poullight | 1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe
Size

515KB
MD5

22fc7ac275911cacec082e0bf88b8cfc
SHA1

48dbcfac99b8441dd44514506191ef8e116cd69f
SHA256

1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb
SHA512

882d847c0e1549ba9c36aed7972116d4930839742e3da62e6e93a237934ddd7cb7b612b9ff8c83cba647e01cabe0e4d7746002940408f4fc36448ed4a391e34e

Score

10^/10

poullight spyware stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe	family_poullight
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe	family_poullight
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe	family_poullight
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe	family_poullight
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe	family_poullight
behavioral1/memory/660-73-0x00000000003C0000-0x00000000003DE000-memory.dmp	family_poullight

suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata
Executes dropped EXE 2 IoCs

Processes:

gratenbersboor.sfx.exegratenbersboor.exe

pid process

1700 gratenbersboor.sfx.exe
660 gratenbersboor.exe

pid	process
1700	gratenbersboor.sfx.exe
660	gratenbersboor.exe

Loads dropped DLL 6 IoCs

Processes:

cmd.exegratenbersboor.sfx.exe

pid	process
1752	cmd.exe
1700	gratenbersboor.sfx.exe
1700	gratenbersboor.sfx.exe
1700	gratenbersboor.sfx.exe
1700	gratenbersboor.sfx.exe
1700	gratenbersboor.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

gratenbersboor.exe

pid process

660 gratenbersboor.exe
660 gratenbersboor.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gratenbersboor.exe

description pid process

Token: SeDebugPrivilege 660 gratenbersboor.exe

pid	process
660	gratenbersboor.exe
660	gratenbersboor.exe

description	pid	process
Token: SeDebugPrivilege	660	gratenbersboor.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exeWScript.execmd.exegratenbersboor.sfx.exe

description	pid	process	target process
PID 1860 wrote to memory of 1244	1860	1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe	WScript.exe
PID 1860 wrote to memory of 1244	1860	1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe	WScript.exe
PID 1860 wrote to memory of 1244	1860	1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe	WScript.exe
PID 1860 wrote to memory of 1244	1860	1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe	WScript.exe
PID 1244 wrote to memory of 1752	1244	WScript.exe	cmd.exe
PID 1244 wrote to memory of 1752	1244	WScript.exe	cmd.exe
PID 1244 wrote to memory of 1752	1244	WScript.exe	cmd.exe
PID 1244 wrote to memory of 1752	1244	WScript.exe	cmd.exe
PID 1752 wrote to memory of 1700	1752	cmd.exe	gratenbersboor.sfx.exe
PID 1752 wrote to memory of 1700	1752	cmd.exe	gratenbersboor.sfx.exe
PID 1752 wrote to memory of 1700	1752	cmd.exe	gratenbersboor.sfx.exe
PID 1752 wrote to memory of 1700	1752	cmd.exe	gratenbersboor.sfx.exe
PID 1700 wrote to memory of 660	1700	gratenbersboor.sfx.exe	gratenbersboor.exe
PID 1700 wrote to memory of 660	1700	gratenbersboor.sfx.exe	gratenbersboor.exe
PID 1700 wrote to memory of 660	1700	gratenbersboor.sfx.exe	gratenbersboor.exe
PID 1700 wrote to memory of 660	1700	gratenbersboor.sfx.exe	gratenbersboor.exe

C:\Users\Admin\AppData\Local\Temp\1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe
"C:\Users\Admin\AppData\Local\Temp\1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bat.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\gratenbersboor.sfx.exe
gratenbersboor.sfx.exe -pgratenbersboor.exe -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
"C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat
Filesize
63B

MD5
832e052a8b74b20e7f992814e0a78614

SHA1
7e6f04abfbe3393dbf47d562b4ebed63b3fa8a94

SHA256
de1b472fb7f93bdb6e72cd4203ddf6683febb443fc332cf1d939d743cc714215

SHA512
16ba2ff63f334dc6f38ff54272db2e40f30c83345016e7fbdddd0be0d10b30a1df23ad98d32a4b70147f52665a8966943b791cbfdddf1ea4f009e0942897557e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
C:\Users\Admin\AppData\Local\Temp\gratenbersboor.sfx.exe
Filesize
352KB

MD5
ca78826a9fc3413b20f7e0fc940ed16c

SHA1
0b21722dc501392445a8b0c70c95f764e8fdaa4f

SHA256
619b870a8099f724332f5ed2f539752691e32adc036b4a79f4e4cc7de9e41e71

SHA512
4db4aa050739030c82c94ce5e0e6a3d3cbed13a88013412b01e7002314470409f3d37833dc03472abe0e3dce2626983cfb40358779b65d9f9f62629f805d6ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gratenbersboor.sfx.exe
Filesize
352KB

MD5
ca78826a9fc3413b20f7e0fc940ed16c

SHA1
0b21722dc501392445a8b0c70c95f764e8fdaa4f

SHA256
619b870a8099f724332f5ed2f539752691e32adc036b4a79f4e4cc7de9e41e71

SHA512
4db4aa050739030c82c94ce5e0e6a3d3cbed13a88013412b01e7002314470409f3d37833dc03472abe0e3dce2626983cfb40358779b65d9f9f62629f805d6ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\gratenbersboor.sfx.exe
Filesize
352KB

MD5
ca78826a9fc3413b20f7e0fc940ed16c

SHA1
0b21722dc501392445a8b0c70c95f764e8fdaa4f

SHA256
619b870a8099f724332f5ed2f539752691e32adc036b4a79f4e4cc7de9e41e71

SHA512
4db4aa050739030c82c94ce5e0e6a3d3cbed13a88013412b01e7002314470409f3d37833dc03472abe0e3dce2626983cfb40358779b65d9f9f62629f805d6ce4

Download Submit
memory/660-70-0x0000000000000000-mapping.dmp

Download
memory/660-73-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/1244-55-0x0000000000000000-mapping.dmp

Download
memory/1700-62-0x0000000000000000-mapping.dmp

Download
memory/1752-58-0x0000000000000000-mapping.dmp

Download
memory/1860-54-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download