poullight | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479

General

Target

ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
Size

5.2MB
MD5

9f67824dedc0e11e50cddb66e307895e
SHA1

dd25ef4977585f1eea01a26604bd92c3fc82a49d
SHA256

ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479
SHA512

6631e0b9cfb5f8f4f1f191462c80eb78b32ac897ec228dcf37ded2d7364aca4f54e6f891bf9c9e1a6d1a1f5fc8fdf64853ead5dd8222f141e436b95063062857

Score

10^/10

poullight spyware stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
behavioral2/memory/4652-136-0x000002B5BC170000-0x000002B5BC18E000-memory.dmp	family_poullight

suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata
Executes dropped EXE 2 IoCs

Processes:

LITEJY_v0.8.0_3.exebuild.exe

pid process

3176 LITEJY_v0.8.0_3.exe
4652 build.exe

pid	process
3176	LITEJY_v0.8.0_3.exe
4652	build.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

LITEJY_v0.8.0_3.exe

pid process

3176 LITEJY_v0.8.0_3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

LITEJY_v0.8.0_3.exebuild.exe

pid process

3176 LITEJY_v0.8.0_3.exe
3176 LITEJY_v0.8.0_3.exe
4652 build.exe
4652 build.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 4652 build.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

LITEJY_v0.8.0_3.exe

pid process

3176 LITEJY_v0.8.0_3.exe
3176 LITEJY_v0.8.0_3.exe
3176 LITEJY_v0.8.0_3.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

LITEJY_v0.8.0_3.exe

pid process

3176 LITEJY_v0.8.0_3.exe
3176 LITEJY_v0.8.0_3.exe
3176 LITEJY_v0.8.0_3.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LITEJY_v0.8.0_3.exe

pid process

3176 LITEJY_v0.8.0_3.exe
3176 LITEJY_v0.8.0_3.exe

pid	process
3176	LITEJY_v0.8.0_3.exe

pid	process
3176	LITEJY_v0.8.0_3.exe
3176	LITEJY_v0.8.0_3.exe
4652	build.exe
4652	build.exe

description	pid	process
Token: SeDebugPrivilege	4652	build.exe

pid	process
3176	LITEJY_v0.8.0_3.exe
3176	LITEJY_v0.8.0_3.exe
3176	LITEJY_v0.8.0_3.exe

pid	process
3176	LITEJY_v0.8.0_3.exe
3176	LITEJY_v0.8.0_3.exe
3176	LITEJY_v0.8.0_3.exe

pid	process
3176	LITEJY_v0.8.0_3.exe
3176	LITEJY_v0.8.0_3.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exeLITEJY_v0.8.0_3.exe

description	pid	process	target process
PID 4632 wrote to memory of 3176	4632	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	LITEJY_v0.8.0_3.exe
PID 4632 wrote to memory of 3176	4632	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	LITEJY_v0.8.0_3.exe
PID 4632 wrote to memory of 3176	4632	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	LITEJY_v0.8.0_3.exe
PID 4632 wrote to memory of 4652	4632	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	build.exe
PID 4632 wrote to memory of 4652	4632	ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe	build.exe
PID 3176 wrote to memory of 4708	3176	LITEJY_v0.8.0_3.exe	cacls.exe
PID 3176 wrote to memory of 4708	3176	LITEJY_v0.8.0_3.exe	cacls.exe
PID 3176 wrote to memory of 4708	3176	LITEJY_v0.8.0_3.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
"C:\Users\Admin\AppData\Local\Temp\ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
"C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Prefetch /e /t /p everyone:N
3⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
Filesize
5.1MB

MD5
3fce64777b22faba14eb427c11e10ec7

SHA1
d775de9ed48e15e26ec5e39f3d8adddc47c0aeb3

SHA256
f35de13d972c6a06c91e0a3241d539e94e7399b8307cfe11a50686a7616ac422

SHA512
96a03a076fa5b689586e7160c1bb6a82a649d060526610b01be172f0b21388d120f3ae0bdd09e2ab61cc0adb8bcb9fc43d6aa6c15307607eb9945ebaa0a153cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
Filesize
5.1MB

MD5
3fce64777b22faba14eb427c11e10ec7

SHA1
d775de9ed48e15e26ec5e39f3d8adddc47c0aeb3

SHA256
f35de13d972c6a06c91e0a3241d539e94e7399b8307cfe11a50686a7616ac422

SHA512
96a03a076fa5b689586e7160c1bb6a82a649d060526610b01be172f0b21388d120f3ae0bdd09e2ab61cc0adb8bcb9fc43d6aa6c15307607eb9945ebaa0a153cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
97KB

MD5
a92fca033f40c9bc9c1ec15947b4913a

SHA1
5cd773bf1ec3889ff4f20788557e9cf924c2206b

SHA256
7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59

SHA512
2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
97KB

MD5
a92fca033f40c9bc9c1ec15947b4913a

SHA1
5cd773bf1ec3889ff4f20788557e9cf924c2206b

SHA256
7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59

SHA512
2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d

Download Submit
memory/3176-130-0x0000000000000000-mapping.dmp

Download
memory/3176-137-0x0000000000400000-0x0000000000F9F000-memory.dmp

Filesize
11.6MB

Download
memory/4652-136-0x000002B5BC170000-0x000002B5BC18E000-memory.dmp

Filesize
120KB

Download
memory/4652-133-0x0000000000000000-mapping.dmp

Download
memory/4652-138-0x00007FFD891E0000-0x00007FFD89CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4652-142-0x000002B5BDCF0000-0x000002B5BDCFA000-memory.dmp

Filesize
40KB

Download
memory/4652-143-0x000002B5D8370000-0x000002B5D8532000-memory.dmp

Filesize
1.8MB

Download
memory/4652-144-0x000002B5D8A70000-0x000002B5D8F98000-memory.dmp

Filesize
5.2MB

Download
memory/4652-145-0x000002B5D75B0000-0x000002B5D75C2000-memory.dmp

Filesize
72KB

Download
memory/4708-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads