povertystealer | 947ef875bd33912333be6b33291752cfc2c29393adbaa5ce78cdfa0b3aefc75d

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 08:11

Target

1f4e76e35124c2fa6c41a96a30f6124a.exe
Size

6.4MB
MD5

1f4e76e35124c2fa6c41a96a30f6124a
SHA1

843de82efbd8d17d96733251ce723540a2c05e59
SHA256

947ef875bd33912333be6b33291752cfc2c29393adbaa5ce78cdfa0b3aefc75d
SHA512

2151d0ea0dc0072797ac62aeee36063c73bf8fae7fb8c0c21729f5afb08a4d2cdd4e357d6f2f4abccb815d1a4c855e3a7ad8a025fbdd4c6c3e27e7310cb728ec
SSDEEP

49152:0p0oLdmIlD/YsO/HessCMuFSYQSMN5vAjU4qfguFaWGS4NUBT+L12jO5E4hIIBWw:vEdmIlDqHeKFdPj5qfoLfEz6L/

Score

10^/10

Detect Poverty Stealer Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2628-10-0x0000000000080000-0x000000000008A000-memory.dmp	family_povertystealer
behavioral1/memory/2628-7-0x0000000000080000-0x000000000008A000-memory.dmp	family_povertystealer
behavioral1/memory/2628-13-0x0000000000080000-0x000000000008A000-memory.dmp	family_povertystealer
behavioral1/memory/2628-12-0x0000000000080000-0x000000000008A000-memory.dmp	family_povertystealer
behavioral1/memory/2628-18-0x0000000000080000-0x000000000008A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1440 set thread context of 2628	1440	1f4e76e35124c2fa6c41a96a30f6124a.exe	28

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2628	1440	1f4e76e35124c2fa6c41a96a30f6124a.exe	28
PID 1440 wrote to memory of 2628	1440	1f4e76e35124c2fa6c41a96a30f6124a.exe	28
PID 1440 wrote to memory of 2628	1440	1f4e76e35124c2fa6c41a96a30f6124a.exe	28
PID 1440 wrote to memory of 2628	1440	1f4e76e35124c2fa6c41a96a30f6124a.exe	28
PID 1440 wrote to memory of 2628	1440	1f4e76e35124c2fa6c41a96a30f6124a.exe	28
PID 1440 wrote to memory of 2628	1440	1f4e76e35124c2fa6c41a96a30f6124a.exe	28

C:\Users\Admin\AppData\Local\Temp\1f4e76e35124c2fa6c41a96a30f6124a.exe
"C:\Users\Admin\AppData\Local\Temp\1f4e76e35124c2fa6c41a96a30f6124a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:2628

memory/1440-4-0x000000013F960000-0x0000000140025000-memory.dmp

Filesize
6.8MB

Download
memory/1440-11-0x000000013F960000-0x0000000140025000-memory.dmp

Filesize
6.8MB

Download
memory/2628-5-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2628-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-10-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2628-7-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2628-13-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2628-12-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2628-17-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2628-18-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download