MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 593da8058de6240831bec473089fc79462c74af2c99701ebc6a5da8ba1635dd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PovertyStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 18 File information Comments

SHA256 hash:	593da8058de6240831bec473089fc79462c74af2c99701ebc6a5da8ba1635dd3
SHA3-384 hash:	1b696d6732de7c16c411f0335082ad4d96f4f3f774e22f601489ed21c05e626791bd00faa81a685c9fed980e09d5409a
SHA1 hash:	e892506c5af85088ca8b35dd645fe19299a5d4cf
MD5 hash:	d6f7e3d35d83cdb0023f2dd7e45b081f
humanhash:	missouri-yankee-oven-low
File name:	Setup_Loader v2.1.exe
Download:	download sample
Signature	PovertyStealer Create hunting rule
File size:	15'308'801 bytes
First seen:	2023-09-13 10:52:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 36 x Vidar)
ssdeep	196608:FeuVE9sVAPRkLJkTtOI7zkMDkRS9GvSCL:auVxLJkTtOI7zkMDkRS98
Threatray	10 similar samples on MalwareBazaar
TLSH	T10DF617D0FDDB14F1E5034A3048A7A27F62301E098F29CAD7DA547F9AF8379E21932569
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	d08eb2b2b2b28ef0 (2 x RedLineStealer, 1 x PovertyStealer, 1 x RecordBreaker)
Reporter	JAMESWT_WT
Tags:	exe feel-easy-games PovertyStealer

Intelligence

File Origin

# of uploads :

# of downloads :

347

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Setup_Loader v2.1.exe

Verdict:

Malicious activity

Analysis date:

2023-09-13 10:53:13 UTC

Tags:

povertystealer stealer

Link:

https://app.any.run/tasks/4b07b506-17f3-47fb-9ef9-a6c5d31e7fe1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Lazy.391034.25922.27163.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Launching a process

Сreating synchronization primitives

Reading critical registry keys

Sending a custom TCP request

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade overlay packed warp

Link:

https://www.filescan.io/uploads/650194909bae8a37855523c0/reports/a5fc457b-7a39-429a-9b9e-b22ac1a9b1c1/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/593da8058de6240831bec473089fc79462c74af2c99701ebc6a5da8ba1635dd3

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a051bd1d-7e6a-4b4f-8063-b736f597a967

Result

Threat name:

Poverty Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1308241

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected Poverty Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/593da8058de6240831bec473089fc79462c74af2c99701ebc6a5da8ba1635dd3/

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2023-09-12 16:33:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 37 (45.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=le62qbmn4ysaqmn6yrzqrh6hsrrmosxszglqd26guxnixildlxjq._file

Verdict:

malicious

PovertyStealer

6967908608491cddb0fe97a2c550f204d61e32142556d78aa9ad4c24fd6ae376

PovertyStealer

79bcd1456826ac8e36a6a0caf78600609f2cdb7d4b991e63313bc5651dbc4e93

PovertyStealer

7eeabb966bb76b7feea6cf3963677d7634fba3c4b5ed2c10c541c40738ccc64f

PovertyStealer

d24cac5596825fe9f802f9aa40201452c16f40fea1b4c46b5a23423c13d7f180

PovertyStealer

d781b7b78acd5226e08ea048cd35d70b2b2344ef67c76fae2e9cf524940a472a

PovertyStealer

eaa4f4d4e90b308f6cda183dcaef8be9b8fa85404aa2635e8457d0a36bf7e46d

PovertyStealer

ec6d5a468da150d5210a8df2ffcec8163939a6f8a2c98ec5041aa3bf36c92452

PovertyStealer

f99f7b823ca1c734bd4d5c1f313f862a392fb8c45bc8aa7fbb873d1862f4e36f

PovertyStealer

fcd30e9418ee580b92c4c4632eac6b39538d5a0efba13235126f165bbc8f4d36

PovertyStealer

Result

Malware family:

povertystealer

Score:

10/10

Tags:

family:povertystealer stealer

Link:

https://tria.ge/reports/230913-myzajabd5w/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Detect Poverty Stealer Payload

Poverty Stealer

Unpacked files

SH256 hash:

689015c12680da9a9a079b4ad08af795fa29412f2637cbf043da70ff18bb6d4d

MD5 hash:

f55f2c788ce151615baab92c38cc003f

SHA1 hash:

c6f7915f3a9bcac485b6a2597ce61177666d47d0

Link:

https://www.unpac.me/results/5be3f512-2b2e-4570-b0e0-b0d8f7601f85/

SH256 hash:

593da8058de6240831bec473089fc79462c74af2c99701ebc6a5da8ba1635dd3

MD5 hash:

d6f7e3d35d83cdb0023f2dd7e45b081f

SHA1 hash:

e892506c5af85088ca8b35dd645fe19299a5d4cf

Link:

https://www.unpac.me/results/5be3f512-2b2e-4570-b0e0-b0d8f7601f85/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/593da8058de6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/593da8058de6240831bec473089fc79462c74af2c99701ebc6a5da8ba1635dd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_PovertyStealer Create hunting rule
Author:	ditekSHen
Description:	Detects PovertyStealer

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Warp Create hunting rule
Author:	Seth Hardy
Description:	Warp

Rule name:	WarpStrings Create hunting rule
Author:	Seth Hardy
Description:	Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample