povertystealer | 947ef875bd33912333be6b33291752cfc2c29393adbaa5ce78cdfa0b3aefc75d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 08:11

Target

1f4e76e35124c2fa6c41a96a30f6124a.exe
Size

6.4MB
MD5

1f4e76e35124c2fa6c41a96a30f6124a
SHA1

843de82efbd8d17d96733251ce723540a2c05e59
SHA256

947ef875bd33912333be6b33291752cfc2c29393adbaa5ce78cdfa0b3aefc75d
SHA512

2151d0ea0dc0072797ac62aeee36063c73bf8fae7fb8c0c21729f5afb08a4d2cdd4e357d6f2f4abccb815d1a4c855e3a7ad8a025fbdd4c6c3e27e7310cb728ec
SSDEEP

49152:0p0oLdmIlD/YsO/HessCMuFSYQSMN5vAjU4qfguFaWGS4NUBT+L12jO5E4hIIBWw:vEdmIlDqHeKFdPj5qfoLfEz6L/

Score

10^/10

Detect Poverty Stealer Payload 7 IoCs

resource	yara_rule
behavioral2/memory/4772-5-0x00000000003C0000-0x00000000003CA000-memory.dmp	family_povertystealer
behavioral2/memory/4772-8-0x00000000003C0000-0x00000000003CA000-memory.dmp	family_povertystealer
behavioral2/memory/4772-9-0x00000000003C0000-0x00000000003CA000-memory.dmp	family_povertystealer
behavioral2/memory/4772-10-0x00000000003C0000-0x00000000003CA000-memory.dmp	family_povertystealer
behavioral2/memory/4772-13-0x00000000003C0000-0x00000000003CA000-memory.dmp	family_povertystealer
behavioral2/memory/4772-14-0x00000000003C0000-0x00000000003CA000-memory.dmp	family_povertystealer
behavioral2/memory/4772-15-0x00000000003C0000-0x00000000003CA000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 4772	2324	1f4e76e35124c2fa6c41a96a30f6124a.exe	90

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4772	2324	1f4e76e35124c2fa6c41a96a30f6124a.exe	90
PID 2324 wrote to memory of 4772	2324	1f4e76e35124c2fa6c41a96a30f6124a.exe	90
PID 2324 wrote to memory of 4772	2324	1f4e76e35124c2fa6c41a96a30f6124a.exe	90
PID 2324 wrote to memory of 4772	2324	1f4e76e35124c2fa6c41a96a30f6124a.exe	90
PID 2324 wrote to memory of 4772	2324	1f4e76e35124c2fa6c41a96a30f6124a.exe	90

C:\Users\Admin\AppData\Local\Temp\1f4e76e35124c2fa6c41a96a30f6124a.exe
"C:\Users\Admin\AppData\Local\Temp\1f4e76e35124c2fa6c41a96a30f6124a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:4772

memory/2324-4-0x00007FF6E3220000-0x00007FF6E38E5000-memory.dmp

Filesize
6.8MB

Download
memory/2324-6-0x00007FF6E3220000-0x00007FF6E38E5000-memory.dmp

Filesize
6.8MB

Download
memory/4772-5-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/4772-8-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/4772-9-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/4772-10-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/4772-12-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4772-13-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/4772-14-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/4772-15-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download