poullight | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479

General

Target

ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
Size

5.2MB
MD5

9f67824dedc0e11e50cddb66e307895e
SHA1

dd25ef4977585f1eea01a26604bd92c3fc82a49d
SHA256

ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479
SHA512

6631e0b9cfb5f8f4f1f191462c80eb78b32ac897ec228dcf37ded2d7364aca4f54e6f891bf9c9e1a6d1a1f5fc8fdf64853ead5dd8222f141e436b95063062857

Score

10^/10

poullight stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
behavioral1/memory/1116-65-0x0000000000B10000-0x0000000000B2E000-memory.dmp	family_poullight

suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata
Executes dropped EXE 2 IoCs

Processes:

LITEJY_v0.8.0_3.exebuild.exe

pid process

1768 LITEJY_v0.8.0_3.exe
1116 build.exe

pid	process
1768	LITEJY_v0.8.0_3.exe
1116	build.exe

Loads dropped DLL 4 IoCs

Processes:

ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe

pid	process
1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

LITEJY_v0.8.0_3.exe

pid process

1768 LITEJY_v0.8.0_3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

LITEJY_v0.8.0_3.exebuild.exe

pid process

1768 LITEJY_v0.8.0_3.exe
1116 build.exe
1116 build.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 1116 build.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

LITEJY_v0.8.0_3.exe

pid process

1768 LITEJY_v0.8.0_3.exe
1768 LITEJY_v0.8.0_3.exe
1768 LITEJY_v0.8.0_3.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

LITEJY_v0.8.0_3.exe

pid process

1768 LITEJY_v0.8.0_3.exe
1768 LITEJY_v0.8.0_3.exe
1768 LITEJY_v0.8.0_3.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LITEJY_v0.8.0_3.exe

pid process

1768 LITEJY_v0.8.0_3.exe
1768 LITEJY_v0.8.0_3.exe

pid	process
1768	LITEJY_v0.8.0_3.exe

pid	process
1768	LITEJY_v0.8.0_3.exe
1116	build.exe
1116	build.exe

description	pid	process
Token: SeDebugPrivilege	1116	build.exe

pid	process
1768	LITEJY_v0.8.0_3.exe
1768	LITEJY_v0.8.0_3.exe
1768	LITEJY_v0.8.0_3.exe

pid	process
1768	LITEJY_v0.8.0_3.exe
1768	LITEJY_v0.8.0_3.exe
1768	LITEJY_v0.8.0_3.exe

pid	process
1768	LITEJY_v0.8.0_3.exe
1768	LITEJY_v0.8.0_3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exeLITEJY_v0.8.0_3.exe

description	pid	process	target process
PID 1356 wrote to memory of 1768	1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	LITEJY_v0.8.0_3.exe
PID 1356 wrote to memory of 1768	1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	LITEJY_v0.8.0_3.exe
PID 1356 wrote to memory of 1768	1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	LITEJY_v0.8.0_3.exe
PID 1356 wrote to memory of 1768	1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	LITEJY_v0.8.0_3.exe
PID 1356 wrote to memory of 1116	1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	build.exe
PID 1356 wrote to memory of 1116	1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	build.exe
PID 1356 wrote to memory of 1116	1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	build.exe
PID 1356 wrote to memory of 1116	1356	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	build.exe
PID 1768 wrote to memory of 820	1768	LITEJY_v0.8.0_3.exe	cacls.exe
PID 1768 wrote to memory of 820	1768	LITEJY_v0.8.0_3.exe	cacls.exe
PID 1768 wrote to memory of 820	1768	LITEJY_v0.8.0_3.exe	cacls.exe
PID 1768 wrote to memory of 820	1768	LITEJY_v0.8.0_3.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
"C:\Users\Admin\AppData\Local\Temp\ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
"C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Prefetch /e /t /p everyone:N
3⤵
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
Filesize
4.4MB

MD5
e8ac146573780159921b1d49912c5f92

SHA1
0c4dff8234382f36fb9369a91d8496dc73bb42a0

SHA256
b0120d63f54451b62e90c9dc75c9f97ad047c66ccc2e139e82f7be952afc01bb

SHA512
88014e5ef37e89e87b2bf1bb762d15b4de67d4f8ff992cda18f0d5fd7ee6ee6ea681eec56aa9ba7ac8fb8eb1b7a688bb35e5fcc716f7cae687db9204100c76b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
97KB

MD5
a92fca033f40c9bc9c1ec15947b4913a

SHA1
5cd773bf1ec3889ff4f20788557e9cf924c2206b

SHA256
7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59

SHA512
2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
97KB

MD5
a92fca033f40c9bc9c1ec15947b4913a

SHA1
5cd773bf1ec3889ff4f20788557e9cf924c2206b

SHA256
7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59

SHA512
2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d

Download Submit
\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
Filesize
5.1MB

MD5
3fce64777b22faba14eb427c11e10ec7

SHA1
d775de9ed48e15e26ec5e39f3d8adddc47c0aeb3

SHA256
f35de13d972c6a06c91e0a3241d539e94e7399b8307cfe11a50686a7616ac422

SHA512
96a03a076fa5b689586e7160c1bb6a82a649d060526610b01be172f0b21388d120f3ae0bdd09e2ab61cc0adb8bcb9fc43d6aa6c15307607eb9945ebaa0a153cc

Download Submit
\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
Filesize
5.1MB

MD5
3fce64777b22faba14eb427c11e10ec7

SHA1
d775de9ed48e15e26ec5e39f3d8adddc47c0aeb3

SHA256
f35de13d972c6a06c91e0a3241d539e94e7399b8307cfe11a50686a7616ac422

SHA512
96a03a076fa5b689586e7160c1bb6a82a649d060526610b01be172f0b21388d120f3ae0bdd09e2ab61cc0adb8bcb9fc43d6aa6c15307607eb9945ebaa0a153cc

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
97KB

MD5
a92fca033f40c9bc9c1ec15947b4913a

SHA1
5cd773bf1ec3889ff4f20788557e9cf924c2206b

SHA256
7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59

SHA512
2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
97KB

MD5
a92fca033f40c9bc9c1ec15947b4913a

SHA1
5cd773bf1ec3889ff4f20788557e9cf924c2206b

SHA256
7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59

SHA512
2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d

Download Submit
memory/820-70-0x0000000000000000-mapping.dmp

Download
memory/1116-62-0x0000000000000000-mapping.dmp

Download
memory/1116-65-0x0000000000B10000-0x0000000000B2E000-memory.dmp

Filesize
120KB

Download
memory/1356-54-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/1768-57-0x0000000000000000-mapping.dmp

Download
memory/1768-66-0x0000000000400000-0x0000000000F9F000-memory.dmp

Filesize
11.6MB

Download
memory/1768-69-0x0000000000400000-0x0000000000F9F000-memory.dmp

Filesize
11.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads