poullight | 87eb0ce5d7bb6cec573eea2b2a1fc70d89c346898ea9a7ab526fc7452654bb68

General

Target

Loader/Loader.exe
Size

3.1MB
MD5

101e969cb9e549d113836856f526d4b5
SHA1

9361431a7d69e92e20f163f10fc5a3b40c27bd0a
SHA256

8cf069c7b965893d12c9df25b24a60594693a158b8209d21f5d7213fc5ed41eb
SHA512

01f858a4c9b329f8696880fbff6b886cfae6e793afb448f79734cb7ea149baeaa3deaeec0bf62a34bfed5f634331ac4d6be7fee971588cba8921d7c41761ba00
SSDEEP

49152:XpFctP0vfTi05cfHQDVaztRT5hvEy87QS6J:XpFWPOCQQd2QSm

Score

10^/10

poullight stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
behavioral2/memory/3400-23-0x0000000000400000-0x0000000000720000-memory.dmp	family_poullight
behavioral2/memory/996-14-0x00000160EC700000-0x00000160EC720000-memory.dmp	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe"
1⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Loader.exe
Filesize
1KB

MD5
acc82b6304451ddecb88c254a5f07e29

SHA1
1bb2daeb208aa9edcac9efe1c9a8475d2aac6a53

SHA256
1ca43391de852265f8e01e623227d0245f6a338e9057f159c4a6b6877b1ff118

SHA512
ec3bb0d15b58850756a982ad0e28a804fbe2079a5d35fc0eb5c955e2a44e39b6fd28832a41b562c035cae4076cd89c40e8308f717e14a65c193523b3ccdf81df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe
Filesize
32KB

MD5
8c9ffb1db3075f9d352aa4330aeba1e4

SHA1
a1f5fd0b6790657ae48f8529725422c66f3c4f09

SHA256
82bf69d34e17352ec522e1dd095c7b482557830a6c3c376cdcb800a560f8354e

SHA512
a98fb72c06447ffab6d541136ea28117d961b92f0048eb24242b212afb4ff582a2e316884ceec072a2644f0a4c378b80fa2fcf0e288980fc59f5d37ac2ec2ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe
Filesize
32KB

MD5
4bc73ad3a3960713f43249362d1cd069

SHA1
496bd738ae06f35eb1bdb858c5706443ef7fa690

SHA256
7df169ca30084ab9abf95cfbe0b549240d27c607ec66b5433f677a8bfae1d11a

SHA512
9450f15cf93ceee7e7d051623caeee45c60e558ea857ac7504cb2a3886d3f371a76e48989f0d0c1ef0caf907813f469f85208cd1bb660e6b834d5158e0bc7916

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
41KB

MD5
c0154cccb7273d3598fcc58eb45fff9b

SHA1
a95c6d0774ed5b82896e89bce6500771be8cde80

SHA256
7e2cc5ab3da80625aefc4a2fe77524265b19fe1d7ebe1f3e27f67cb2af92fe44

SHA512
22c159c0ea1e4e8b61f1915950dd2694e1ec41b817e8ccfa7c822e397c704087c01356861dd2b9ae66021e72d45a0348fe5db1f3d2898e9b01f8b497e8117418

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
30KB

MD5
f992454bcc86fafae0b01687fce89731

SHA1
1a2764155647eaac66b50bef59c0bd632a4ca511

SHA256
019c779135aa41d1eddaffd73d18f1ca4d7edc086aca407617525b061e728d3e

SHA512
59acf10c725e52f0b5a67345234ed8670db4e0dedb525336ad2708ae7091398efae6b26bb4d1c599ec0f33b588a06e29dd70435740a3de31d3c07ac2ed92d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
17KB

MD5
1fc336f47b24ea0732c80d8756efa2f1

SHA1
d3cc8a94d9ca9c343b150b305316e5f5e83c610a

SHA256
dec84dd05a45c4cf62f3d45bcf88396076e79ff01e62606fddda1eb1e9a4dff5

SHA512
1a861814745e482666cbe5ac56bdb2fec1fcfeae3505aa2e0f6c745a5d149e21b2d46c6a3b61ff370a72aee9c66d012eb603f751186c3108dfbed655f9d41e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5thjn4owslh8oudc333-ngx1
Filesize
23KB

MD5
a7d157f0b9eb4813c82cd0cb14910ad5

SHA1
4608328414b39fdb0bd4529cac0fca640b47a87d

SHA256
d83dcc287f054204a007d637b933082218f0965af08f6b563171d9a6740a09ab

SHA512
3c6e49a773e7a7dec67d750e5349f8ea76db46e6baaba89ae9a01ef3a97c06b139823b3c8410f57b5bbc88d7d4c83c7e2c84e71fb5c9a88bf69c10a8d1e87d21

Download Submit
memory/996-59-0x00000160F01F0000-0x00000160F0718000-memory.dmp

Filesize
5.2MB

Download
memory/996-74-0x00000160EF940000-0x00000160EF952000-memory.dmp

Filesize
72KB

Download
memory/996-14-0x00000160EC700000-0x00000160EC720000-memory.dmp

Filesize
128KB

Download
memory/996-107-0x00000160EED10000-0x00000160EED20000-memory.dmp

Filesize
64KB

Download
memory/996-106-0x00007FFA9E630000-0x00007FFA9F0F1000-memory.dmp

Filesize
10.8MB

Download
memory/996-30-0x00000160EE460000-0x00000160EE46A000-memory.dmp

Filesize
40KB

Download
memory/996-55-0x00000160EEE20000-0x00000160EEFC9000-memory.dmp

Filesize
1.7MB

Download
memory/996-56-0x00000160EFAF0000-0x00000160EFCB2000-memory.dmp

Filesize
1.8MB

Download
memory/996-27-0x00000160EED10000-0x00000160EED20000-memory.dmp

Filesize
64KB

Download
memory/996-105-0x00000160EEE20000-0x00000160EEFC9000-memory.dmp

Filesize
1.7MB

Download
memory/996-24-0x00007FFA9E630000-0x00007FFA9F0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2332-28-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2332-26-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/3400-23-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing