poullight | 87eb0ce5d7bb6cec573eea2b2a1fc70d89c346898ea9a7ab526fc7452654bb68

Analysis

max time kernel
0s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader/Loader.exe
Size

3.1MB
MD5

101e969cb9e549d113836856f526d4b5
SHA1

9361431a7d69e92e20f163f10fc5a3b40c27bd0a
SHA256

8cf069c7b965893d12c9df25b24a60594693a158b8209d21f5d7213fc5ed41eb
SHA512

01f858a4c9b329f8696880fbff6b886cfae6e793afb448f79734cb7ea149baeaa3deaeec0bf62a34bfed5f634331ac4d6be7fee971588cba8921d7c41761ba00
SSDEEP

49152:XpFctP0vfTi05cfHQDVaztRT5hvEy87QS6J:XpFWPOCQQd2QSm

Score

10^/10

poullight stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
behavioral1/memory/2124-15-0x0000000000400000-0x0000000000720000-memory.dmp	family_poullight
behavioral1/memory/2360-17-0x0000000000820000-0x0000000000840000-memory.dmp	family_poullight
\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight

Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

2360 build.exe
Loads dropped DLL 2 IoCs

Processes:

Loader.exe

pid process

2124 Loader.exe
2124 Loader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2360	build.exe

pid	process
2124	Loader.exe
2124	Loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Loader.exe

description	pid	process	target process
PID 2124 wrote to memory of 2360	2124	Loader.exe	build.exe
PID 2124 wrote to memory of 2360	2124	Loader.exe	build.exe
PID 2124 wrote to memory of 2360	2124	Loader.exe	build.exe
PID 2124 wrote to memory of 2360	2124	Loader.exe	build.exe

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Loader.exe
Filesize
16KB

MD5
e2517123bcbc13b9dca5ca28d15813e6

SHA1
51481f1de39f5516a4faa395ac1fc51483811764

SHA256
345a4125bdb2289c5d38d381c83ba514566b624f6127ecba2ad1eac551ec0522

SHA512
d6e6bac8995ca18bcf23323d2077a715cc88c37be8192e441b5530120187a8bf96041257118cee3b613c3c2b78582b2fbffae64a9092ba9059c4cbbe0835ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe
Filesize
85KB

MD5
7795e0a6045d9d1bbfc1c829ae018bc4

SHA1
a1ec44681a8eb5f4d1ca5a2a926356d2ecaa92e7

SHA256
abfaa2a579933be906a69d3add6df54eda0bda610b92783600af2e314bd536a8

SHA512
b588b1c07bf41935750f7d815f8db57c56a328501116c4e8712ba0ef31ac582fcbd67a379f284998ecba5c96eb62019e2d68790a69a60cbe1b5a247d48ca2ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
68KB

MD5
0aa86218a23526ef93d27008da37bb5a

SHA1
09599a7b2d1430a03a2c15991ea186f758a64ce0

SHA256
27c1b979ca7eca39a748cecf3986709f200a95b971495c0f51c79bdc1a6f5f04

SHA512
aab3207d2f74932df73367c9efb06faecdf72ebe9e25e569d0304b9454c8b35e6b835e78978bf8d7333cdccf0ba2f98373cc80c39cbfc0687ba63e61671afce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
49KB

MD5
830d6eb4b18c904cd5a879eb8a8fc869

SHA1
8a04f14f3e65f106cd39ce238dd0abb746faa43a

SHA256
d7399aa129bed587238cf72d827f6cabbbf5fbd88f578877f395781c064f3bb9

SHA512
6c65c85f509f3546b984c1ba61e840da0d0013d9df05ccfe2739a09d1d5943028734bbb91c9a6c672a68da74d9c677074f30d5b04bd5689a0b3f63047144d38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
85KB

MD5
3e91cd45d52196d9b9c07fe0217c0460

SHA1
6c07d3d7e7dcb3a1b6e95452431c97b859a123ae

SHA256
96ed3960cc1c636674de639d1ad332bc4caa6f819c266ac3b4c7bc70233deaba

SHA512
2e997418612a0ec6b3c6bdb4b7db65c8899d5249bb2c90f0dae99e967c92cbeb8896f21a5acad3f06f121a4d7dbe56a5878f0140c847be576e3c3ad0a5bad275

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5xg-5o3miw773gk028e
Filesize
8KB

MD5
53b83adfc48fcd689636a0ad39aaf93a

SHA1
cae67acc61345c192a66aa5f522d0e94be76bbe8

SHA256
06f1722c103f75569ca87d0abf2859e1214e24816e83beed333542ab73663ea1

SHA512
ba0971032cdc4432acb17ea2bebd6b77e78288ce521830dd111562549f3451bcc85b93c5f952d2cf127918123c2de447afa68e886bcf2e8a27150712f9f47f75

Download Submit
\Users\Admin\AppData\Local\Temp\Loader.exe
Filesize
96KB

MD5
20dc1c1b7fc46743a4949956e66af244

SHA1
b1337b9cf88d093e5270867788b518f7b680684e

SHA256
1f4898e301cc490fe195e8a5f113c630a1fc37fb94b9faf29cc32bc028ea7c92

SHA512
fd3dcfc2a483f65dae811678975c34bb87546b57dcd435dcaf5cc3e9a7a1eae948e8acd396bac69f56901738bb069a17dcce4b29a3d5a6551f1ddfce251a68e3

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
24KB

MD5
ef0a60643c147c8771b90e7efa064baa

SHA1
bf4fba360690cefb08349f4a63d8efd1f6a098ef

SHA256
3d7c82e8b3714bf34f67a36d2c76c33d4b1f0fed8584138d3f154b8d2b0e6278

SHA512
2626df6087337a0e7c8e7fb31175910c6fa312e46e6e89e6f99a4ba3663448a2dbff3fb241c200aa2afe165b5322dc5429a540998384087d7a8c1578b66b0618

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
22KB

MD5
7b7a047bfa5119ea9f4e21ea0155f537

SHA1
aeb0a83e30bca04e85b505148849a97327bf3e08

SHA256
33024b380b65cc2e217887ca4131b5efb7465aff6b8b7ee96edeb1f616a32413

SHA512
532b10202474b224b4e785470d745df555cc703ec75e2b97a3f06f88d088b64ac23a0468fa52296621e94c72c766620d5e65aaae704e8562a9981040f2342b63

Download Submit
memory/2124-15-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2360-21-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2360-20-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-45-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-46-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/2360-17-0x0000000000820000-0x0000000000840000-memory.dmp

Filesize
128KB

Download
memory/2744-19-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download