
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1563392
MD5: 9c433a245d7737ca7fa17490e460f14e
SHA1: 31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9
SHA256: 0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7
Tags: exe, user-Bitsight

Detection

Poverty Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Poverty Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9C433A245D7737CA7FA17490E460F14E)
    • conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • file.exe (PID: 2172 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9C433A245D7737CA7FA17490E460F14E)
  • cleanup
{"C2 url": "185.244.212.106:2227"}
Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
00000000.00000002.2015603073.000000000026E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
Process Memory Space: file.exe PID: 1472 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
Process Memory Space: file.exe PID: 2172 | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
0.2.file.exe.299de8.0.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
3.2.file.exe.400000.1.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
3.2.file.exe.400000.1.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
0.2.file.exe.299de8.0.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
                  No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T22:50:04.835240+0100 | 2048736 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 185.244.212.106 | 2227 | TCP
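The process tree, the extracted configuration and the Suricata row above describe one behaviour chain: file.exe (PID 1472) launched from the user's Desktop starts a second copy of itself (PID 2172), and that copy connects to 185.244.212.106:2227. The Python below, added here as an example and not part of the Joe Sandbox report, turns that chain into a hunt over Sysmon-style telemetry: it matches the report's hashes, flags a user-writable EXE spawning its own image, and flags connections to the configured C2 (or to an odd port from such a process). The JSON lines are constructed to mirror the report; the parent PID 3308, the chrome.exe control process and the 203.0.113.10 destination are made up.

```python
r"""Hunt for this report's behaviour chain in Sysmon-style telemetry.

Added example, not code from the Joe Sandbox report. The events below are
constructed to mirror the report's process tree (PIDs 1472, 1220, 2172) and
its Suricata alert; PID 3308, the chrome.exe process and 203.0.113.10 are
made-up control data.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

# Indicators taken from the report (Analysis ID 1563392)
SAMPLE_HASHES = {
    "md5": "9c433a245d7737ca7fa17490e460f14e",
    "sha1": "31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9",
    "sha256": "0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7",
}
C2_IP, C2_PORT = "185.244.212.106", 2227
COMMON_PORTS = {80, 443, 53, 8080, 8443}
# EXE started from a location an ordinary user can write to
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata|documents)\\", re.I)

# Constructed Sysmon-like events: EventID 1 = ProcessCreate, 3 = NetworkConnect
EVENTS_JSONL = r"""
{"EventID": 1, "ProcessId": 1472, "Image": "C:\\Users\\user\\Desktop\\file.exe", "ParentProcessId": 3308, "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": "MD5=9C433A245D7737CA7FA17490E460F14E,SHA256=0B6604D2E6086F7322C634AB925BDC381FE720A2A12F254E5B63B42F89B680F7"}
{"EventID": 1, "ProcessId": 1220, "Image": "C:\\Windows\\System32\\conhost.exe", "ParentProcessId": 1472, "ParentImage": "C:\\Users\\user\\Desktop\\file.exe", "Hashes": "MD5=0D698AF330FD17BEE3BF90011D49251D"}
{"EventID": 1, "ProcessId": 2172, "Image": "C:\\Users\\user\\Desktop\\file.exe", "ParentProcessId": 1472, "ParentImage": "C:\\Users\\user\\Desktop\\file.exe", "Hashes": "MD5=9C433A245D7737CA7FA17490E460F14E,SHA256=0B6604D2E6086F7322C634AB925BDC381FE720A2A12F254E5B63B42F89B680F7"}
{"EventID": 1, "ProcessId": 4100, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentProcessId": 3308, "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": "MD5=00000000000000000000000000000000"}
{"EventID": 3, "ProcessId": 2172, "Image": "C:\\Users\\user\\Desktop\\file.exe", "Protocol": "tcp", "SourceIp": "192.168.2.5", "SourcePort": 49706, "DestinationIp": "185.244.212.106", "DestinationPort": 2227}
{"EventID": 3, "ProcessId": 4100, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Protocol": "tcp", "SourceIp": "192.168.2.5", "SourcePort": 49710, "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""


def load_events(jsonl: str) -> List[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon 'Hashes' field: 'MD5=..,SHA256=..' -> {'md5': '..', 'sha256': '..'}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def hunt(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: sorted reasons} for every process that trips a rule."""
    findings: Dict[int, Set[str]] = defaultdict(set)
    self_spawned: Set[int] = set()
    for ev in events:                                   # pass 1: process creates
        if ev["EventID"] != 1:
            continue
        pid, image = ev["ProcessId"], ev["Image"]
        hashes = parse_hashes(ev.get("Hashes", ""))
        if any(hashes.get(algo) == digest for algo, digest in SAMPLE_HASHES.items()):
            findings[pid].add("known_hash")
        # Hollowing candidate: a user-writable EXE spawns a copy of itself
        # (report: PID 1472 -> PID 2172, same image, same MD5)
        if image.lower() == ev["ParentImage"].lower() and USER_WRITABLE.match(image):
            findings[pid].add("self_spawn")
            self_spawned.add(pid)
    for ev in events:                                   # pass 2: network connects
        if ev["EventID"] != 3 or ev.get("Protocol") != "tcp":
            continue
        pid = ev["ProcessId"]
        dst_ip, dst_port = ev["DestinationIp"], int(ev["DestinationPort"])
        if (dst_ip, dst_port) == (C2_IP, C2_PORT):
            findings[pid].add("c2_connect")             # exact IOC from the config
        elif pid in self_spawned and dst_port not in COMMON_PORTS:
            findings[pid].add("odd_port_from_self_spawned")   # behavioural fallback
    return {pid: sorted(reasons) for pid, reasons in findings.items()}


if __name__ == "__main__":
    for pid, reasons in hunt(load_events(EVENTS_JSONL)).items():
        print(pid, ", ".join(reasons))
```

The hash rule is the brittle part: it catches this exact build only, while the self-spawn and C2 rules survive a repack. The behavioural fallback on odd ports is deliberately gated on the self-spawn finding, otherwise it would fire on every non-standard-port client on the host.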


                  AV Detection

Source: file.exe | Avira: detected
Source: 3.2.file.exe.400000.1.raw.unpack | Malware Configuration Extractor: Poverty Stealer {"C2 url": "185.244.212.106:2227"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.4% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00401D21 CryptUnprotectData,CryptProtectData
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
                  Source: Binary string: ntkrnlmp.pdbOc source: file.exe, 00000003.00000002.2148083936.000000000A98C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb/ source: file.exe, 00000003.00000002.2138518387.000000000A19F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb"?^ source: file.exe, 00000003.00000002.2157022064.000000000B232000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb1 source: file.exe, 00000003.00000002.2253873303.000000000F0A4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb( source: file.exe, 00000003.00000002.2138518387.000000000A19F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: file.exe, 00000003.00000002.2192045605.000000000CCD8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2192045605.000000000CCE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2205178427.000000000D62B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2131509698.0000000009ADA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2179146915.000000000C405000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2253873303.000000000F0A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2167304501.000000000BB30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2127622104.00000000095A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2138518387.000000000A19F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb& source: file.exe, 00000003.00000002.2220603331.000000000DEF3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb%![ source: file.exe, 00000003.00000002.2157022064.000000000B232000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbMo{ source: file.exe, 00000003.00000002.2148083936.000000000A98C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdbx source: file.exe, 00000003.00000002.2192045605.000000000CCD8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2220044017.000000000DED3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2148083936.000000000A98C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2205178427.000000000D62B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2131509698.0000000009ADA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2179146915.000000000C405000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2236350550.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2253873303.000000000F0A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2167304501.000000000BB30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2128471220.000000000972C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2127622104.00000000095A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2138518387.000000000A19F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2157022064.000000000B232000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb source: file.exe, 00000003.00000002.2192045605.000000000CCE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2236350550.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdbI'" source: file.exe, 00000003.00000002.2167304501.000000000BB30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb") source: file.exe, 00000003.00000002.2128471220.000000000972C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb&% source: file.exe, 00000003.00000002.2205178427.000000000D62B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb! source: file.exe, 00000003.00000002.2220603331.000000000DEF3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb%' source: file.exe, 00000003.00000002.2205178427.000000000D62B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb$#T source: file.exe, 00000003.00000002.2157022064.000000000B232000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb,S source: file.exe, 00000003.00000002.2179146915.000000000C405000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbH!# source: file.exe, 00000003.00000002.2167304501.000000000BB30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbI source: file.exe, 00000003.00000002.2220044017.000000000DED3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2236350550.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbHa source: file.exe, 00000003.00000002.2148083936.000000000A98C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb0 source: file.exe, 00000003.00000002.2253873303.000000000F0A4000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbM source: file.exe, 00000003.00000002.2236350550.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B2CB9 FindFirstFileExW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B2D6A FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_003B2CB9 FindFirstFileExW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_003B2D6A FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00401000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00401DC9 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00404EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00404145 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00403F87 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies
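The six "File opened" lines above target the same Cookies file at depths 0 to 5 of Application Data. On Windows, C:\Users\<user>\AppData\Local\Application Data is a legacy junction that points back to AppData\Local, so a file crawler that treats it as an ordinary directory re-enters Local from inside itself and builds ever-longer paths; the repeated pattern is consistent with the FindFirstFileW/FindNextFileW routines listed in the code-function lines. The Python below is an added example, not code from the report: it re-creates the loop offline with a symlink in a temporary directory standing in for the junction, and puts a reparse-point-aware walker beside the naive one. The directory layout in the fixture is constructed; only the junction name and the Adobe\AcroCef\...\Cookies path come from the report.

```python
r"""Re-create the junction loop behind the report's six 'File opened' lines.

On Windows, C:\Users\<user>\AppData\Local\Application Data is a legacy junction
pointing back to C:\Users\<user>\AppData\Local. A crawler that recurses into it
walks Local again from inside itself, producing paths like
...\Application Data\Application Data\...\Adobe\...\Cookies of growing depth.
Added example, not code from the report: a symlink in a temporary directory
(constructed fixture) stands in for the junction so this runs offline anywhere.
"""
import os
import shutil
import tempfile
from typing import Dict, List, Set, Tuple

LOOP_NAME = "Application Data"   # junction name taken from the report's paths


def build_fixture() -> str:
    """Constructed layout: <tmp>/Local/Adobe/.../Network/Cookies plus
    <tmp>/Local/Application Data -> <tmp>/Local. Returns the 'Local' path."""
    root = tempfile.mkdtemp(prefix="junction-loop-")
    local = os.path.join(root, "Local")
    network = os.path.join(local, "Adobe", "AcroCef", "DC", "Acrobat", "Cache", "Network")
    os.makedirs(network)
    with open(os.path.join(network, "Cookies"), "wb") as fh:
        fh.write(b"constructed cookie store\n")
    os.symlink(local, os.path.join(local, LOOP_NAME))  # the self-referencing link
    return local


def naive_walk(path: str, max_depth: int, depth: int = 0) -> List[str]:
    """Mimics the stealer's crawler: recurses into every directory entry,
    reparse points included. max_depth stands in for the point where the
    path grows too long (the report shows five repetitions before it stops)."""
    found: List[str] = []
    if depth > max_depth:
        return found
    for entry in os.scandir(path):
        if entry.is_dir():                     # default follow_symlinks=True
            found.append(entry.path)
            found.extend(naive_walk(entry.path, max_depth, depth + 1))
        elif entry.name == "Cookies":
            found.append(entry.path)
    return found


def safe_walk(path: str) -> List[str]:
    """Reparse-point-aware crawler: never enters a symlink/junction and refuses
    to revisit a directory whose (st_dev, st_ino) identity was already seen.
    On Windows with Python 3.12+ also test os.path.isjunction(entry.path)."""
    seen: Set[Tuple[int, int]] = set()
    found: List[str] = []

    def walk(p: str) -> None:
        st = os.stat(p)
        key = (st.st_dev, st.st_ino)
        if key in seen:
            return
        seen.add(key)
        for entry in os.scandir(p):
            if entry.is_symlink():
                continue
            if entry.is_dir(follow_symlinks=False):
                found.append(entry.path)
                walk(entry.path)
            elif entry.name == "Cookies":
                found.append(entry.path)

    walk(path)
    return found


def loop_depth(paths: List[str]) -> int:
    """Largest number of times the junction name occurs in a single path."""
    return max((p.count(LOOP_NAME) for p in paths), default=0)


def demo(max_depth: int = 8) -> Dict[str, int]:
    """Run both crawlers over the fixture and summarise; removes the fixture."""
    local = build_fixture()
    try:
        naive = naive_walk(local, max_depth)
        safe = safe_walk(local)
    finally:
        shutil.rmtree(os.path.dirname(local))
    return {
        "naive_entries": len(naive),
        "naive_loop_depth": loop_depth(naive),
        "safe_entries": len(safe),
        "safe_loop_depth": loop_depth(safe),
    }


if __name__ == "__main__":
    print(demo())
```

For detection, the same repeated-junction pattern in file-access telemetry (any path containing Application Data more than once under AppData\Local) is a cheap, low-noise indicator of a naive recursive crawler, since well-behaved software checks FILE_ATTRIBUTE_REPARSE_POINT before descending.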

                  Networking

Source: Network traffic | Suricata IDS: 2048736 - Severity 1 - ET MALWARE LUMAR Stealer Exfiltration M2 : 192.168.2.5:49706 -> 185.244.212.1