poullight | 87eb0ce5d7bb6cec573eea2b2a1fc70d89c346898ea9a7ab526fc7452654bb68

Analysis

max time kernel
0s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader/Loader.exe
Size

3.1MB
MD5

101e969cb9e549d113836856f526d4b5
SHA1

9361431a7d69e92e20f163f10fc5a3b40c27bd0a
SHA256

8cf069c7b965893d12c9df25b24a60594693a158b8209d21f5d7213fc5ed41eb
SHA512

01f858a4c9b329f8696880fbff6b886cfae6e793afb448f79734cb7ea149baeaa3deaeec0bf62a34bfed5f634331ac4d6be7fee971588cba8921d7c41761ba00
SSDEEP

49152:XpFctP0vfTi05cfHQDVaztRT5hvEy87QS6J:XpFWPOCQQd2QSm

Score

10^/10

poullight stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/2424-16-0x0000000000D70000-0x0000000000D90000-memory.dmp	family_poullight
behavioral1/memory/1680-15-0x0000000000400000-0x0000000000720000-memory.dmp	family_poullight
behavioral1/files/0x000b00000001224e-7.dat	family_poullight
behavioral1/files/0x000b00000001224e-3.dat	family_poullight
behavioral1/files/0x000b00000001224e-2.dat	family_poullight

Executes dropped EXE 1 IoCs

pid	Process
2424	build.exe

Loads dropped DLL 2 IoCs

pid	Process
1680	Loader.exe
1680	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2424	1680	Loader.exe	16
PID 1680 wrote to memory of 2424	1680	Loader.exe	16
PID 1680 wrote to memory of 2424	1680	Loader.exe	16
PID 1680 wrote to memory of 2424	1680	Loader.exe	16

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\build.exe

Filesize
100KB

MD5
2b2cda144cda7dd36685a589ccd1b5df

SHA1
fc775128f9285e8cd13af2edfc4fcf4f96e5b7bc

SHA256
41e659e385de92f57df98c0740daeda0162e02414e3bfa82d0f3d3e31bdfe961

SHA512
c362bc2e2d9f07c85c4901b07eb8fa133796708c3afe05fb0a984d95bed3cc283710c203a95360d04fd42cd82c7b4011102335337a6b25171e0d296d61c7df8a

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
92KB

MD5
c65fd5f725c22f5db8d78eb1e21998f4

SHA1
285df78e9c88d3bdff80210500097083333b977d

SHA256
0e748a7d0762418df2ba9d5344a9e79a4f812326c608921d2b0a0c0995c74a8b

SHA512
33c1bf86133b18ccbbd829383fdcb0fadf9c277d8c5e29da352dd9b069305a419f72e03b0e6a1639df534759dffdac0b2b2d35080209fd23790b8bca27d51274

Download Submit
memory/1680-15-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2424-16-0x0000000000D70000-0x0000000000D90000-memory.dmp

Filesize
128KB

Download
memory/2424-21-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2424-20-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-95-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-96-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2756-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2756-19-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2756-97-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download