poullight

General

Target

a456f1d4fa5aa51e8605e6fcb43579c41593c6ae7eb110c5bbdddd071b3ab1f8
Size

6.2MB
Sample

220520-fx7rysbdf9
MD5

6f931c28532be11c8492783d89b4cc84
SHA1

955ce2909398152312137f700c4449ad7069771a
SHA256

a456f1d4fa5aa51e8605e6fcb43579c41593c6ae7eb110c5bbdddd071b3ab1f8
SHA512

b7c9dd2eee7f18c7c4cbff70fd8870a9d6ed754a69ce31c2cfa54c608a0717f0986cf59a1426dc4718fb2fe4364d650961e13c4335d477cdbd39396fe794a75b

Score

10^/10

Malware Config

Targets

- Target
  
  salikhack.exe
- Size
  
  6.8MB
- MD5
  
  92290d3c06e414319fb42fc0f7d981d0
- SHA1
  
  6396501c4acd9e06a44f75f136528535e8003dce
- SHA256
  
  3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43
- SHA512
  
  2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294
Score

10^/10

poullight spyware stealer suricata trojan persistence
- Poullight
  Poullight is an information stealer first seen in March 2020.
  trojan stealer poullight
- Poullight Stealer Payload
- suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
  suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2