poullight | 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9

General

Target

9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
Size

232KB
MD5

c6c11a98c55d75f11ed88c4df931fd39
SHA1

8180a64e5bb006b8485991aef1fd8cf7e105a3c6
SHA256

9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9
SHA512

ce8a46d4e355e6a5b3e3d25de076fee1e5997e4dea3d16f729731999694039682a85ae3924713a69e435d3b39989cc5c222c62b4a4a4f4aa1ee516bd6ffaded4

Score

10^/10

poullight spyware stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1612-57-0x0000000002000000-0x0000000002020000-memory.dmp	family_poullight
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe	family_poullight
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe	family_poullight
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe	family_poullight
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe	family_poullight
behavioral1/memory/1736-63-0x0000000000AF0000-0x0000000000B0E000-memory.dmp	family_poullight

Executes dropped EXE 1 IoCs

Processes:

hack.exe

pid process

1736 hack.exe

pid	process
1736	hack.exe

Loads dropped DLL 2 IoCs

Processes:

9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe

pid	process
1612	9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
1612	9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

hack.exe

pid process

1736 hack.exe
1736 hack.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hack.exe

description pid process

Token: SeDebugPrivilege 1736 hack.exe

pid	process
1736	hack.exe
1736	hack.exe

description	pid	process
Token: SeDebugPrivilege	1736	hack.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe

description	pid	process	target process
PID 1612 wrote to memory of 1736	1612	9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe	hack.exe
PID 1612 wrote to memory of 1736	1612	9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe	hack.exe
PID 1612 wrote to memory of 1736	1612	9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe	hack.exe
PID 1612 wrote to memory of 1736	1612	9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe	hack.exe

C:\Users\Admin\AppData\Local\Temp\9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
"C:\Users\Admin\AppData\Local\Temp\9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe
Filesize
97KB

MD5
027bab0544eb91583e54a27cf967b167

SHA1
b108f8c6cbfb7c2b8b44d4b2263ceb97b1414044

SHA256
8f7ec48b5c3e52f3e09b3dc35f180a82c2b0dac269a84e7cd1f8127b8fad7ec4

SHA512
34d324375180ca81dd9710b60cd39c201fb22df54bd886310875d21c8b59f89ef0dfeea24f1233ff868848c0b9b481ab96734022d3398b4b89be863a2cbeee84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe
Filesize
97KB

MD5
027bab0544eb91583e54a27cf967b167

SHA1
b108f8c6cbfb7c2b8b44d4b2263ceb97b1414044

SHA256
8f7ec48b5c3e52f3e09b3dc35f180a82c2b0dac269a84e7cd1f8127b8fad7ec4

SHA512
34d324375180ca81dd9710b60cd39c201fb22df54bd886310875d21c8b59f89ef0dfeea24f1233ff868848c0b9b481ab96734022d3398b4b89be863a2cbeee84

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe
Filesize
97KB

MD5
027bab0544eb91583e54a27cf967b167

SHA1
b108f8c6cbfb7c2b8b44d4b2263ceb97b1414044

SHA256
8f7ec48b5c3e52f3e09b3dc35f180a82c2b0dac269a84e7cd1f8127b8fad7ec4

SHA512
34d324375180ca81dd9710b60cd39c201fb22df54bd886310875d21c8b59f89ef0dfeea24f1233ff868848c0b9b481ab96734022d3398b4b89be863a2cbeee84

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe
Filesize
97KB

MD5
027bab0544eb91583e54a27cf967b167

SHA1
b108f8c6cbfb7c2b8b44d4b2263ceb97b1414044

SHA256
8f7ec48b5c3e52f3e09b3dc35f180a82c2b0dac269a84e7cd1f8127b8fad7ec4

SHA512
34d324375180ca81dd9710b60cd39c201fb22df54bd886310875d21c8b59f89ef0dfeea24f1233ff868848c0b9b481ab96734022d3398b4b89be863a2cbeee84

Download Submit
memory/1612-54-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/1612-55-0x0000000000550000-0x0000000000576000-memory.dmp

Filesize
152KB

Download
memory/1612-56-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1612-57-0x0000000002000000-0x0000000002020000-memory.dmp

Filesize
128KB

Download
memory/1736-60-0x0000000000000000-mapping.dmp

Download
memory/1736-63-0x0000000000AF0000-0x0000000000B0E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads