poullight | 87eb0ce5d7bb6cec573eea2b2a1fc70d89c346898ea9a7ab526fc7452654bb68

Analysis

max time kernel
0s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader/Loader.exe
Size

3.1MB
MD5

101e969cb9e549d113836856f526d4b5
SHA1

9361431a7d69e92e20f163f10fc5a3b40c27bd0a
SHA256

8cf069c7b965893d12c9df25b24a60594693a158b8209d21f5d7213fc5ed41eb
SHA512

01f858a4c9b329f8696880fbff6b886cfae6e793afb448f79734cb7ea149baeaa3deaeec0bf62a34bfed5f634331ac4d6be7fee971588cba8921d7c41761ba00
SSDEEP

49152:XpFctP0vfTi05cfHQDVaztRT5hvEy87QS6J:XpFWPOCQQd2QSm

Score

10^/10

poullight stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2424-16-0x0000000000D70000-0x0000000000D90000-memory.dmp	family_poullight
behavioral1/memory/1680-15-0x0000000000400000-0x0000000000720000-memory.dmp	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
\Users\Admin\AppData\Local\Temp\build.exe	family_poullight

Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

2424 build.exe
Loads dropped DLL 2 IoCs

Processes:

Loader.exe

pid process

1680 Loader.exe
1680 Loader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2424	build.exe

pid	process
1680	Loader.exe
1680	Loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Loader.exe

description	pid	process	target process
PID 1680 wrote to memory of 2424	1680	Loader.exe	build.exe
PID 1680 wrote to memory of 2424	1680	Loader.exe	build.exe
PID 1680 wrote to memory of 2424	1680	Loader.exe	build.exe
PID 1680 wrote to memory of 2424	1680	Loader.exe	build.exe

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\build.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
100KB

MD5
2b2cda144cda7dd36685a589ccd1b5df

SHA1
fc775128f9285e8cd13af2edfc4fcf4f96e5b7bc

SHA256
41e659e385de92f57df98c0740daeda0162e02414e3bfa82d0f3d3e31bdfe961

SHA512
c362bc2e2d9f07c85c4901b07eb8fa133796708c3afe05fb0a984d95bed3cc283710c203a95360d04fd42cd82c7b4011102335337a6b25171e0d296d61c7df8a

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
92KB

MD5
c65fd5f725c22f5db8d78eb1e21998f4

SHA1
285df78e9c88d3bdff80210500097083333b977d

SHA256
0e748a7d0762418df2ba9d5344a9e79a4f812326c608921d2b0a0c0995c74a8b

SHA512
33c1bf86133b18ccbbd829383fdcb0fadf9c277d8c5e29da352dd9b069305a419f72e03b0e6a1639df534759dffdac0b2b2d35080209fd23790b8bca27d51274

Download Submit
memory/1680-15-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2424-16-0x0000000000D70000-0x0000000000D90000-memory.dmp

Filesize
128KB

Download
memory/2424-21-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2424-20-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-95-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-96-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2756-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2756-19-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2756-97-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download