povertystealer | 60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe
Size

7.7MB
MD5

5b0da2986d8126c685d56dc0d9e8dad5
SHA1

c0628d0b8443a90f73ee58f16eb1ad2ab8aaf772
SHA256

60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699
SHA512

f9e3f10e86607b607e0a37c106d0aa2864d7b81586ac4bd235fa85d2be031297bc2941593a4de9e8c268b8728075ac2bbc9af17d71f8e2104b61de961d9289dc
SSDEEP

196608:qEnsnPt8wA6qas/UbVIblRpU3eTcfWPLZdxcno4lxTG:uP6v6rs26pUALPLZdxcnJ

Score

10^/10

povertystealer evasion spyware stealer themida trojan

Malware Config

Signatures

Detect Poverty Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1284-5-0x0000000000400000-0x000000000154A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Detects executables packed with Themida 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1284-0-0x0000000000400000-0x000000000154A000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/1284-2-0x0000000000400000-0x000000000154A000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral2/memory/1284-5-0x0000000000400000-0x000000000154A000-memory.dmp	INDICATOR_EXE_Packed_Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1284-0-0x0000000000400000-0x000000000154A000-memory.dmp	themida
behavioral2/memory/1284-2-0x0000000000400000-0x000000000154A000-memory.dmp	themida
behavioral2/memory/1284-5-0x0000000000400000-0x000000000154A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

pid process

1284 60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

pid	process
1284	60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe
1284	60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe

C:\Users\Admin\AppData\Local\Temp\60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe
"C:\Users\Admin\AppData\Local\Temp\60ff1ff227903adf83707a10175d93e241cfa777f99a2df229cf33cb9240d699.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
1⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-0-0x0000000000400000-0x000000000154A000-memory.dmp

Filesize
17.3MB

Download
memory/1284-1-0x0000000077554000-0x0000000077556000-memory.dmp

Filesize
8KB

Download
memory/1284-2-0x0000000000400000-0x000000000154A000-memory.dmp

Filesize
17.3MB

Download
memory/1284-3-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/1284-5-0x0000000000400000-0x000000000154A000-memory.dmp

Filesize
17.3MB

Download