Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 1310751
MD5: eeda5350767db40425db9c5f477f39f7
SHA1: 93614f3e1a9484df453f29c4c658ccdf3270841d
SHA256: 046edea2e16ee4e7e52c8a88294272ed2893adaf46e057e3f45d0efdef288c85
Tags: exe

Detection

Poverty Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Yara detected Poverty Stealer
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Snort IDS alert for network traffic
Query firmware table information (likely to detect VMs)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
AV process strings found (often used to terminate AV products)
Yara signature match
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers

Classification

  • System is w10x64
  • file.exe (PID: 6992 cmdline: C:\Users\user\Desktop\file.exe MD5: EEDA5350767DB40425DB9C5F477F39F7)
    • WerFault.exe (PID: 7104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 74572 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Malware configuration: {"C2 url": "69.46.15.167:2220"}

Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000000.00000002.372576838.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
00000000.00000003.350274075.00000000008C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
00000000.00000002.372668115.00000000008B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
00000000.00000002.372668115.00000000008B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.372688011.0000000000A00000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x6533:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
0.2.file.exe.8b0e67.1.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
0.3.file.exe.8c0000.0.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
0.2.file.exe.400000.0.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
0.2.file.exe.400000.0.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
0.3.file.exe.8c0000.0.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
No Sigma rule has matched

Snort IDS alert

Timestamp: 09/19/23-14:28:00.763272
Source IP: 192.168.2.3
Destination IP: 69.46.15.167
Source Port: 49710
Destination Port: 2220
SID: 2047066
Protocol: TCP
Classtype: A Network Trojan was detected


                  AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.8b0e67.1.unpack | Malware Configuration Extractor: Poverty Stealer {"C2 url": "69.46.15.167:2220"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | Virustotal: Detection: 45%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004033C0 CryptUnprotectData,CryptProtectData,0_2_004033C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B3627 CryptProtectData,0_2_008B3627

                  Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404EE0 FindFirstFileW,LoadLibraryA,0_2_00404EE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402F50 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00402F50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405D70 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00405D70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401710 FindFirstFileW,DeleteFileW,DeleteFileW,FindNextFileW,FindNextFileW,0_2_00401710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B5147 FindFirstFileW,0_2_008B5147

                  Networking
