povertystealer | 892535a44436246917c024c5ee1b88329f40a349e50b62ad418a6fb4f7455c2f

Analysis

max time kernel
48s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sansayrex.exe
Size

2.6MB
MD5

a25d399bfbb718f733d4113e44f33020
SHA1

1334d12a30e493d3a766462bccd81750b5268b9c
SHA256

892535a44436246917c024c5ee1b88329f40a349e50b62ad418a6fb4f7455c2f
SHA512

d3f19995ba0ca103b0f2973ea3b357e039c1bc66584c3028c462bfac9e443895de85fffc70ac2ada6e9fe95ecb613f0e4691f02f2d9cd237745710b5ab266cca
SSDEEP

49152:X45mFWH5uxSa7+iZhNCuyjANW8PPwcr6DNbX3NsN3RfD2VwciCkOAF:X45mUYy+6opWZXdWpu7NkOK

Score

10^/10

povertystealer discovery stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 5 IoCs

resource	yara_rule
behavioral2/memory/744-50-0x0000000000530000-0x000000000053A000-memory.dmp	family_povertystealer
behavioral2/memory/744-55-0x0000000000530000-0x000000000053A000-memory.dmp	family_povertystealer
behavioral2/memory/744-56-0x0000000000530000-0x000000000053A000-memory.dmp	family_povertystealer
behavioral2/memory/744-58-0x0000000000530000-0x000000000053A000-memory.dmp	family_povertystealer
behavioral2/memory/744-59-0x0000000000530000-0x000000000053A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	sansayrex.exe

Executes dropped EXE 6 IoCs

pid	Process
1644	7z.exe
4792	7z.exe
3760	7z.exe
2684	7z.exe
2732	7z.exe
1252	svchosts64.exe

Loads dropped DLL 5 IoCs

pid	Process
1644	7z.exe
4792	7z.exe
3760	7z.exe
2684	7z.exe
2732	7z.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1252 set thread context of 744	1252	svchosts64.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sansayrex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts64.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	1644	7z.exe
Token: 35	1644	7z.exe
Token: SeSecurityPrivilege	1644	7z.exe
Token: SeSecurityPrivilege	1644	7z.exe
Token: SeRestorePrivilege	4792	7z.exe
Token: 35	4792	7z.exe
Token: SeSecurityPrivilege	4792	7z.exe
Token: SeSecurityPrivilege	4792	7z.exe
Token: SeRestorePrivilege	3760	7z.exe
Token: 35	3760	7z.exe
Token: SeSecurityPrivilege	3760	7z.exe
Token: SeSecurityPrivilege	3760	7z.exe
Token: SeRestorePrivilege	2684	7z.exe
Token: 35	2684	7z.exe
Token: SeSecurityPrivilege	2684	7z.exe
Token: SeSecurityPrivilege	2684	7z.exe
Token: SeRestorePrivilege	2732	7z.exe
Token: 35	2732	7z.exe
Token: SeSecurityPrivilege	2732	7z.exe
Token: SeSecurityPrivilege	2732	7z.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1204	1748	sansayrex.exe	87
PID 1748 wrote to memory of 1204	1748	sansayrex.exe	87
PID 1204 wrote to memory of 3088	1204	cmd.exe	90
PID 1204 wrote to memory of 3088	1204	cmd.exe	90
PID 1204 wrote to memory of 1644	1204	cmd.exe	91
PID 1204 wrote to memory of 1644	1204	cmd.exe	91
PID 1204 wrote to memory of 4792	1204	cmd.exe	92
PID 1204 wrote to memory of 4792	1204	cmd.exe	92
PID 1204 wrote to memory of 3760	1204	cmd.exe	93
PID 1204 wrote to memory of 3760	1204	cmd.exe	93
PID 1204 wrote to memory of 2684	1204	cmd.exe	94
PID 1204 wrote to memory of 2684	1204	cmd.exe	94
PID 1204 wrote to memory of 2732	1204	cmd.exe	95
PID 1204 wrote to memory of 2732	1204	cmd.exe	95
PID 1204 wrote to memory of 1820	1204	cmd.exe	96
PID 1204 wrote to memory of 1820	1204	cmd.exe	96
PID 1204 wrote to memory of 1252	1204	cmd.exe	97
PID 1204 wrote to memory of 1252	1204	cmd.exe	97
PID 1204 wrote to memory of 1252	1204	cmd.exe	97
PID 1252 wrote to memory of 744	1252	svchosts64.exe	117
PID 1252 wrote to memory of 744	1252	svchosts64.exe	117
PID 1252 wrote to memory of 744	1252	svchosts64.exe	117
PID 1252 wrote to memory of 744	1252	svchosts64.exe	117
PID 1252 wrote to memory of 744	1252	svchosts64.exe	117

