Overview

overview

10

Static

static

10

3d10fcb6f5...43.exe

windows7_x64

10

3d10fcb6f5...43.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43

  • Size

    6.8MB

  • Sample

    220520-fx34rsecdj

  • MD5

    92290d3c06e414319fb42fc0f7d981d0

  • SHA1

    6396501c4acd9e06a44f75f136528535e8003dce

  • SHA256

    3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43

  • SHA512

    2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294

Score
10/10
poullightpersistencespywarestealersuricatatrojan

Malware Config

Targets

    • Target

      3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43

    • Size

      6.8MB

    • MD5

      92290d3c06e414319fb42fc0f7d981d0

    • SHA1

      6396501c4acd9e06a44f75f136528535e8003dce

    • SHA256

      3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43

    • SHA512

      2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294

    Score
    10/10
    poullightspywarestealersuricatatrojanpersistence

    • Poullight

      Poullight is an information stealer first seen in March 2020.

      trojanstealerpoullight

    • Poullight Stealer Payload

    • suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php

      suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks