Analysis

  • max time kernel
    157s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 19:13

General

  • Target

    cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe

  • Size

    515KB

  • MD5

    8d5f2486b1079ca616a5777ee1780c42

  • SHA1

    726e086076e11f277df3d24fb5830b658458d42f

  • SHA256

    cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f

  • SHA512

    40157e363ceea085713dbd3a6a7ce0923f1f48923f7cc475c05f1d4f442314d0cc84b48b5684b188e3eac81d8c58eaece77dddefe48f5c6e73dce6ef6ed4f43f

Malware Config

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

  • Poullight Stealer Payload 3 IoCs
  • suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  • suricata: ET MALWARE Win32/X-Files Stealer Activity

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe
    "C:\Users\Admin\AppData\Local\Temp\cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3172
  • C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.sfx.exe
    GangsterKirillEeE.sfx.exe -pGangsterKirillEeE.exe -dC:\Users\Admin\AppData\Local\Temp
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe
      "C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082
  • Collection
    Data from Local System (1) T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe
    Filesize

    97KB

    MD5

    58be8f739eb5b24eedce748dfc19d481

    SHA1

    531521c7605101969c3128cbd9be285971ede508

    SHA256

    3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

    SHA512

    c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

  • C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.sfx.exe
    Filesize

    352KB

    MD5

    7aae2bddc3ed0dadccb79baf02ff7320

    SHA1

    8c9752b1553fba86f069e09952cd0a64d7762666

    SHA256

    813461c1f05c9ef1fa6422c79b3cfdc4cfcbe85a94fd9f82e851aaf645cec7dd

    SHA512

    6cdec4e6b37d172d82c107e6992e25e4d23c456af533cdeede5b1d40db747ecbc7f355ee74e9345063ac5ee8264d98041e1c8f1f7ce4778af71d7ad3369da5a2

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    69B

    MD5

    efa934163bc0e44bf9f8451517e98e83

    SHA1

    c21532d9a4c1cbf698e9578621a17930bdeee2e5

    SHA256

    3821d3bd5f0b59495a717afcabcd0ee162d391c1ab1a922b671fd88444f5e5b1

    SHA512

    a5ba040da972ea41ab7a430d676732e0ea0d16dbf8f6565dfb636827aa1887a1da2eed2e5fac04d1e189d6c1cb43e855d749cc3be5d93318037d7a609f1aef9e

  • C:\Users\Admin\AppData\Local\Temp\vbs.vbs
    Filesize

    89B

    MD5

    dc06d3c7415f4f6b05272426a63e9fd1

    SHA1

    2a148ec726cde2a19222c03ebf2cf48e8a5c171f

    SHA256

    101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

    SHA512

    d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

  • memory/8-130-0x0000000000000000-mapping.dmp
  • memory/1284-142-0x00000287BB9C0000-0x00000287BB9CA000-memory.dmp
    Filesize

    40KB

  • memory/1284-137-0x0000000000000000-mapping.dmp
  • memory/1284-140-0x00000287BB5D0000-0x00000287BB5EE000-memory.dmp
    Filesize

    120KB

  • memory/1284-141-0x00007FFF9B1E0000-0x00007FFF9BCA1000-memory.dmp
    Filesize

    10.8MB

  • memory/1284-143-0x00000287D7CC0000-0x00000287D7E82000-memory.dmp
    Filesize

    1.8MB

  • memory/1284-144-0x00000287D83C0000-0x00000287D88E8000-memory.dmp
    Filesize

    5.2MB

  • memory/1284-145-0x00000287D6D30000-0x00000287D6D42000-memory.dmp
    Filesize

    72KB

  • memory/2280-134-0x0000000000000000-mapping.dmp
  • memory/3172-132-0x0000000000000000-mapping.dmp