poullight | 2bd1cc1d9e1483c9d476331be8457cdef8cb445f8d20830fe299403e1233bb54

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 06:06

Target

69ad94630f3e0bf328ddee4b54e3f057.exe
Size

100KB
MD5

69ad94630f3e0bf328ddee4b54e3f057
SHA1

f52288dc5df0e42091a7ae7ea71564ce03ea0607
SHA256

2bd1cc1d9e1483c9d476331be8457cdef8cb445f8d20830fe299403e1233bb54
SHA512

59311a90b6cf057d8e7eebda421614c23f404347f346f78055aa6c0e15d97053cdbea550dbea090a99d931dc83800f6a32c5a6fe9a87020210d290e4386f18c7
SSDEEP

1536:mJv5McKmdnrc4TXN/x1vZD8ql6GrUZ5Bx5MlD7wOHUN4ZKNJf:mJeunoMXNF6+E5B/M2O0OgF

Score

10^/10

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3204-0-0x000001B539E30000-0x000001B539E50000-memory.dmp	family_poullight
behavioral2/memory/3204-2-0x000001B554430000-0x000001B554440000-memory.dmp	family_poullight

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

69ad94630f3e0bf328ddee4b54e3f057.exe

pid process

3204 69ad94630f3e0bf328ddee4b54e3f057.exe
3204 69ad94630f3e0bf328ddee4b54e3f057.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

69ad94630f3e0bf328ddee4b54e3f057.exe

description pid process

Token: SeDebugPrivilege 3204 69ad94630f3e0bf328ddee4b54e3f057.exe

pid	process
3204	69ad94630f3e0bf328ddee4b54e3f057.exe
3204	69ad94630f3e0bf328ddee4b54e3f057.exe

description	pid	process
Token: SeDebugPrivilege	3204	69ad94630f3e0bf328ddee4b54e3f057.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Users\Admin\AppData\Local\Temp\ox7zp49a
Filesize
92KB

MD5
3b87ceaf0a845ffa33aeb887bc115c3b

SHA1
2f758ad4812f4e3b3d6318849455e59ebdafbfb8

SHA256
4273431417b41b1abab9a6ed93e6220be0b1d1c97ef5176806132b173d78f9ba

SHA512
32f7b10f4f0da7ee2217ae4ef0d95cee30ec1dd477f1efc07d933c29a0345fb46339f29a08e9c3bd30ef4b756ecfefac971eddf742f73b05b99aebabd1177096

Download Submit
memory/3204-0-0x000001B539E30000-0x000001B539E50000-memory.dmp

Filesize
128KB

Download
memory/3204-1-0x00007FFEC18C0000-0x00007FFEC2381000-memory.dmp

Filesize
10.8MB

Download
memory/3204-2-0x000001B554430000-0x000001B554440000-memory.dmp

Filesize
64KB

Download
memory/3204-4-0x000001B53A2B0000-0x000001B53A2BA000-memory.dmp

Filesize
40KB

Download
memory/3204-29-0x000001B5554C0000-0x000001B555682000-memory.dmp

Filesize
1.8MB

Download
memory/3204-32-0x000001B555BC0000-0x000001B5560E8000-memory.dmp

Filesize
5.2MB

Download
memory/3204-48-0x000001B5543C0000-0x000001B5543D2000-memory.dmp

Filesize
72KB

Download
memory/3204-79-0x00007FFEC18C0000-0x00007FFEC2381000-memory.dmp

Filesize
10.8MB

Download
memory/3204-80-0x000001B554430000-0x000001B554440000-memory.dmp

Filesize
64KB

Download