Overview

Task scores
static (static analysis): 10
Binance.exe (windows10-2004-x64): 3
d3dcompiler_47.dll (windows10-2004-x64): 10
ffmpeg.dll (windows10-2004-x64): 1
locales/vk_swiftshader.dll (windows10-2004-x64): 1
locales/vulkan-1.dll (windows10-2004-x64): 1
resource/LICENSES.chromium.html (windows10-2004-x64): 1
resource/libEGL.dll (windows10-2004-x64): 3
resource/libGLESv2.dll (windows10-2004-x64): 1
Analysis
max time kernel: 75s
max time network: 86s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-07-2024 16:38
Tasks
static1 (static task)
behavioral1: Binance.exe, resource win10v2004-20240709-en
behavioral2: d3dcompiler_47.dll, resource win10v2004-20240704-en
behavioral3: ffmpeg.dll, resource win10v2004-20240709-en
behavioral4: locales/vk_swiftshader.dll, resource win10v2004-20240709-en
behavioral5: locales/vulkan-1.dll, resource win10v2004-20240709-en
behavioral6: resource/LICENSES.chromium.html, resource win10v2004-20240709-en
behavioral7: resource/libEGL.dll, resource win10v2004-20240709-en
behavioral8: resource/libGLESv2.dll, resource win10v2004-20240709-en
General
Target: Binance.exe
Size: 470KB
MD5: 1b54ae4ceffb558dfbe1f0acef0a1f66
SHA1: fb58101496693ed1e235f5a9aabbe54474383b83
SHA256: 90fd1c4de7f75213f1f37ecd7b4b8729e844f6e2874af5d7e55e69a04506bbaf
SHA512: d6482554ca5bb4e3c6ad8d1e79db4dd7df29ad64d426667a8d652f8891d6b218bfd934e9c9e57c71c6ba7756d23387b66d82498778787a53e15710762f08b0e1
SSDEEP: 6144:0Jep2sd6Eto9Eu9P/zpTH+McvYBgB5V5TtiAF4RpZdlyg4gCOWOc6vRom:0Jc24S95+neAV5xHs748HvRom
Malware Config
Signatures

Detect Poverty Stealer Payload (7 IoCs)
resource / yara_rule:
behavioral1/memory/4252-6-0x0000000000400000-0x000000000040A000-memory.dmp  family_povertystealer
behavioral1/memory/4252-8-0x0000000000400000-0x000000000040A000-memory.dmp  family_povertystealer
behavioral1/memory/4252-9-0x0000000000400000-0x000000000040A000-memory.dmp  family_povertystealer
behavioral1/memory/4252-10-0x0000000000400000-0x000000000040A000-memory.dmp  family_povertystealer
behavioral1/memory/4252-12-0x0000000000400000-0x000000000040A000-memory.dmp  family_povertystealer
behavioral1/memory/4252-14-0x0000000000400000-0x000000000040A000-memory.dmp  family_povertystealer
behavioral1/memory/4252-15-0x0000000000400000-0x000000000040A000-memory.dmp  family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, the web browser credential store.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar items.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow / ioc:
28  bitbucket.org
29  bitbucket.org

Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
PID 2492 set thread context of 4252  2492  Binance.exe  93

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Binance.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target:
PID 2492 wrote to memory of 4252  2492  Binance.exe  93  (9 identical entries)
Processes
- "C:\Users\Admin\AppData\Local\Temp\Binance.exe" (PID 2492)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (PID 4252, child of 2492)
    - System Location Discovery: System Language Discovery