poullight | 70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2

Analysis

max time kernel
150s
max time network
160s
platform
windows7_x64
resource
win7-20220414-en
submitted
20/05/2022, 22:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2.exe
Size

92KB
MD5

afd0fd73b658168e31480fa3f0fef267
SHA1

a2579217dd963ac5a5d474bac08085c632124cfe
SHA256

70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2
SHA512

d773200722ce9f3cd2fa15dfca5d18368b3df6d2cb70a62e8d4f251a1228b253fdf2ecaeb457c1a7192e328686ee385c55246ebc48fed68231c518602c689c4a

Score

10^/10

poullight spyware stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1872-54-0x0000000001000000-0x000000000101E000-memory.dmp	family_poullight

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1872	70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2.exe
1872	70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2.exe

C:\Users\Admin\AppData\Local\Temp\70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2.exe
"C:\Users\Admin\AppData\Local\Temp\70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

Network

DNS

poullight.ru

70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2.exe

Remote address:

8.8.8.8:53

Request

poullight.ru

IN A

Response

No results found

8.8.8.8:53

poullight.ru

dns

70236db972081f891c2f239e67e7924bae492ddc5fe5073c838eab0a730413b2.exe

58 B
119 B
1
1

DNS Request

poullight.ru

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1872-54-0x0000000001000000-0x000000000101E000-memory.dmp

Filesize
120KB

Download