povertystealer | 19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 07:30

Target

19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe
Size

14.4MB
MD5

51a74c9b3c860a932aea37b77d55c3dc
SHA1

e3cd015f08557d51eea53e4a38a97f647ae4778e
SHA256

19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83
SHA512

4797412f939bbb87650ecf76b1ac7171f5e7ded7b5905e533cb3a43ac9d05376000352a4c99201e6fe486ee8a16f72abf946e68b8748dd7df135ffa402d1f0b1
SSDEEP

49152:kz2yeHn4LzLdoW5fYrsfXPZLvhACVs4zXtjim8aJOyrwDX79spI8GFiAq9ajp8E/:3Hn4XiWfPZ1xptml7WYUEATH6Wlk

Score

10^/10

Detect Poverty Stealer Payload 6 IoCs

resource	yara_rule
behavioral2/memory/2752-5-0x0000000000BF0000-0x0000000000BFA000-memory.dmp	family_povertystealer
behavioral2/memory/2752-8-0x0000000000BF0000-0x0000000000BFA000-memory.dmp	family_povertystealer
behavioral2/memory/2752-9-0x0000000000BF0000-0x0000000000BFA000-memory.dmp	family_povertystealer
behavioral2/memory/2752-10-0x0000000000BF0000-0x0000000000BFA000-memory.dmp	family_povertystealer
behavioral2/memory/2752-12-0x0000000000BF0000-0x0000000000BFA000-memory.dmp	family_povertystealer
behavioral2/memory/2752-15-0x0000000000BF0000-0x0000000000BFA000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2752	2632	19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe	87

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2752	2632	19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe	87
PID 2632 wrote to memory of 2752	2632	19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe	87
PID 2632 wrote to memory of 2752	2632	19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe	87
PID 2632 wrote to memory of 2752	2632	19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe	87
PID 2632 wrote to memory of 2752	2632	19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe	87

C:\Users\Admin\AppData\Local\Temp\19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe
"C:\Users\Admin\AppData\Local\Temp\19f9b64a4f4da1175928c66979e73379ea41fb3a9c6f1d795f615eecf357bf83.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:2752

memory/2632-4-0x00007FF7C2510000-0x00007FF7C3407000-memory.dmp

Filesize
15.0MB

Download
memory/2632-6-0x00007FF7C2510000-0x00007FF7C3407000-memory.dmp

Filesize
15.0MB

Download
memory/2752-5-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2752-8-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2752-9-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2752-10-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2752-12-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2752-14-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2752-15-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download