Overview

overview

10

Static

static

e2dab2f3fd...6c.exe

windows7_x64

10

e2dab2f3fd...6c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 04:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe

  • Size

    169KB

  • MD5

    a77881f2e21529033b3aac22a0048812

  • SHA1

    f33e435c3eeae4e085d66cddf35b3974b534b237

  • SHA256

    e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c

  • SHA512

    d8448319f4f8579279055eaff010c5551f34eb9c44b563b366f0ac1f56007838651df02a83b42b3f9b2860a844750905f909633364d6b15c99785b233909f8a4

Score
10/10
metastealerpoullightstealertrojan

Malware Config

Signatures

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • Poullight

    Poullight is an information stealer first seen in March 2020.

    trojanstealerpoullight
  • Poullight Stealer Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe
    "C:\Users\Admin\AppData\Local\Temp\e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:2424
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1068-139-0x00000000052C0000-0x00000000052CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1068-136-0x0000000004DC0000-0x0000000004E52000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1068-143-0x0000000006F70000-0x0000000006F82000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1068-142-0x00000000076E0000-0x0000000007C0C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1068-134-0x0000000000000000-mapping.dmp
      Download
    • memory/1068-135-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1068-141-0x0000000006FE0000-0x00000000071A2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1068-137-0x0000000004DB0000-0x0000000004DBA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1068-140-0x0000000004D20000-0x00000000052C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1068-138-0x0000000004FD0000-0x0000000005036000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2424-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3084-130-0x0000000000120000-0x0000000000150000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3084-131-0x0000000004C30000-0x0000000004CCC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3084-132-0x0000000005280000-0x0000000005824000-memory.dmp
      Filesize

      5.6MB

      Download