Analysis

  • max time kernel
    190s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 06:15

General

  • Target

    edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309.exe

  • Size

    151KB

  • MD5

    9343386c659f66a4ddf860b64cf1fc55

  • SHA1

    9977986d2c647a9a51ec2a777d510d77f6006232

  • SHA256

    edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309

  • SHA512

    0a0a13acd2677fa5584dbc54bfe88358ffd8288002c6c23c9e3f7995d5b10c19fee588daf0df2a5030559af7c820d7a36b0f62aed6e514343769d0873256fd6b

Malware Config

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

  • Poullight Stealer Payload 3 IoCs
  • suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
  • suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  • suricata: ET MALWARE Win32/X-Files Stealer Activity

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data such as saved credentials, cookies, autofill entries and browsing history.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for this sample, a stealer with no file encryption reported anywhere in this analysis, drive enumeration is more consistent with locating files to collect.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
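The four "gate.php" suricata alerts above all key on the same traffic shape: an HTTP POST to a gate.php endpoint that lacks the Accept and Referer headers a browser would send, in one case to a 000webhostapp.com subdomain. The following Python is an added example, not part of the report or of the Emerging Threats ruleset, that approximates those heuristics over constructed HTTP request heads. The hostnames, paths and body values are placeholders; the page does not name the sample's real C2 and none is asserted here.

```python
"""
Added example (not from the sandbox report): approximate the Emerging Threats
'POST to gate.php' heuristics over constructed HTTP request heads.
Hostnames, paths and body values are placeholders, not IOCs from the report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HttpRequest:
    method: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive, so compare lower-cased
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request head (CRLF-separated) into an HttpRequest."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path = target.split("?", 1)[0]  # ignore the query string when matching the script name
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return HttpRequest(method=method, host=headers.get("Host", ""), path=path, headers=headers)


def gate_php_findings(req: HttpRequest) -> List[str]:
    """Return the heuristic names the request trips (empty list if none)."""
    findings: List[str] = []
    if req.method.upper() != "POST" or not req.path.lower().endswith("/gate.php"):
        return findings
    # Stealer/botnet panel pattern: a POST to gate.php without the headers a browser sends
    if req.header("Accept") is None:
        findings.append("POST to gate.php with no Accept header")
    if req.header("Referer") is None:
        findings.append("POST to gate.php with no Referer header")
    # The report's first alert keyed on C2 hosted under 000webhostapp free hosting
    if req.host.lower().endswith(".000webhostapp.com"):
        findings.append("gate.php hosted on 000webhostapp")
    return findings


# Constructed sample traffic (placeholder hosts, not the sample's C2)
SAMPLES = {
    "stealer_checkin": (
        "POST /gate.php HTTP/1.1\r\n"
        "Host: example-panel.000webhostapp.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 27\r\n"
        "\r\n"
        "hwid=0123456789ABCDEF&v=1.0"
    ),
    "browser_form": (
        "POST /gate.php HTTP/1.1\r\n"
        "Host: shop.example.com\r\n"
        "Accept: text/html,*/*\r\n"
        "Referer: https://shop.example.com/checkout\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ),
    "unrelated_get": (
        "GET /gate.php?ping=1 HTTP/1.1\r\n"
        "Host: shop.example.com\r\n"
        "\r\n"
    ),
}


def scan(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Run the heuristics over every sample and return findings per sample name."""
    return {name: gate_php_findings(parse_request(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name}: {hits or 'no alert'}")
```

Only the constructed check-in trips all three heuristics; the browser-shaped POST carries Accept and Referer and stays quiet. The real ET rules also inspect the request body and flowbits, so treat this as the shape of the detection rather than a drop-in replacement.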

Processes

  • C:\Users\Admin\AppData\Local\Temp\edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309.exe
    "C:\Users\Admin\AppData\Local\Temp\edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Users\Admin\AppData\Local\Temp\Deobfusactor.exe
      "C:\Users\Admin\AppData\Local\Temp\Deobfusactor.exe"
      2⤵
      • Executes dropped EXE
      PID:3864
    • C:\Users\Admin\AppData\Local\Temp\webhost.exe
      "C:\Users\Admin\AppData\Local\Temp\webhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 5032 -s 1832
        3⤵
        • Program crash
        PID:3964
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 444 -p 5032 -ip 5032
    1⤵
    PID:3960
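The process tree above is what sits behind the "Executes dropped EXE" and "Program crash" signatures: the sample running from %LOCALAPPDATA%\Temp spawns two further executables from the same directory, and one of them (PID 5032) is then handled by WerFault.exe. The Python below is an added example, not part of the report, that reconstructs such a tree from Sysmon-style process-creation records and flags those two patterns. The event records are constructed to mirror the PIDs and paths above; the parent PIDs 2400 and 900 are made up, and the SHA256 values are the dropped-file hashes from the Downloads section.

```python
"""
Added example (not from the sandbox report): flag Temp-resident executables
launching further executables from Temp, and WerFault handling a crash of one
of those children, over constructed Sysmon Event ID 1 style records.
"""
import re
from typing import Dict, List, Optional

# SHA256 values of the dropped files as listed in the report's Downloads section
REPORT_HASHES = {
    "c38d762ec06d3fe74de40cbd46bab3989d14cfe2e83b8c63077a3602f8a7a3da": "Deobfusactor.exe",
    "0dce39e05706807ad8222360c440b8ef612198fd350bced53bd8ffe69f62cad8": "webhost.exe",
}

# Constructed events; PIDs and images follow the report, parent PIDs 2400/900 are made up
EVENTS: List[Dict] = [
    {"ProcessId": 4264, "ParentProcessId": 2400,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\edca2f8c36f24dc6520a168a499c477ff880a0fb679bf3e08b227afb42805309.exe"},
    {"ProcessId": 3864, "ParentProcessId": 4264,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Deobfusactor.exe",
     "Hashes": "SHA256=c38d762ec06d3fe74de40cbd46bab3989d14cfe2e83b8c63077a3602f8a7a3da"},
    {"ProcessId": 5032, "ParentProcessId": 4264,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\webhost.exe",
     "Hashes": "SHA256=0dce39e05706807ad8222360c440b8ef612198fd350bced53bd8ffe69f62cad8"},
    {"ProcessId": 3964, "ParentProcessId": 5032,
     "Image": r"C:\Windows\system32\WerFault.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 5032 -s 1832"},
    {"ProcessId": 3960, "ParentProcessId": 900,
     "Image": r"C:\Windows\system32\WerFault.exe",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -pss -s 444 -p 5032 -ip 5032"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"


def in_temp(path: str) -> bool:
    """True if the image lives under a user's %LOCALAPPDATA%\\Temp directory."""
    return TEMP_MARKER in path.lower()


def sha256_of(event: Dict) -> Optional[str]:
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", event.get("Hashes", ""))
    return m.group(1).lower() if m else None


def analyse(events: List[Dict]) -> List[Dict]:
    """Return findings: Temp-to-Temp executions, then WerFault crashes of those children."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings: List[Dict] = []
    dropped_pids = set()

    # Pass 1: a Temp-resident parent launching another executable from Temp.
    # Without file-write events this is a path heuristic, not proof the child was dropped.
    for e in events:
        parent = by_pid.get(e["ParentProcessId"])
        if parent and in_temp(parent["Image"]) and in_temp(e["Image"]):
            dropped_pids.add(e["ProcessId"])
            finding = {"rule": "Executes dropped EXE", "pid": e["ProcessId"],
                       "parent_pid": parent["ProcessId"], "image": e["Image"]}
            h = sha256_of(e)
            if h in REPORT_HASHES:
                finding["known_as"] = REPORT_HASHES[h]  # annotate with the report's IOC name
            findings.append(finding)

    # Pass 2: WerFault invoked for one of the flagged children ("-p <pid>" on its command line).
    for e in events:
        if not e["Image"].lower().endswith("\\werfault.exe"):
            continue
        m = re.search(r"(?:^|\s)-p\s+(\d+)", e.get("CommandLine", ""))
        if m and int(m.group(1)) in dropped_pids:
            findings.append({"rule": "Program crash (dropped EXE)", "pid": e["ProcessId"],
                             "crashed_pid": int(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

Both WerFault instances reference PID 5032, so the crash is reported twice, once for the in-process "-u -p" invocation and once for the service-side "-pss" one; the first WerFault's own parent is 5032, the second's is not, which is why the report shows it at the top level.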

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    T1081 Credentials in Files (1)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (2)
  • Collection
    T1005 Data from Local System (1)

    The mapping uses ATT&CK v6 technique IDs. In current ATT&CK the pre-sub-technique ID T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files); T1012, T1082 and T1005 are still valid IDs.


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Deobfusactor.exe
      Filesize

      9KB

      MD5

      b95f17b473384cecf82f66c6a0e2e50c

      SHA1

      b232c45654c6cf7bc912c8f02cd86a31289ec2ab

      SHA256

      c38d762ec06d3fe74de40cbd46bab3989d14cfe2e83b8c63077a3602f8a7a3da

      SHA512

      29840efd18f7b3fe7702bb147e58a62193ae16f33dca206bf008dface5281a69a60a3c678b5748f2443362801b9334cb518aaba39f49f0880d5d7d525a6cf936

    • C:\Users\Admin\AppData\Local\Temp\webhost.exe
      Filesize

      97KB

      MD5

      4813c32e67f6a4f67b995068c3fa7445

      SHA1

      e5e4a2d10c3ea17a3c75e54cd08cad97f40526aa

      SHA256

      0dce39e05706807ad8222360c440b8ef612198fd350bced53bd8ffe69f62cad8

      SHA512

      5d3b1707115511656178a684ffd680661983fef751f9bb4973a4dcb13439c0ff71203441b392dec7c7fec4a9392e3317f40aa76d333bf272c80d6b8966c3f4e1

    • memory/3864-134-0x0000000000000000-mapping.dmp
    • memory/3864-138-0x0000000000270000-0x0000000000278000-memory.dmp
      Filesize

      32KB

    • memory/4264-131-0x0000000005E90000-0x0000000006434000-memory.dmp
      Filesize

      5.6MB

    • memory/4264-132-0x0000000005980000-0x0000000005A12000-memory.dmp
      Filesize

      584KB

    • memory/4264-133-0x0000000005960000-0x000000000596A000-memory.dmp
      Filesize

      40KB

    • memory/4264-130-0x0000000000F80000-0x0000000000F88000-memory.dmp
      Filesize

      32KB

    • memory/5032-137-0x0000000000000000-mapping.dmp
    • memory/5032-141-0x000002186A870000-0x000002186A88E000-memory.dmp
      Filesize

      120KB

    • memory/5032-142-0x00007FFB121F0000-0x00007FFB12CB1000-memory.dmp
      Filesize

      10.8MB

    • memory/5032-143-0x000002186C580000-0x000002186C58A000-memory.dmp
      Filesize

      40KB

    • memory/5032-144-0x000002186EF30000-0x000002186F0F2000-memory.dmp
      Filesize

      1.8MB

    • memory/5032-145-0x000002186F630000-0x000002186FB58000-memory.dmp
      Filesize

      5.2MB

    • memory/5032-146-0x000002186DEE0000-0x000002186DEF2000-memory.dmp
      Filesize

      72KB