poullight | 9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837

Analysis

max time kernel
156s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe
Size

515KB
MD5

4f49935909c402b073e2bcf0df3320ec
SHA1

ce5eb1fa3286c03169823393efb7ed93fabf1e0f
SHA256

9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837
SHA512

c68243a392bbc200e82af219d6011a80d73d23dd3d91ed2106ae1e1c480741a986871913eae077b8c0bf2758e16b4184c899a2569a801dd7d3fb4ff18b6c77eb

Score

10^/10

poullight stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014836-65.dat	family_poullight
behavioral1/files/0x0008000000014836-66.dat	family_poullight
behavioral1/files/0x0008000000014836-67.dat	family_poullight
behavioral1/files/0x0008000000014836-68.dat	family_poullight
behavioral1/files/0x0008000000014836-69.dat	family_poullight
behavioral1/files/0x0008000000014836-71.dat	family_poullight
behavioral1/files/0x0008000000014836-72.dat	family_poullight
behavioral1/memory/556-73-0x0000000001260000-0x000000000127E000-memory.dmp	family_poullight

Executes dropped EXE 2 IoCs

pid	Process
1764	XorBerToorXora.sfx.exe
556	XorBerToorXora.exe

Loads dropped DLL 6 IoCs

pid	Process
1100	cmd.exe
1764	XorBerToorXora.sfx.exe
1764	XorBerToorXora.sfx.exe
1764	XorBerToorXora.sfx.exe
1764	XorBerToorXora.sfx.exe
1764	XorBerToorXora.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
556	XorBerToorXora.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	XorBerToorXora.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1416	1972	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe	27
PID 1972 wrote to memory of 1416	1972	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe	27
PID 1972 wrote to memory of 1416	1972	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe	27
PID 1972 wrote to memory of 1416	1972	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe	27
PID 1416 wrote to memory of 1100	1416	WScript.exe	28
PID 1416 wrote to memory of 1100	1416	WScript.exe	28
PID 1416 wrote to memory of 1100	1416	WScript.exe	28
PID 1416 wrote to memory of 1100	1416	WScript.exe	28
PID 1100 wrote to memory of 1764	1100	cmd.exe	30
PID 1100 wrote to memory of 1764	1100	cmd.exe	30
PID 1100 wrote to memory of 1764	1100	cmd.exe	30
PID 1100 wrote to memory of 1764	1100	cmd.exe	30
PID 1764 wrote to memory of 556	1764	XorBerToorXora.sfx.exe	31
PID 1764 wrote to memory of 556	1764	XorBerToorXora.sfx.exe	31
PID 1764 wrote to memory of 556	1764	XorBerToorXora.sfx.exe	31
PID 1764 wrote to memory of 556	1764	XorBerToorXora.sfx.exe	31

C:\Users\Admin\AppData\Local\Temp\9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe
"C:\Users\Admin\AppData\Local\Temp\9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.sfx.exe
      XorBerToorXora.sfx.exe -pXorBerToorXora.exe -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.sfx.exe

Filesize
352KB

MD5
d2c555d83e2612a7c2caac86397ad913

SHA1
008465515322349ed3f93474609b47c507c46099

SHA256
6ea4cd482594b425f42bd078fb47cf31f2be0abb9b4d4c69400244a0e1445fbd

SHA512
5e4011f754e2bd6f12c0bb762b25e43196e047be75e8f8fa6ff8db06b251ead98466ab59160537075f25c83e934695562ea416ad6113424aa70f20135bb1a67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.sfx.exe

Filesize
352KB

MD5
d2c555d83e2612a7c2caac86397ad913

SHA1
008465515322349ed3f93474609b47c507c46099

SHA256
6ea4cd482594b425f42bd078fb47cf31f2be0abb9b4d4c69400244a0e1445fbd

SHA512
5e4011f754e2bd6f12c0bb762b25e43196e047be75e8f8fa6ff8db06b251ead98466ab59160537075f25c83e934695562ea416ad6113424aa70f20135bb1a67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
63B

MD5
1099b20a193ec5df7bb5cb2d951385a2

SHA1
1c37bd2c43cefff17fd33098fade3996af04577e

SHA256
9528fda99ef3ac998c9546cc08090226a419f288330282630cb412cc8eaa9a5b

SHA512
22112523d8bf77ded2d974931f0e41c08761a4248be7279f747fcde8632433d78139d75d31826f8c4a021f08335bf8099957a2b4b20930d9690a305d28194276

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
\Users\Admin\AppData\Local\Temp\XorBerToorXora.sfx.exe

Filesize
352KB

MD5
d2c555d83e2612a7c2caac86397ad913

SHA1
008465515322349ed3f93474609b47c507c46099

SHA256
6ea4cd482594b425f42bd078fb47cf31f2be0abb9b4d4c69400244a0e1445fbd

SHA512
5e4011f754e2bd6f12c0bb762b25e43196e047be75e8f8fa6ff8db06b251ead98466ab59160537075f25c83e934695562ea416ad6113424aa70f20135bb1a67e

Download Submit
memory/556-73-0x0000000001260000-0x000000000127E000-memory.dmp

Filesize
120KB

Download
memory/1972-54-0x0000000074DD1000-0x0000000074DD3000-memory.dmp

Filesize
8KB

Download