Overview

overview

10

Static

static

10

ec77d58c6a...79.exe

windows7_x64

10

ec77d58c6a...79.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479

  • Size

    5.2MB

  • Sample

    220525-aqx2aadab2

  • MD5

    9f67824dedc0e11e50cddb66e307895e

  • SHA1

    dd25ef4977585f1eea01a26604bd92c3fc82a49d

  • SHA256

    ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479

  • SHA512

    6631e0b9cfb5f8f4f1f191462c80eb78b32ac897ec228dcf37ded2d7364aca4f54e6f891bf9c9e1a6d1a1f5fc8fdf64853ead5dd8222f141e436b95063062857

Score
10/10
poullightspywarestealersuricatatrojan

Malware Config

Targets

    • Target

      ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479

    • Size

      5.2MB

    • MD5

      9f67824dedc0e11e50cddb66e307895e

    • SHA1

      dd25ef4977585f1eea01a26604bd92c3fc82a49d

    • SHA256

      ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479

    • SHA512

      6631e0b9cfb5f8f4f1f191462c80eb78b32ac897ec228dcf37ded2d7364aca4f54e6f891bf9c9e1a6d1a1f5fc8fdf64853ead5dd8222f141e436b95063062857

    Score
    10/10
    poullightstealersuricatatrojanspyware

    • Poullight

      Poullight is an information stealer first seen in March 2020.

      trojanstealerpoullight

    • Poullight Stealer Payload

    • suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed

      suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • suricata: ET MALWARE Win32/X-Files Stealer Activity

      suricata: ET MALWARE Win32/X-Files Stealer Activity

      suricata

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks