Windows
Analysis Report
file.exe
Overview
General Information
Detection
Field | Value |
---|---|
Detection | Poverty Stealer |
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Poverty Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- file.exe (PID: 1472, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 9C433A245D7737CA7FA17490E460F14E)
- conhost.exe (PID: 1220, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- file.exe (PID: 2172, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 9C433A245D7737CA7FA17490E460F14E)
- cleanup
{"C2 url": "185.244.212.106:2227"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | |
 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | |
 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | |
 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security | |
No Sigma rule has matched.
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-26T22:50:04.835240+0100 | 2048736 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 185.244.212.106 | 2227 | TCP |
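The extracted configuration and the Suricata alert above agree on a single C2 endpoint (185.244.212.106:2227, SID 2048736), and the process tree gives the sample's MD5 plus a second file.exe launched while the first is running, which is what the "creates a process in suspended mode" and "injects a PE file" signatures describe. The script below is an added example, not part of the Joe Sandbox report, that turns those indicators into a hunt over local telemetry: it parses the extractor's config string, flags conn.log-style flows to the C2 and outbound TCP flows to public addresses on non-standard ports, and checks process-creation records for the sample hash and for a process that is a copy of its parent image. All log lines are constructed; the parent PID 4020, the benign 443 flow, the 203.0.113.9:4444 flow, the parent-child link between PIDs 1472 and 2172, the STANDARD_PORTS set and the RFC1918 check are illustrative assumptions rather than data from the report.

```python
"""Turn the indicators in this report into a hunt over local telemetry.

Added example; not part of the Joe Sandbox report. Only the indicators
(file.exe MD5, the C2 endpoint from the extracted configuration, the
Suricata SID and the PIDs/images in the process tree) come from the report.
The log lines are constructed to resemble Zeek conn.log and an EDR export.
"""
import ipaddress
import json
from dataclasses import dataclass

# Indicators from the report.
SAMPLE_MD5 = "9C433A245D7737CA7FA17490E460F14E"
MALWARE_CONFIG = '{"C2 url": "185.244.212.106:2227"}'
SURICATA_SID = 2048736

# Assumption: ports on which an outbound beacon would blend in. Anything else
# to a public address is what the "traffic on non-standard ports" signature
# is about.
STANDARD_PORTS = {22, 25, 53, 80, 443, 587, 993, 995, 8080, 8443}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


def parse_c2(config_json: str) -> tuple[str, int]:
    """Split the extractor's "host:port" string into its parts."""
    host, _, port = json.loads(config_json)["C2 url"].rpartition(":")
    return host, int(port)


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


# Constructed conn.log-style lines: ts, orig_h, orig_p, resp_h, resp_p, proto.
# Line 1 mirrors the Suricata alert; lines 2-4 are made up.
CONN_LOG = (
    "1732657804.835\t192.168.2.5\t49706\t185.244.212.106\t2227\ttcp\n"
    "1732657810.001\t192.168.2.5\t49710\t198.51.100.20\t443\ttcp\n"
    "1732657812.120\t192.168.2.5\t49711\t203.0.113.9\t4444\ttcp\n"
    "1732657815.000\t192.168.2.5\t49712\t192.168.2.1\t53\tudp\n"
)

# Constructed process-creation lines: ts|pid|ppid|image|md5. PIDs, images and
# hashes mirror the report's process tree; the parent PID 4020 and the
# parent-child links are assumptions.
PROC_LOG = (
    "2024-11-26T22:50:01|1472|4020|C:\\Users\\user\\Desktop\\file.exe|9C433A245D7737CA7FA17490E460F14E\n"
    "2024-11-26T22:50:02|1220|1472|C:\\Windows\\system32\\conhost.exe|0D698AF330FD17BEE3BF90011D49251D\n"
    "2024-11-26T22:50:03|2172|1472|C:\\Users\\user\\Desktop\\file.exe|9C433A245D7737CA7FA17490E460F14E\n"
)


def scan_conn_log(text: str, c2_host: str, c2_port: int) -> list[Hit]:
    """Exact C2 match first; otherwise flag public-destination TCP on odd ports."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        _ts, _src, _sport, dst, dport, proto = line.split("\t")
        dport = int(dport)
        if dst == c2_host and dport == c2_port:
            hits.append(Hit(n, f"C2 endpoint {dst}:{dport} (Suricata SID {SURICATA_SID})", line))
        elif proto == "tcp" and not is_internal(dst) and dport not in STANDARD_PORTS:
            hits.append(Hit(n, f"outbound TCP to non-standard port {dport}", line))
    return hits


def scan_proc_log(text: str, bad_md5: str) -> list[Hit]:
    """Flag the known-bad hash and any process whose image equals its parent's."""
    rows = [line.split("|") for line in text.splitlines()]
    image_by_pid = {pid: image for _ts, pid, _ppid, image, _md5 in rows}
    hits = []
    for n, (_ts, pid, ppid, image, md5) in enumerate(rows, 1):
        if md5.upper() == bad_md5.upper():
            hits.append(Hit(n, f"image hash matches sample MD5 {bad_md5}", image))
        if image_by_pid.get(ppid, "").lower() == image.lower():
            hits.append(Hit(n, f"PID {pid} is a second copy of its parent PID {ppid}", image))
    return hits


if __name__ == "__main__":
    host, port = parse_c2(MALWARE_CONFIG)
    for hit in scan_conn_log(CONN_LOG, host, port) + scan_proc_log(PROC_LOG, SAMPLE_MD5):
        print(f"line {hit.line_no}: {hit.reason}")
```

The self-copy check is deliberately separate from the hash check: a hollowed or injected second instance keeps the same image path and hash, so the hash alone does not tell you that injection happened, while the parent/child image match does not depend on knowing the hash in advance.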
AV Detection
Source | Detail |
---|---|
Avira | |
Malware Configuration Extractor | |
Integrated Neural Analysis Model | |
Joe Sandbox ML | |

Further signature evidence
Source | Detail |
---|---|
Code function | 3_2_00401D21 |
Static PE information | |
Static PE information | |
Binary string | 23 entries |
Code function | 0_2_003B2CB9 |
Code function | 0_2_003B2D6A |
Code function | 3_2_003B2CB9 |
Code function | 3_2_003B2D6A |
Code function | 3_2_00401000 |
Code function | 3_2_00401DC9 |
Code function | 3_2_00404EB2 |
Code function | 3_2_00404145 |
Code function | 3_2_00403F87 |
File opened | 6 entries |
Networking
Source | Detail |
---|---|
Suricata IDS | 185.244.212.106:2227 TCP, SID 2048736 (see the Suricata table above) |