poullight | 68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a

General

Target

68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe
Size

520KB
MD5

5ba7d69bea5783cb7b6161fe55edfb02
SHA1

c443a1c1d861b436c2542f60746e2ce9e673b7f0
SHA256

68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a
SHA512

a7a845353729ab178a2cbe52f980d14e4a00985225cc5de8f87a9efca17e89c86af63adb3764bb0089aa051e1b9e07ac31a69117c7a3d24e5eb1b2c121057652
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbmbxbNUO+X1Y/eBHCqiQWAEd:U2G/nvxW3Ww0tmbXUHXHiw

Score

10^/10

poullight spyware stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023167-138.dat	family_poullight
behavioral2/files/0x0007000000023167-139.dat	family_poullight
behavioral2/memory/2176-140-0x000001A0C3980000-0x000001A0C39A0000-memory.dmp	family_poullight

Executes dropped EXE 2 IoCs

pid	Process
448	Stealer.sfx.exe
2176	Stealer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Stealer.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2176	Stealer.exe
2176	Stealer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	Stealer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4444	4948	68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe	81
PID 4948 wrote to memory of 4444	4948	68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe	81
PID 4948 wrote to memory of 4444	4948	68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe	81
PID 4444 wrote to memory of 448	4444	cmd.exe	84
PID 4444 wrote to memory of 448	4444	cmd.exe	84
PID 4444 wrote to memory of 448	4444	cmd.exe	84
PID 448 wrote to memory of 2176	448	Stealer.sfx.exe	85
PID 448 wrote to memory of 2176	448	Stealer.sfx.exe	85

C:\Users\Admin\AppData\Local\Temp\68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe
"C:\Users\Admin\AppData\Local\Temp\68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe
    Stealer.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe

Filesize
353KB

MD5
c95fb0b77377c86900271823d1ab5fb3

SHA1
94e8bb91a3556e475d0bcca83008f78bec04d16c

SHA256
1517919c4b3eaf5c1f15a764239cebaf030dff6762a488e48cad89914554aa64

SHA512
7290e825f91cafc82097d38a04dcee720a01851280a776cf8a6259f03d347692090f76f9fc81a67d099d897c2c4c19edf084c385321d0913d431114d956a895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe

Filesize
353KB

MD5
c95fb0b77377c86900271823d1ab5fb3

SHA1
94e8bb91a3556e475d0bcca83008f78bec04d16c

SHA256
1517919c4b3eaf5c1f15a764239cebaf030dff6762a488e48cad89914554aa64

SHA512
7290e825f91cafc82097d38a04dcee720a01851280a776cf8a6259f03d347692090f76f9fc81a67d099d897c2c4c19edf084c385321d0913d431114d956a895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat

Filesize
30B

MD5
b63b38224c3907ee3df33fe2b5e6243a

SHA1
41a656aed88e0e659a12bd9fa2bc24ad3d8a617f

SHA256
c7e9ae03a742323eb9aabef9ef86656106b479f3af10aa3ed1092044f5ffb6a2

SHA512
ae8a0fe5496241e764d36b1e409f3c3432866b901f5d1e86e13e80ee279488d885702ae48066a4a2fc77f298f8e5cb43e1106dec33a77fd22b06e6c149bdba4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe

Filesize
100KB

MD5
bdc4abb8012df11d440f7864153c7f82

SHA1
d1429a0bc97196edbac2a2beb40fc6c8270a0298

SHA256
6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03

SHA512
7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889

Download Submit
memory/2176-140-0x000001A0C3980000-0x000001A0C39A0000-memory.dmp

Filesize
128KB

Download
memory/2176-141-0x00007FFBCE090000-0x00007FFBCEB51000-memory.dmp

Filesize
10.8MB

Download
memory/2176-142-0x000001A0DF020000-0x000001A0DF02A000-memory.dmp

Filesize
40KB

Download
memory/2176-143-0x000001A0E00F0000-0x000001A0E02B2000-memory.dmp

Filesize
1.8MB

Download
memory/2176-144-0x000001A0E07F0000-0x000001A0E0D18000-memory.dmp

Filesize
5.2MB

Download
memory/2176-145-0x000001A0DFF20000-0x000001A0DFF32000-memory.dmp

Filesize
72KB

Download
memory/2176-146-0x00007FFBCE090000-0x00007FFBCEB51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing