poullight | bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d

General

Target

bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe
Size

100KB
MD5

87e5df4b2d1ad17687a506394018aeb8
SHA1

bfd775b8fc73d85f4127eaa4c3fb91123c5c78ff
SHA256

bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d
SHA512

b6c8d4f334d3dcee4b6380b332beb12574c35ac355211e2454dd1e91899d8de578804e1293239a5a5ca5d723b42ddf5455803dd292447f874fdde137934e65fa

Score

10^/10

poullight spyware stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1548 created 3984 1548 WerFault.exe bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe
suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1548 3984 WerFault.exe bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe

description	pid	process	target process
PID 1548 created 3984	1548	WerFault.exe	bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe

pid	pid_target	process	target process
1548	3984	WerFault.exe	bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exeWerFault.exe

pid	process
3984	bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe
3984	bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3984	bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe
Token: SeDebugPrivilege	1548	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe
"C:\Users\Admin\AppData\Local\Temp\bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3984 -s 1644
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3984-114-0x0000022768FF0000-0x0000022768FF1000-memory.dmp

Filesize
4KB

Download
memory/3984-116-0x000002276B5A0000-0x000002276B5A2000-memory.dmp

Filesize
8KB

Download
memory/3984-117-0x00000227693F0000-0x00000227693F1000-memory.dmp

Filesize
4KB

Download
memory/3984-118-0x000002276AC10000-0x000002276AC11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing