ab4f4e7a06

SHA256
97e80e083ba83a031bb03097cd81d86708165cd7eb1c070782e6a7234de784a5

SHA512
3ba38a4024287bcaeee208a1c0158fae73a86d5581cf566309985bbd204e810eb5fd099a1816a9326c9e25bb08a2da20f2a4884978eb4e4ed8a3762c1057d0ca

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
595KB

MD5
d4ccdb8a15ba83d3c02a6d0d5453600a

SHA1
44aecfc7bda699b99e8ad6442207b5737fa0a90b

SHA256
d6df82eb9186015777c921b0897633c92ffd5f0dc7d0bb37a31c40d3ef263db4

SHA512
4229fe017395bf6fb1ecb65aa3f93b03142549bef2310081ca7f508bb6866129ce9bf08f6b62f8011517c36053437ac334546982f5c7e65384fdb96b33ddb7f3

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
719KB

MD5
a112304139afc52539a14d53143995d8

SHA1
e1c10fd6022a426a6aaaad949c8c4cbc49592b3b

SHA256
ddc234997236604437e08cd76db024e41c024ddcc22013ce8cd6d08438f3cab7

SHA512
66452925ba83e805e456b5ec4c9724bfd05ce60078183fb854af8cf7058e8b302248a7a67a2a3626ea0874dadf20795a5d99f7540b50bf493e685e902a82375c

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
161KB

MD5
d2a569568d5f8d45a1d0886372a38fe9

SHA1
a0c843eecb2b5529ecb7c9d0e65fa58bcb403692

SHA256
464e07fc2a82c5dd6fab433092299e2a0ffd2bd71e7cdc5e9f8dd5239b7d1762

SHA512
692454c9e4edd770c148157403ed693821e2757a6d18919f71b4f9758405b5e05019a477df439a98cc987b1f5517837b56a9a23f58bdad99fba5b0fd8719f2fc

Download Submit
memory/1904-94-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1904-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1904-86-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1904-84-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1904-96-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1904-95-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1904-99-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2676-83-0x0000000000170000-0x0000000000270000-memory.dmp

Filesize
1024KB

Download