poullight | 9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837

General

Target

9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe
Size

515KB
MD5

4f49935909c402b073e2bcf0df3320ec
SHA1

ce5eb1fa3286c03169823393efb7ed93fabf1e0f
SHA256

9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837
SHA512

c68243a392bbc200e82af219d6011a80d73d23dd3d91ed2106ae1e1c480741a986871913eae077b8c0bf2758e16b4184c899a2569a801dd7d3fb4ff18b6c77eb

Score

10^/10

poullight spyware stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023159-139.dat	family_poullight
behavioral2/files/0x0007000000023159-138.dat	family_poullight
behavioral2/memory/4404-140-0x0000017C0E100000-0x0000017C0E11E000-memory.dmp	family_poullight

suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata

Executes dropped EXE 2 IoCs

pid	Process
3536	XorBerToorXora.sfx.exe
4404	XorBerToorXora.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	XorBerToorXora.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4404	XorBerToorXora.exe
4404	XorBerToorXora.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4404	XorBerToorXora.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4884	2492	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe	81
PID 2492 wrote to memory of 4884	2492	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe	81
PID 2492 wrote to memory of 4884	2492	9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe	81
PID 4884 wrote to memory of 4156	4884	WScript.exe	84
PID 4884 wrote to memory of 4156	4884	WScript.exe	84
PID 4884 wrote to memory of 4156	4884	WScript.exe	84
PID 4156 wrote to memory of 3536	4156	cmd.exe	83
PID 4156 wrote to memory of 3536	4156	cmd.exe	83
PID 4156 wrote to memory of 3536	4156	cmd.exe	83
PID 3536 wrote to memory of 4404	3536	XorBerToorXora.sfx.exe	86
PID 3536 wrote to memory of 4404	3536	XorBerToorXora.sfx.exe	86

C:\Users\Admin\AppData\Local\Temp\9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe
"C:\Users\Admin\AppData\Local\Temp\9593b9378472dcb8e5e4adef932671382b6a9c7e4a2a06c3cfe72de5279c3837.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156

C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.sfx.exe
XorBerToorXora.sfx.exe -pXorBerToorXora.exe -dC:\Users\Admin\AppData\Local\Temp
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe
  "C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.exe

Filesize
97KB

MD5
58be8f739eb5b24eedce748dfc19d481

SHA1
531521c7605101969c3128cbd9be285971ede508

SHA256
3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550

SHA512
c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

Download Submit
C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.sfx.exe

Filesize
352KB

MD5
d2c555d83e2612a7c2caac86397ad913

SHA1
008465515322349ed3f93474609b47c507c46099

SHA256
6ea4cd482594b425f42bd078fb47cf31f2be0abb9b4d4c69400244a0e1445fbd

SHA512
5e4011f754e2bd6f12c0bb762b25e43196e047be75e8f8fa6ff8db06b251ead98466ab59160537075f25c83e934695562ea416ad6113424aa70f20135bb1a67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XorBerToorXora.sfx.exe

Filesize
352KB

MD5
d2c555d83e2612a7c2caac86397ad913

SHA1
008465515322349ed3f93474609b47c507c46099

SHA256
6ea4cd482594b425f42bd078fb47cf31f2be0abb9b4d4c69400244a0e1445fbd

SHA512
5e4011f754e2bd6f12c0bb762b25e43196e047be75e8f8fa6ff8db06b251ead98466ab59160537075f25c83e934695562ea416ad6113424aa70f20135bb1a67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
63B

MD5
1099b20a193ec5df7bb5cb2d951385a2

SHA1
1c37bd2c43cefff17fd33098fade3996af04577e

SHA256
9528fda99ef3ac998c9546cc08090226a419f288330282630cb412cc8eaa9a5b

SHA512
22112523d8bf77ded2d974931f0e41c08761a4248be7279f747fcde8632433d78139d75d31826f8c4a021f08335bf8099957a2b4b20930d9690a305d28194276

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
memory/4404-140-0x0000017C0E100000-0x0000017C0E11E000-memory.dmp

Filesize
120KB

Download
memory/4404-141-0x00007FFDCFCC0000-0x00007FFDD0781000-memory.dmp

Filesize
10.8MB

Download
memory/4404-142-0x0000017C0FDC0000-0x0000017C0FDCA000-memory.dmp

Filesize
40KB

Download
memory/4404-143-0x0000017C2A330000-0x0000017C2A4F2000-memory.dmp

Filesize
1.8MB

Download
memory/4404-144-0x0000017C2AA30000-0x0000017C2AF58000-memory.dmp

Filesize
5.2MB

Download
memory/4404-145-0x0000017C29540000-0x0000017C29552000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing