poullight | 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1

Analysis

max time kernel
168s
max time network
175s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe
Size

515KB
MD5

418b9e449094989ce2d8018f2b249028
SHA1

d88ffaa50902882aa2678c8720ad0edb41af39bf
SHA256

59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1
SHA512

77ec4f9a3e842a015af0d14e043d67ea28d112222572a4569dd6020a4da8a19fe1040d9678c85492c109f6c9b931ac05a0c7dc9b1d87ca62aa3c1e1ddb3c3588

Score

10^/10

poullight spyware stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\luudersmoon.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe	family_poullight
\Users\Admin\AppData\Local\Temp\luudersmoon.exe	family_poullight
behavioral1/memory/672-73-0x0000000001320000-0x000000000133E000-memory.dmp	family_poullight
\Users\Admin\AppData\Local\Temp\luudersmoon.exe	family_poullight
\Users\Admin\AppData\Local\Temp\luudersmoon.exe	family_poullight
\Users\Admin\AppData\Local\Temp\luudersmoon.exe	family_poullight

Executes dropped EXE 2 IoCs

Processes:

luudersmoon.sfx.exeluudersmoon.exe

pid process

1636 luudersmoon.sfx.exe
672 luudersmoon.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeluudersmoon.sfx.exe

pid process

1836 cmd.exe
1636 luudersmoon.sfx.exe
1636 luudersmoon.sfx.exe
1636 luudersmoon.sfx.exe
1636 luudersmoon.sfx.exe
1636 luudersmoon.sfx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

luudersmoon.exe

pid process

672 luudersmoon.exe
672 luudersmoon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

luudersmoon.exe

description pid process

Token: SeDebugPrivilege 672 luudersmoon.exe

pid	process
1636	luudersmoon.sfx.exe
672	luudersmoon.exe

pid	process
1836	cmd.exe
1636	luudersmoon.sfx.exe
1636	luudersmoon.sfx.exe
1636	luudersmoon.sfx.exe
1636	luudersmoon.sfx.exe
1636	luudersmoon.sfx.exe

pid	process
672	luudersmoon.exe
672	luudersmoon.exe

description	pid	process
Token: SeDebugPrivilege	672	luudersmoon.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exeWScript.execmd.exeluudersmoon.sfx.exe

description	pid	process	target process
PID 1840 wrote to memory of 1832	1840	59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe	WScript.exe
PID 1840 wrote to memory of 1832	1840	59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe	WScript.exe
PID 1840 wrote to memory of 1832	1840	59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe	WScript.exe
PID 1840 wrote to memory of 1832	1840	59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe	WScript.exe
PID 1832 wrote to memory of 1836	1832	WScript.exe	cmd.exe
PID 1832 wrote to memory of 1836	1832	WScript.exe	cmd.exe
PID 1832 wrote to memory of 1836	1832	WScript.exe	cmd.exe
PID 1832 wrote to memory of 1836	1832	WScript.exe	cmd.exe
PID 1836 wrote to memory of 1636	1836	cmd.exe	luudersmoon.sfx.exe
PID 1836 wrote to memory of 1636	1836	cmd.exe	luudersmoon.sfx.exe
PID 1836 wrote to memory of 1636	1836	cmd.exe	luudersmoon.sfx.exe
PID 1836 wrote to memory of 1636	1836	cmd.exe	luudersmoon.sfx.exe
PID 1636 wrote to memory of 672	1636	luudersmoon.sfx.exe	luudersmoon.exe
PID 1636 wrote to memory of 672	1636	luudersmoon.sfx.exe	luudersmoon.exe
PID 1636 wrote to memory of 672	1636	luudersmoon.sfx.exe	luudersmoon.exe
PID 1636 wrote to memory of 672	1636	luudersmoon.sfx.exe	luudersmoon.exe

C:\Users\Admin\AppData\Local\Temp\59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe
"C:\Users\Admin\AppData\Local\Temp\59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bat.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe
luudersmoon.sfx.exe -pluudersmoon.exe -dC:\Users\Admin\AppData\Local\Temp
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe
"C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat
Filesize
57B

MD5
96e65dca579e84d0d730ec42dfa538e3

SHA1
7f4116aabf5991b6059a64becbb9d4bb8596df5b

SHA256
790c7e75d2d9a88e44d9b75809c715397ef0a9758f277827eaeaa5c148a789de

SHA512
44cf6b4b523ceafb158eb7e275436b207a0ae9cfd08ae48c5ec6968f21c23e52c269693384076663ed375fa517863d7955bb20cb366560d4d9c2444456c2610c

Download Submit
C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
C:\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe
Filesize
352KB

MD5
16f950dcf3c99bab3e990ff3541944d9

SHA1
eaf4da6b50b2cbcae4bc01d26e304cc78b2d4f01

SHA256
54f0daf2f7c0e4121249af597fab8071f54061438c14914cffc79846da97acc2

SHA512
95edd9aab9f15c910f594a1b181e4192cd34e87991f1bfcb14e290bd31f807f1ba63691528e03d29c2f65059231f9f8967eddadd510722db2bd1b1f30a28bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe
Filesize
352KB

MD5
16f950dcf3c99bab3e990ff3541944d9

SHA1
eaf4da6b50b2cbcae4bc01d26e304cc78b2d4f01

SHA256
54f0daf2f7c0e4121249af597fab8071f54061438c14914cffc79846da97acc2

SHA512
95edd9aab9f15c910f594a1b181e4192cd34e87991f1bfcb14e290bd31f807f1ba63691528e03d29c2f65059231f9f8967eddadd510722db2bd1b1f30a28bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
\Users\Admin\AppData\Local\Temp\luudersmoon.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\luudersmoon.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\luudersmoon.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\luudersmoon.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\luudersmoon.exe
Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe
Filesize
352KB

MD5
16f950dcf3c99bab3e990ff3541944d9

SHA1
eaf4da6b50b2cbcae4bc01d26e304cc78b2d4f01

SHA256
54f0daf2f7c0e4121249af597fab8071f54061438c14914cffc79846da97acc2

SHA512
95edd9aab9f15c910f594a1b181e4192cd34e87991f1bfcb14e290bd31f807f1ba63691528e03d29c2f65059231f9f8967eddadd510722db2bd1b1f30a28bd89

Download Submit
memory/672-70-0x0000000000000000-mapping.dmp

Download
memory/672-73-0x0000000001320000-0x000000000133E000-memory.dmp

Filesize
120KB

Download
memory/1636-62-0x0000000000000000-mapping.dmp

Download
memory/1832-55-0x0000000000000000-mapping.dmp

Download
memory/1836-58-0x0000000000000000-mapping.dmp

Download
memory/1840-54-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download