povertystealer | 19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83

Analysis

max time kernel
140s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 03:06

Target

51a74c9b3c860a932aea37b77d55c3dc.exe
Size

14.4MB
MD5

51a74c9b3c860a932aea37b77d55c3dc
SHA1

e3cd015f08557d51eea53e4a38a97f647ae4778e
SHA256

19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83
SHA512

4797412f939bbb87650ecf76b1ac7171f5e7ded7b5905e533cb3a43ac9d05376000352a4c99201e6fe486ee8a16f72abf946e68b8748dd7df135ffa402d1f0b1
SSDEEP

49152:kz2yeHn4LzLdoW5fYrsfXPZLvhACVs4zXtjim8aJOyrwDX79spI8GFiAq9ajp8E/:3Hn4XiWfPZ1xptml7WYUEATH6Wlk

Score

10^/10

Detect Poverty Stealer Payload 6 IoCs

resource	yara_rule
behavioral2/memory/4040-4-0x00000000001B0000-0x00000000001BA000-memory.dmp	family_povertystealer
behavioral2/memory/4040-7-0x00000000001B0000-0x00000000001BA000-memory.dmp	family_povertystealer
behavioral2/memory/4040-8-0x00000000001B0000-0x00000000001BA000-memory.dmp	family_povertystealer
behavioral2/memory/4040-11-0x00000000001B0000-0x00000000001BA000-memory.dmp	family_povertystealer
behavioral2/memory/4040-9-0x00000000001B0000-0x00000000001BA000-memory.dmp	family_povertystealer
behavioral2/memory/4040-14-0x00000000001B0000-0x00000000001BA000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 4040	1996	51a74c9b3c860a932aea37b77d55c3dc.exe	93

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4040	1996	51a74c9b3c860a932aea37b77d55c3dc.exe	93
PID 1996 wrote to memory of 4040	1996	51a74c9b3c860a932aea37b77d55c3dc.exe	93
PID 1996 wrote to memory of 4040	1996	51a74c9b3c860a932aea37b77d55c3dc.exe	93
PID 1996 wrote to memory of 4040	1996	51a74c9b3c860a932aea37b77d55c3dc.exe	93
PID 1996 wrote to memory of 4040	1996	51a74c9b3c860a932aea37b77d55c3dc.exe	93

C:\Users\Admin\AppData\Local\Temp\51a74c9b3c860a932aea37b77d55c3dc.exe
"C:\Users\Admin\AppData\Local\Temp\51a74c9b3c860a932aea37b77d55c3dc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:4040

memory/1996-5-0x00007FF61E3A0000-0x00007FF61F297000-memory.dmp

Filesize
15.0MB

Download
memory/4040-4-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/4040-7-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/4040-8-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/4040-11-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/4040-9-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/4040-13-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/4040-14-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download