poullight

General

Target

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
Size

618KB
Sample

220502-dfswcsafe9
MD5

55325b6ce1861b7982b9a3e38be7e8c1
SHA1

f936c13014e3346c0fa88aca690e0f29276cc991
SHA256

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
SHA512

34d4c2a0498f2c430ff2e9049d2634b1fb49e4155b54749ba31c8dac16e7f1a87947485192d0f77ba5eae7c679040c1e047e8ea875b35b9c0142082844425593

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

Artemlok134-50915.portmap.io:50915

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
WindowsDefender.exe
copy_folder
WindowsDefender
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%SystemDrive%
keylog_crypt
false
keylog_file
ban.dat
keylog_flag
false
keylog_folder
LolWtf
keylog_path
%AppData%
mouse_option
false
mutex
remcos_igwinxzuvw
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
qTorrent
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Targets

- Target
  
  076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
- Size
  
  618KB
- MD5
  
  55325b6ce1861b7982b9a3e38be7e8c1
- SHA1
  
  f936c13014e3346c0fa88aca690e0f29276cc991
- SHA256
  
  076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
- SHA512
  
  34d4c2a0498f2c430ff2e9049d2634b1fb49e4155b54749ba31c8dac16e7f1a87947485192d0f77ba5eae7c679040c1e047e8ea875b35b9c0142082844425593
Score

10^/10

poullight remcos host persistence rat spyware stealer suricata trojan
- Modifies WinLogon for persistence
  persistence
- Poullight
  Poullight is an information stealer first seen in March 2020.
  trojan stealer poullight
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
  suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- suricata: ET MALWARE Win32/X-Files Stealer Activity
  suricata: ET MALWARE Win32/X-Files Stealer Activity
  suricata
- Adds policy Run key to start application
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2