Analysis

  • max time kernel: 105s
  • max time network: 153s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 24-05-2022 22:30

General

  • Target: 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe
  • Size: 3.0MB
  • MD5: 4e1ae916a283ff087b4daf71f73540cf
  • SHA1: c9f8cb325b0dc69638984060c100604bf61cf0fd
  • SHA256: 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd
  • SHA512: 87abe3370506db994bf456ff008905690f6fd7cbb10440a8fba17a1fbec13ed14a91f2466b8e2bec4ac36b8397655866871646ffdcf1ff30f973b8288c8abbf6

Malware Config

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

  • Poullight Stealer Payload 5 IoCs
  • suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe
    "C:\Users\Admin\AppData\Local\Temp\927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Users\Admin\AppData\Local\Temp\HB.exe
      "C:\Users\Admin\AppData\Local\Temp\HB.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://jq.qq.com/?_wv=1027&k=57Cts1S
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1872 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:848

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 28760896f27c772bc1757c64a23570ef
    SHA1: 9398846101319958d9ab3620b6743a637581322b
    SHA256: 178d98d6b971b77785cc4ea2969088c8f7e40e8df1fb93050c4af10bf76041bb
    SHA512: 46ddaabc43cbbeb9c2bea619c451b1c6b3217b5e74055226d96fbf9801b23476fbbb7fe6a202adf3472bfefd7804861126dcbef108ba245b8899a08e77b7bf22

  • C:\Users\Admin\AppData\Local\Temp\HB.exe
    Filesize: 2.8MB
    MD5: 3f9dd912d6f833970e34e99ac80ae8f0
    SHA1: 38cbef846a4d67728c1e90ae91ffb7eb6d4d9442
    SHA256: 9595db47c8f460cdd27b9a4c1b1ac68acdda489ccf867d9495883519950d3ef6
    SHA512: cfdf38bdaacaf396f6e76792f956305da1d5a48b50ae7d4f1113a72ab957e61b320360dbde208613e651ad5f1ea900b6a3140440a6a59e7f11117647954ba938

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize: 100KB
    MD5: 129bbd25c68f6dfd3cd3ea812314e848
    SHA1: 5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a
    SHA256: f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e
    SHA512: f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QQMIE4X9.txt
    Filesize: 608B
    MD5: 8d41c92c3f2cb4778fd1431e6e8386b4
    SHA1: 3832e4ed88eb74ce76d162b65adf309f8ec02b5e
    SHA256: 82b52fb2e14d0af874fc8be1cbcd3cf27631cab2207f690be97ad5541feb7b01
    SHA512: dd836f75c479cc4c26a020740b389968944ce862afbccfd91aa3b19c916e603fde74052993422212772f285e296345e4a628c45002b3e9f04240153dd1330374

  • \Users\Admin\AppData\Local\Temp\HB.exe
    Filesize: 2.8MB
    MD5: 3f9dd912d6f833970e34e99ac80ae8f0
    SHA1: 38cbef846a4d67728c1e90ae91ffb7eb6d4d9442
    SHA256: 9595db47c8f460cdd27b9a4c1b1ac68acdda489ccf867d9495883519950d3ef6
    SHA512: cfdf38bdaacaf396f6e76792f956305da1d5a48b50ae7d4f1113a72ab957e61b320360dbde208613e651ad5f1ea900b6a3140440a6a59e7f11117647954ba938

  • \Users\Admin\AppData\Local\Temp\build.exe
    Filesize: 100KB
    MD5: 129bbd25c68f6dfd3cd3ea812314e848
    SHA1: 5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a
    SHA256: f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e
    SHA512: f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

  • memory/752-64-0x0000000000BC0000-0x0000000000BE0000-memory.dmp
    Filesize: 128KB
  • memory/752-57-0x0000000000000000-mapping.dmp
  • memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp
    Filesize: 8KB
  • memory/1692-61-0x0000000000000000-mapping.dmp
  • memory/1692-65-0x00000000020A0000-0x00000000021AD000-memory.dmp
    Filesize: 1.1MB