poullight | 68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a

Analysis

max time kernel
149s
max time network
182s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/01/2023, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe
Size

520KB
MD5

5ba7d69bea5783cb7b6161fe55edfb02
SHA1

c443a1c1d861b436c2542f60746e2ce9e673b7f0
SHA256

68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a
SHA512

a7a845353729ab178a2cbe52f980d14e4a00985225cc5de8f87a9efca17e89c86af63adb3764bb0089aa051e1b9e07ac31a69117c7a3d24e5eb1b2c121057652
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbmbxbNUO+X1Y/eBHCqiQWAEd:U2G/nvxW3Ww0tmbXUHXHiw

Score

10^/10

poullight spyware stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 8 IoCs

resource	yara_rule
behavioral1/files/0x00070000000142d7-62.dat	family_poullight
behavioral1/files/0x00070000000142d7-66.dat	family_poullight
behavioral1/files/0x00070000000142d7-65.dat	family_poullight
behavioral1/files/0x00070000000142d7-64.dat	family_poullight
behavioral1/files/0x00070000000142d7-63.dat	family_poullight
behavioral1/files/0x00070000000142d7-68.dat	family_poullight
behavioral1/files/0x00070000000142d7-69.dat	family_poullight
behavioral1/memory/1920-70-0x0000000000CD0000-0x0000000000CF0000-memory.dmp	family_poullight

Executes dropped EXE 2 IoCs

pid	Process
516	Stealer.sfx.exe
1920	Stealer.exe

Loads dropped DLL 6 IoCs

pid	Process
952	cmd.exe
516	Stealer.sfx.exe
516	Stealer.sfx.exe
516	Stealer.sfx.exe
516	Stealer.sfx.exe
516	Stealer.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1920	Stealer.exe
1920	Stealer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	Stealer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 952	1712	68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe	28
PID 1712 wrote to memory of 952	1712	68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe	28
PID 1712 wrote to memory of 952	1712	68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe	28
PID 1712 wrote to memory of 952	1712	68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe	28
PID 952 wrote to memory of 516	952	cmd.exe	30
PID 952 wrote to memory of 516	952	cmd.exe	30
PID 952 wrote to memory of 516	952	cmd.exe	30
PID 952 wrote to memory of 516	952	cmd.exe	30
PID 516 wrote to memory of 1920	516	Stealer.sfx.exe	31
PID 516 wrote to memory of 1920	516	Stealer.sfx.exe	31
PID 516 wrote to memory of 1920	516	Stealer.sfx.exe	31
PID 516 wrote to memory of 1920	516	Stealer.sfx.exe	31

C:\Users\Admin\AppData\Local\Temp\68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe
"C:\Users\Admin\AppData\Local\Temp\68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe
    Stealer.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe

Filesize
353KB

MD5
c95fb0b77377c86900271823d1ab5fb3

SHA1
94e8bb91a3556e475d0bcca83008f78bec04d16c

SHA256
1517919c4b3eaf5c1f15a764239cebaf030dff6762a488e48cad89914554aa64

SHA512
7290e825f91cafc82097d38a04dcee720a01851280a776cf8a6259f03d347692090f76f9fc81a67d099d897c2c4c19edf084c385321d0913d431114d956a895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe

Filesize
353KB

MD5
c95fb0b77377c86900271823d1ab5fb3

SHA1
94e8bb91a3556e475d0bcca83008f78bec04d16c

SHA256
1517919c4b3eaf5c1f15a764239cebaf030dff6762a488e48cad89914554aa64

SHA512
7290e825f91cafc82097d38a04dcee720a01851280a776cf8a6259f03d347692090f76f9fc81a67d099d897c2c4c19edf084c385321d0913d431114d956a895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat

Filesize
30B

MD5
b63b38224c3907ee3df33fe2b5e6243a

SHA1
41a656aed88e0e659a12bd9fa2bc24ad3d8a617f

SHA256
c7e9ae03a742323eb9aabef9ef86656106b479f3af10aa3ed1092044f5ffb6a2

SHA512
ae8a0fe5496241e764d36b1e409f3c3432866b901f5d1e86e13e80ee279488d885702ae48066a4a2fc77f298f8e5cb43e1106dec33a77fd22b06e6c149bdba4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe

Filesize
353KB

MD5
c95fb0b77377c86900271823d1ab5fb3

SHA1
94e8bb91a3556e475d0bcca83008f78bec04d16c

SHA256
1517919c4b3eaf5c1f15a764239cebaf030dff6762a488e48cad89914554aa64

SHA512
7290e825f91cafc82097d38a04dcee720a01851280a776cf8a6259f03d347692090f76f9fc81a67d099d897c2c4c19edf084c385321d0913d431114d956a895f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
memory/1712-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1920-70-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

Filesize
128KB

Download