Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    16/08/2024, 12:01 UTC

General

  • Target

    33dc6f89d505ad4b2df91ba98bff96bb2767e12eac2ba716246615c83dffbde5.exe

  • Size

    38KB

  • MD5

    034760de34699714e37a1b98c845b750

  • SHA1

    8bdf05b7d765a84d2bc99623cc8a12532250a7f5

  • SHA256

    33dc6f89d505ad4b2df91ba98bff96bb2767e12eac2ba716246615c83dffbde5

  • SHA512

    e26a5a7dc98c0549317a144b926f2b81f15b62e51dd38c28337d1be8f1b2f9f461660186676e4ab1b398f56c24db7d6a17eebb734664ffc4177d8ac433815d98

  • SSDEEP

    768:cYaeF8BSuQHSr6bISm1tD8KOdhlx5uAIbKNNXq20y8iD:RxTuglISatD8FDlx5u5aNX18O

Malware Config

Signatures

  • Detect Poverty Stealer Payload (7 IoCs)
  • Poverty Stealer

    Poverty Stealer is a crypto and infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers (1 TTP)

    Malicious access to, or copying of, the web browser credential store.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\33dc6f89d505ad4b2df91ba98bff96bb2767e12eac2ba716246615c83dffbde5.exe
    "C:\Users\Admin\AppData\Local\Temp\33dc6f89d505ad4b2df91ba98bff96bb2767e12eac2ba716246615c83dffbde5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5348
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2612

Network

  • DNS (US): 106.212.244.185.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 106.212.244.185.in-addr.arpa IN PTR
    Response: 106.212.244.185.in-addr.arpa IN PTR no-mans-land.m247.com
  • DNS (US): 106.212.244.185.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 106.212.244.185.in-addr.arpa IN PTR
  • DNS (US): 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS (US): nexusrules.officeapps.live.com
    Remote address: 8.8.8.8:53
    Request: nexusrules.officeapps.live.com IN A
    Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
              prod.nexusrules.live.com.akadns.net IN A 52.111.236.23
  • DNS (US): self.events.data.microsoft.com
    Remote address: 8.8.8.8:53
    Request: self.events.data.microsoft.com IN A
    Response: self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net
              self-events-data.trafficmanager.net IN CNAME onedscolprdaus01.australiasoutheast.cloudapp.azure.com
              onedscolprdaus01.australiasoutheast.cloudapp.azure.com IN A 104.46.162.225
  • 185.244.212.106:2227
    Process: RegAsm.exe
    Sent: 832.8kB
    Received: 16.0kB
    Packets sent: 601
    Packets received: 390
  • 8.8.8.8:53 (dns)
    Name: 106.212.244.185.in-addr.arpa
    Sent: 148 B
    Received: 109 B
    Packets sent: 2
    Packets received: 1
    DNS Request: 106.212.244.185.in-addr.arpa
    DNS Request: 106.212.244.185.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 8.8.8.8.in-addr.arpa
    Sent: 218 B
    Received: 437 B
    Packets sent: 3
    Packets received: 3
    DNS Request: 8.8.8.8.in-addr.arpa
    DNS Request: nexusrules.officeapps.live.com
    DNS Response: 52.111.236.23
    DNS Request: self.events.data.microsoft.com
    DNS Response: 104.46.162.225

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2612-4-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2612-8-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2612-10-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2612-11-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2612-13-0x0000000000960000-0x0000000000961000-memory.dmp

    Filesize

    4KB

  • memory/2612-14-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2612-15-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2612-16-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/5348-0-0x000000007487E000-0x000000007487F000-memory.dmp

    Filesize

    4KB

  • memory/5348-1-0x0000000000550000-0x0000000000560000-memory.dmp

    Filesize

    64KB

  • memory/5348-9-0x0000000074870000-0x0000000075021000-memory.dmp

    Filesize

    7.7MB

  • memory/5348-17-0x0000000074870000-0x0000000075021000-memory.dmp

    Filesize

    7.7MB
