poullight | 265cf03cb735b976fa1ad587bdc35f0bddfc00f92455c9b804f01468a7e51c66

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10/01/2023, 02:39

Target

265cf03cb735b976fa1ad587bdc35f0bddfc00f92455c9b804f01468a7e51c66.exe
Size

100KB
MD5

083119acb60804c6150d895d133c445a
SHA1

b4ea74a0a0afe272478dc50a61925554d1638ea4
SHA256

265cf03cb735b976fa1ad587bdc35f0bddfc00f92455c9b804f01468a7e51c66
SHA512

075ecf257f97de8044189fefa6fb002211f8c2430fe488d6d12bdde514f932c4c316b1d9935179debf9f788203bbc0cd8b1172ea07e0aa40dc530ba6acb02a3b
SSDEEP

1536:mJv5McKmdnrc4TXNPx1vZD8qlIGrUZ5Bx5MlD7wOHUN4ZKNJf:mJeunoMXN1I+E5B/M2O0OgF

Score

10^/10

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/1764-54-0x0000000000A40000-0x0000000000A60000-memory.dmp	family_poullight

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1764	265cf03cb735b976fa1ad587bdc35f0bddfc00f92455c9b804f01468a7e51c66.exe
1764	265cf03cb735b976fa1ad587bdc35f0bddfc00f92455c9b804f01468a7e51c66.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	265cf03cb735b976fa1ad587bdc35f0bddfc00f92455c9b804f01468a7e51c66.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1764-54-0x0000000000A40000-0x0000000000A60000-memory.dmp

Filesize
128KB

Download