poullight | f27893a397e299561cd5aae7d4598aa2623fedb3155f6003c111126599887bb4 | Triage

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 23:35

Sharing

Report Analysis Logs

General

Target

439442042b8f97837925b5a858b7fb3e.exe
Size

213KB
MD5

439442042b8f97837925b5a858b7fb3e
SHA1

0a524b97d4e1e1b0407a1348c154877964470de2
SHA256

f27893a397e299561cd5aae7d4598aa2623fedb3155f6003c111126599887bb4
SHA512

fd0297f321b3b35a9eabd0dda667fe65ff07a800baf9109c1aeb3443ee210bb22b4c6e9ff5106ff4b720f51138e0240a8a9baf176053954c6c6715a0ac10d525
SSDEEP

6144:FOmaqXgRvpbQda7JumO8U7UFyiEf4DFXXfARSLZVn:FpQnJuJh7UFIf4RLZ

Score

10^/10

poullight stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/1932-0-0x0000000001070000-0x00000000010AC000-memory.dmp	family_poullight

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1932	439442042b8f97837925b5a858b7fb3e.exe
1932	439442042b8f97837925b5a858b7fb3e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	439442042b8f97837925b5a858b7fb3e.exe

C:\Users\Admin\AppData\Local\Temp\439442042b8f97837925b5a858b7fb3e.exe
"C:\Users\Admin\AppData\Local\Temp\439442042b8f97837925b5a858b7fb3e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-0-0x0000000001070000-0x00000000010AC000-memory.dmp

Filesize
240KB

Download
memory/1932-1-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/1932-2-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/1932-7-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download