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1820	attrib.exe

C:\Users\Admin\AppData\Local\Temp\sansayrex.exe
"C:\Users\Admin\AppData\Local\Temp\sansayrex.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p1803731966274227689315228169 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\system32\attrib.exe
    attrib +H "svchosts64.exe"
    3⤵
    - Views/modifies file attributes
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
    "svchosts64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.3MB

MD5
7ec81b32f50f2f3be75fcdd71c770870

SHA1
19b57914116cc6ec81689a2278ace755ac1a791b

SHA256
59b61865020484143818596573bfde2f34120f0a2dd525d191f8a26d5ca3080c

SHA512
8bd18dd66fe486ab14c2ab37d8ab0bf211846353b0508452595a01bf11455291b602ce21418a6cd97b39ba2b65d62c819532add59be4de0c2bce6c3254c81602

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
101KB

MD5
17433c6e255de602f9c44d856024bf16

SHA1
2d896cb5c4ffe22e4e0afa9527a9d6e4e70b26f6

SHA256
7e8d58f95491f109f785663c9721617ff95d16e759701d66fa8d297a83ed8f48

SHA512
3ceaa6d2ac15f9efc81f18fa36213f3c50a29e5caa44fa130a94a575cadf723b2c726aa91851052d4a349438f8a20bf0e2734cce7cb1e28c95dc049122595dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
101KB

MD5
67109fde879af1ca9ef5e5d5d9a19f9a

SHA1
410cc3bf7c947edb1768975da32f84dcd9de5aa2

SHA256
2d026e24e9020251182e2e2b2ac3325b417352ed3b95beff416d2f1219b5b940

SHA512
d8e52c56c0eb278669e11acdb3829ec2b43d526bf0af64af7d949a703ef6357855af42512d54408ddb9526c4deb148060c9f110df90ffe2b76ce6a0f5012601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
101KB

MD5
fdec2403c7ad8bf740a2091b57f274e5

SHA1
e22542647169038d571241af64c9f71a3e5f5973

SHA256
b543750a8c4ba46d3c2d4d644b03229c3f1334074a0b8bf644030ae48e598fa6

SHA512
a13dbafdd44249bf23acc1ed9d7fbbab5b96399cad2a0a7ecd908f2e996632daac42f4d721621b67c05809f1bba44a5be20bad40d26134251de064cbdd92ed3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
1.7MB

MD5
fd00fa1f1c0192845e3c44cbd4d5bbab

SHA1
9e12b3cb87b1742ab44e75de1c57f9d213161a7b

SHA256
4ee135e34c3fb1fef1676edf7116ca0cb4a3d059cbff5777714fd553dfd594b7

SHA512
a152fd49a320f92d8cbb82badad16d98d9990fd1db9d13e9cdc075de1ac367414d1353e8d278954ae2c32d95fc81f0774b6ad79f88d5755488506747cb495c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.7MB

MD5
239b7b01a0a653b79e241112d31ad859

SHA1
c1a0be543bbe3dd686252a0193c33f43f80fad8f

SHA256
b295d6686aedf46611587ac06cbf214cf80dec59c05050a32d50d524bcf89963

SHA512
f42667f9be2ad592ba06361a12b89842d4717adcf93163304e5019ccdc2c53665fc9707f0652bab834c697f5827a1f0fd3275250f940833c12216900f9aca2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
479B

MD5
4ab2e0a497fed95a60c88c38490792e3

SHA1
bf384d79104af541bde5fdfa6f55ef689ba44f56

SHA256
28225a667c6a973d5cd2fb05ba2b0c9c3d258d5b9cde93bcae42fb826f959486

SHA512
d5af5132eddce82ee657c0e52386f0f44f6c99083605311a017b15ac1feaa9c239c30613a5224540c222fc7c4cff21eb9c1ae0ee18be3557bf6205beaabbfe2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe

Filesize
199KB

MD5
66cad6cec7c006160d7ee00e68d3e613

SHA1
214d38110bd8dd537f065c14d9edb1d516b215aa

SHA256
52409566790c9ce35688f0fb96596a1d62912733618ddc1a4467c58d901fc760

SHA512
a2a6c47816943641f968579bc40402f6542b44b19f81a9ed736a096d3322e274454e458da9698f13b58ac18463a6f2b7591413924239b40f11952a3c5e0ee836

Download Submit
memory/744-50-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/744-55-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/744-56-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/744-58-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/744-59-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download