Malware Analyzing Series Blog 02
Blog02: Metatrader.exe
note: sorry I couldn’t continue with part 2 of Blog01; if I want to keep playing around with that malware I have to set up a domain and then analyze how the C2 works, but sadly I was kind of busy that week so I couldn’t investigate more. So to make it up to y’all I decided to log on to MalwareBazaar, and while I was on there I found a very interesting one, so this is that one. Hope you like it; it’s a bit short so… I’m sorry :<
Ravi, Mar 10, 2025, 10:23PM GMT+7
By opening the PE file in IDA and analyzing and renaming some of the functions, we can clearly tell what this malware is.
Cookie stealer function:
Get Information Functions
After gathering all the data it needs, the 2nd phase begins: it recursively enumerates every program file on your computer.
10:09:19.1047407 PM metatrader.exe 7324 Process Start SUCCESS Parent PID: 6500, Command line: "C:\Users\Raviel\Desktop\194247b2d4724928446b4cdea53167be6cf0ebd60858ca0c2d4bdc6cdb5a4c54\metatrader.exe" , Current directory: C:\Users\Raviel\Desktop\194247b2d4724928446b4cdea53167be6cf0ebd60858ca0c2d4bdc6cdb5a4c54\, Environment:
=::=::\
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Raviel\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP-Q1QOHS1
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\Raviel
LOCALAPPDATA=C:\Users\Raviel\AppData\Local
LOGONSERVER=\\DESKTOP-Q1QOHS1
NUMBER_OF_PROCESSORS=2
OneDrive=C:\Users\Raviel\OneDrive
OS=Windows_NT
Path=C:\Program Files\Common Files\Oracle\Java\javapath;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\Raviel\AppData\Local\Programs\Python\Python312;C:\Users\Raviel\AppData\Local\Programs\Python\Python312\Scripts;C:\Users\Raviel\AppData\Local\Programs\Python\Python311\Scripts\;C:\Users\Raviel\AppData\Local\Programs\Python\Python311\;C:\Users\Raviel\AppData\Local\Programs\Python\Python312\Scripts\;C:\Users\Raviel\AppData\Local\Programs\Python\Python312\;C:\Users\Raviel\AppData\Local\Microsoft\WindowsApps;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 140 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=8c01
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Raviel\AppData\Local\Temp
TMP=C:\Users\Raviel\AppData\Local\Temp
USERDOMAIN=DESKTOP-Q1QOHS1
USERDOMAIN_ROAMINGPROFILE=DESKTOP-Q1QOHS1
USERNAME=Raviel
USERPROFILE=C:\Users\Raviel
windir=C:\Windows 1168 C:\Users\Raviel\Desktop\194247b2d4724928446b4cdea53167be6cf0ebd60858ca0c2d4bdc6cdb5a4c54\metatrader.exe
Then it sends the data to the receiver server; luckily the IP address of that server is hard-coded inside the malware.
Family name
While searching around the PE, I actually found this string, which gives away its own family:
Poverty is the parent of crime. This is the string that determines its own family name -> PovertyStealer
Connection
So the main question now is how it sends the data to the hard-coded IP & port (185.244.212.106:2227).
So at this part I started debugging a little bit to understand how the malware runs, and after jumping into the function where it starts connecting to the server, I found something quite interesting.
It uses “Winsock 2.0”, calling the “connect()” function to connect to the hard-coded IP and port, and it will loop infinitely if it can’t connect to the server. To continue from this part we need to set up a fake server to receive the data that the stealer sends, so I have my Kali Linux set up as a fake endpoint receiver.
Extracting the PKZIP archive from the received data and opening it up, we get the following information:
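As an added example (not the author's own tooling, and not something the original post contains), here is a minimal fake endpoint receiver of the kind described above, written in Python with only the standard library: it listens on a loopback port, captures whatever a connecting client sends until the peer closes, and carves the PKZIP archive out of the captured stream by locating the local file header (PK\x03\x04) and the end of central directory record (PK\x05\x06). Everything here is an assumption for illustration: the listen address is 127.0.0.1 on a free port rather than the sample's real 185.244.212.106:2227, and the "captured" stream is constructed inline (a made-up framing prefix followed by a small zip), so nothing is ever sent to the real C2.

```python
import io
import socket
import threading
import zipfile
from typing import List, Optional, Tuple

# Assumption: the fake receiver only ever binds loopback on the analysis box.
LISTEN_HOST = "127.0.0.1"

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # PKZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"          # PKZIP end of central directory signature


def carve_zip(blob: bytes) -> Optional[bytes]:
    """Return the PKZIP archive embedded in a captured byte stream, or None.

    A stealer may wrap the archive in its own framing, so we cut from the first
    local file header to the end of the last EOCD record (22 fixed bytes plus the
    archive comment length stored at EOCD offset 20), then validate with zipfile.
    """
    start = blob.find(ZIP_LOCAL_HEADER)
    if start < 0:
        return None
    eocd = blob.rfind(ZIP_EOCD)
    if eocd < start or len(blob) < eocd + 22:
        return None
    comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
    candidate = blob[start:eocd + 22 + comment_len]
    try:
        with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
            if zf.testzip() is not None:  # a member failed its CRC check
                return None
    except zipfile.BadZipFile:
        return None
    return candidate


def list_exfil(archive: bytes) -> dict:
    """Map every member name in the carved archive to its content bytes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def receive_once(port: int, ready: Optional[threading.Event] = None,
                 timeout: float = 10.0) -> bytes:
    """Accept one connection on LISTEN_HOST:port and read until the peer closes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((LISTEN_HOST, port))
        srv.listen(1)
        if ready is not None:
            ready.set()  # signal that the listener is bound and accepting
        srv.settimeout(timeout)
        conn, _peer = srv.accept()
        chunks: List[bytes] = []
        with conn:
            conn.settimeout(timeout)
            while True:
                data = conn.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def capture_in_background(port: int) -> Tuple[threading.Thread, threading.Event, List[bytes]]:
    """Run receive_once() on a daemon thread; the captured bytes land in the list."""
    ready = threading.Event()
    result: List[bytes] = []
    thread = threading.Thread(target=lambda: result.append(receive_once(port, ready)), daemon=True)
    thread.start()
    return thread, ready, result


def send_to_receiver(port: int, payload: bytes) -> None:
    """Stand-in for the stealer's upload: connect, send the blob, close."""
    with socket.create_connection((LISTEN_HOST, port)) as client:
        client.sendall(payload)


def free_port() -> int:
    """Ask the OS for an unused loopback port (assumption: tests pick any free port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind((LISTEN_HOST, 0))
        return probe.getsockname()[1]


def build_sample_stream() -> bytes:
    """Constructed stand-in for a captured upload: fake framing bytes, then a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("info.txt", "constructed victim info")
        zf.writestr("cookies.txt", "constructed cookie data")
    return b"\x00\x01constructed-framing\x00" + buf.getvalue()


if __name__ == "__main__":
    port = free_port()
    thread, ready, result = capture_in_background(port)
    ready.wait(5)
    send_to_receiver(port, build_sample_stream())
    thread.join(10)
    archive = carve_zip(result[0])
    for name, content in list_exfil(archive).items():
        print(f"{name}: {len(content)} bytes")
```

On a real analysis box you would point the sample at the listener (for example via a hosts/DNS override or a NAT rule on the isolated network) instead of calling send_to_receiver(), and write the carved archive to disk for inspection; the carver is deliberately strict, returning None unless zipfile can parse the central directory and every member passes its CRC, so a truncated upload is reported rather than silently half-extracted.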
POC:
PovertyStealer
185[.]244[.]212[.]106
Sample:
194247b2d4724928446b4cdea53167be6cf0ebd60858ca0c2d4bdc6cdb5a4c54 (Metatrader.exe)
Thank you for reading till this point; it’s my honor to have y’all as my readers. Thanks also to my friends who have been sticking around every night when I livestream reversing and analyzing: thanks Sol, Deit, Sinido and Table.
Simple guy who in fond of white/silver hair girl also DFIR and RE