Overview

overview

10

Static

static

59cbea1c28...a1.exe

windows7_x64

10

59cbea1c28...a1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe

  • Size

    515KB

  • MD5

    418b9e449094989ce2d8018f2b249028

  • SHA1

    d88ffaa50902882aa2678c8720ad0edb41af39bf

  • SHA256

    59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1

  • SHA512

    77ec4f9a3e842a015af0d14e043d67ea28d112222572a4569dd6020a4da8a19fe1040d9678c85492c109f6c9b931ac05a0c7dc9b1d87ca62aa3c1e1ddb3c3588

Score
10/10
poullightspywarestealersuricatatrojan

Malware Config

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

    trojanstealerpoullight
  • Poullight Stealer Payload 3 IoCs
  • suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed

    suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata
  • suricata: ET MALWARE Win32/X-Files Stealer Activity

    suricata: ET MALWARE Win32/X-Files Stealer Activity

    suricata
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe
    "C:\Users\Admin\AppData\Local\Temp\59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4376
        • C:\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe
          luudersmoon.sfx.exe -pluudersmoon.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2076
          • C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe
            "C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    57B

    MD5

    96e65dca579e84d0d730ec42dfa538e3

    SHA1

    7f4116aabf5991b6059a64becbb9d4bb8596df5b

    SHA256

    790c7e75d2d9a88e44d9b75809c715397ef0a9758f277827eaeaa5c148a789de

    SHA512

    44cf6b4b523ceafb158eb7e275436b207a0ae9cfd08ae48c5ec6968f21c23e52c269693384076663ed375fa517863d7955bb20cb366560d4d9c2444456c2610c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe
    Filesize

    97KB

    MD5

    58be8f739eb5b24eedce748dfc19d481

    SHA1

    531521c7605101969c3128cbd9be285971ede508

    SHA256

    3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

    SHA512

    c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe
    Filesize

    97KB

    MD5

    58be8f739eb5b24eedce748dfc19d481

    SHA1

    531521c7605101969c3128cbd9be285971ede508

    SHA256

    3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

    SHA512

    c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe
    Filesize

    352KB

    MD5

    16f950dcf3c99bab3e990ff3541944d9

    SHA1

    eaf4da6b50b2cbcae4bc01d26e304cc78b2d4f01

    SHA256

    54f0daf2f7c0e4121249af597fab8071f54061438c14914cffc79846da97acc2

    SHA512

    95edd9aab9f15c910f594a1b181e4192cd34e87991f1bfcb14e290bd31f807f1ba63691528e03d29c2f65059231f9f8967eddadd510722db2bd1b1f30a28bd89

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe
    Filesize

    352KB

    MD5

    16f950dcf3c99bab3e990ff3541944d9

    SHA1

    eaf4da6b50b2cbcae4bc01d26e304cc78b2d4f01

    SHA256

    54f0daf2f7c0e4121249af597fab8071f54061438c14914cffc79846da97acc2

    SHA512

    95edd9aab9f15c910f594a1b181e4192cd34e87991f1bfcb14e290bd31f807f1ba63691528e03d29c2f65059231f9f8967eddadd510722db2bd1b1f30a28bd89

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\vbs.vbs
    Filesize

    89B

    MD5

    dc06d3c7415f4f6b05272426a63e9fd1

    SHA1

    2a148ec726cde2a19222c03ebf2cf48e8a5c171f

    SHA256

    101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

    SHA512

    d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

    Download Submit
  • memory/2076-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2612-130-0x0000000000000000-mapping.dmp
    Download
  • memory/4376-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4784-140-0x0000029961900000-0x000002996191E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4784-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4784-141-0x00007FFABAD20000-0x00007FFABB7E1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4784-142-0x00000299636B0000-0x00000299636BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4784-143-0x000002997E500000-0x000002997E6C2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4784-144-0x000002997EC00000-0x000002997F128000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4784-145-0x000002997D5D0000-0x000002997D5E2000-memory.dmp
    Filesize

    72KB

    Download