Windows
Analysis Report
file.exe
Overview
General Information
Detection
Poverty Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Yara detected Poverty Stealer
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Snort IDS alert for network traffic
Query firmware table information (likely to detect VMs)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
AV process strings found (often used to terminate AV products)
Yara signature match
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Classification
- System is w10x64
file.exe (PID: 6992 cmdline:
C:\Users\u ser\Deskto p\file.exe MD5: EEDA5350767DB40425DB9C5F477F39F7) WerFault.exe (PID: 7104 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 992 -s 745 72 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
{"C2 url": "69.46.15.167:2220"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | ||
Click to see the 1 entries |
⊘No Sigma rule has matched
Timestamp: | 192.168.2.369.46.15.1674971022202047066 09/19/23-14:28:00.763272 |
SID: | 2047066 |
Source Port: | 49710 |
Destination Port: | 2220 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_004033C0 | |
Source: | Code function: | 0_2_008B3627 |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | Code function: | 0_2_00404EE0 | |
Source: | Code function: | 0_2_00402F50 | |
Source: | Code function: | 0_2_00405D70 | |
Source: | Code function: | 0_2_00401710 | |
Source: | Code function: | 0_2_008B5147 |
Networking |
---|