poullight | 83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382

General

Target

83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe
Size

515KB
MD5

f2d7ffe4f989d68b3a862072d5cc7149
SHA1

eb63becb7cc2bd74e785d65e7dedec2308e310a2
SHA256

83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382
SHA512

2967e2cfc4b759980a8a40ddd02eea0b815649f223fbdf15959b18b11adbfe0893afcdd391e83e807f9b378f15802738c3ab3223eef828253b47719f471b999f

Score

10^/10

poullight spyware stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe	family_poullight
behavioral2/memory/768-144-0x0000024EF9CC0000-0x0000024EF9CDE000-memory.dmp	family_poullight

Executes dropped EXE 2 IoCs

Processes:

DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exeDgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

pid process

4508 DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
768 DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

pid	process
4508	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
768	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exeWScript.exeDgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings	83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

pid process

768 DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
768 DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

description pid process

Token: SeDebugPrivilege 768 DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

pid	process
768	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
768	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

description	pid	process
Token: SeDebugPrivilege	768	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exeWScript.execmd.exeDgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe

description	pid	process	target process
PID 3376 wrote to memory of 3544	3376	83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe	WScript.exe
PID 3376 wrote to memory of 3544	3376	83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe	WScript.exe
PID 3376 wrote to memory of 3544	3376	83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe	WScript.exe
PID 3544 wrote to memory of 224	3544	WScript.exe	cmd.exe
PID 3544 wrote to memory of 224	3544	WScript.exe	cmd.exe
PID 3544 wrote to memory of 224	3544	WScript.exe	cmd.exe
PID 224 wrote to memory of 4508	224	cmd.exe	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
PID 224 wrote to memory of 4508	224	cmd.exe	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
PID 224 wrote to memory of 4508	224	cmd.exe	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
PID 4508 wrote to memory of 768	4508	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
PID 4508 wrote to memory of 768	4508	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe	DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe

C:\Users\Admin\AppData\Local\Temp\83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe
"C:\Users\Admin\AppData\Local\Temp\83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bat.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe -pDgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
"C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
Filesize
97KB

MD5
2995b91e9b88499e68ec3c861fe3b1b2

SHA1
81e1dd982bd944959f885abb60fbb7dd4ad32211

SHA256
9bbe54eb278a7a8478a6ecc8697f91ad043a08fd2f57e2c6a7ccc953ed10ea89

SHA512
174043125f88fe0fca588017e043b3c633ae721ba571fbacf3dceeef3646fe1ebbe66c2c84130029071d63621b8635381eb0e81cb8ee980f34c872e4a49cd904

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
Filesize
97KB

MD5
2995b91e9b88499e68ec3c861fe3b1b2

SHA1
81e1dd982bd944959f885abb60fbb7dd4ad32211

SHA256
9bbe54eb278a7a8478a6ecc8697f91ad043a08fd2f57e2c6a7ccc953ed10ea89

SHA512
174043125f88fe0fca588017e043b3c633ae721ba571fbacf3dceeef3646fe1ebbe66c2c84130029071d63621b8635381eb0e81cb8ee980f34c872e4a49cd904

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
Filesize
352KB

MD5
2d38acd7d80c3e914486f1da2ce52e7a

SHA1
cd78ff37776c98281f3c56a378076549b8bd1af0

SHA256
6e64814d39519a16009148bd5caad74a78bb39f0ea1c970891855831becc80c8

SHA512
b7b3af351694bca77a8be4590bd453677409e41341e491e88e9835024fd8e895ca2e9984d73ce1d31f66fb85f2ff06e5ee04678f7e16734487fdddb37aab9384

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
Filesize
352KB

MD5
2d38acd7d80c3e914486f1da2ce52e7a

SHA1
cd78ff37776c98281f3c56a378076549b8bd1af0

SHA256
6e64814d39519a16009148bd5caad74a78bb39f0ea1c970891855831becc80c8

SHA512
b7b3af351694bca77a8be4590bd453677409e41341e491e88e9835024fd8e895ca2e9984d73ce1d31f66fb85f2ff06e5ee04678f7e16734487fdddb37aab9384

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat
Filesize
117B

MD5
97a035592222ff797781b0c589e2bb29

SHA1
21017a378b177dfbee1c64a1bf68fbff4439efb8

SHA256
c5e074a63a9fb0872e4ed9b810a4d772c3ccd092dc9b8416dfcaf316a54161b2

SHA512
4fdae6bf743f8a7eac08f3cd09ff1cecae834aa13fe3faa446006d5cad4784e9a2ee386abb577b8f79a9fdac9b1debfb8a4fa5465032a043a7fafffdda59c0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
memory/224-136-0x0000000000000000-mapping.dmp

Download
memory/768-146-0x0000024EFA0E0000-0x0000024EFA0E2000-memory.dmp

Filesize
8KB

Download
memory/768-141-0x0000000000000000-mapping.dmp

Download
memory/768-144-0x0000024EF9CC0000-0x0000024EF9CDE000-memory.dmp

Filesize
120KB

Download
memory/768-145-0x00007FFA98980000-0x00007FFA99441000-memory.dmp

Filesize
10.8MB

Download
memory/768-147-0x0000024EFA0A0000-0x0000024EFA0AA000-memory.dmp

Filesize
40KB

Download
memory/768-148-0x0000024EFE880000-0x0000024EFEA42000-memory.dmp

Filesize
1.8MB

Download
memory/768-149-0x0000024EFEF80000-0x0000024EFF4A8000-memory.dmp

Filesize
5.2MB

Download
memory/768-150-0x0000024EFD890000-0x0000024EFD8A2000-memory.dmp

Filesize
72KB

Download
memory/3544-134-0x0000000000000000-mapping.dmp

Download
memory/4508-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads