metastealer | e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c

General

Target

e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe
Size

169KB
MD5

a77881f2e21529033b3aac22a0048812
SHA1

f33e435c3eeae4e085d66cddf35b3974b534b237
SHA256

e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c
SHA512

d8448319f4f8579279055eaff010c5551f34eb9c44b563b366f0ac1f56007838651df02a83b42b3f9b2860a844750905f909633364d6b15c99785b233909f8a4

Score

10^/10

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1068-135-0x0000000000400000-0x0000000000420000-memory.dmp	family_poullight

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3084 set thread context of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe
3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe
1068	AppLaunch.exe
1068	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe
Token: SeDebugPrivilege	1068	AppLaunch.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 2424	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	77
PID 3084 wrote to memory of 2424	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	77
PID 3084 wrote to memory of 2424	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	77
PID 3084 wrote to memory of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78
PID 3084 wrote to memory of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78
PID 3084 wrote to memory of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78
PID 3084 wrote to memory of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78
PID 3084 wrote to memory of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78
PID 3084 wrote to memory of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78
PID 3084 wrote to memory of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78
PID 3084 wrote to memory of 1068	3084	e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe	78

C:\Users\Admin\AppData\Local\Temp\e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe
"C:\Users\Admin\AppData\Local\Temp\e2dab2f3fd421cad1bd97b76afd3b63856c81dd2be3ac441e3aecb204ec3bd6c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068

memory/1068-139-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/1068-136-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/1068-143-0x0000000006F70000-0x0000000006F82000-memory.dmp

Filesize
72KB

Download
memory/1068-142-0x00000000076E0000-0x0000000007C0C000-memory.dmp

Filesize
5.2MB

Download
memory/1068-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1068-141-0x0000000006FE0000-0x00000000071A2000-memory.dmp

Filesize
1.8MB

Download
memory/1068-137-0x0000000004DB0000-0x0000000004DBA000-memory.dmp

Filesize
40KB

Download
memory/1068-140-0x0000000004D20000-0x00000000052C4000-memory.dmp

Filesize
5.6MB

Download
memory/1068-138-0x0000000004FD0000-0x0000000005036000-memory.dmp

Filesize
408KB

Download
memory/3084-130-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/3084-131-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/3084-132-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download