MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0506ded11587b16b9941bc4bf0748f6266f7a463f832a193596cb73cc176063e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Poullight


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0506ded11587b16b9941bc4bf0748f6266f7a463f832a193596cb73cc176063e
SHA3-384 hash: b38d09672b607e1aa7f81d172d9e3d37a618cab715285105b09d406f8460839746d19d2d67e05f103fbcd215c4f30319
SHA1 hash: 0105cc75ca7e92d848015757715cedc0d0fa0ea7
MD5 hash: 315e0ad57c0807ecacf08d749db0dc29
humanhash: fillet-fish-pennsylvania-delaware
File name:315e0ad57c0807ecacf08d749db0dc29.exe
Download: download sample
Signature Poullight
Create hunting rule
File size:1'085'440 bytes
First seen:2021-05-11 07:13:14 UTC
Last seen:2021-05-11 08:19:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cMMPSCM2sUzMmFC5fFCC/TVTbiZJ14LM1t9OMHfCd7tur0Z:cFeutC/TV+4MTAi
Threatray 495 similar samples on MalwareBazaar
TLSH BE35D48631ECE596D016ADB8C85BD7F33392DCAB8B42E74330ACF55A646779AC50340B
Reporter abuse_ch
Tags:exe Poullight

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Poullight
Create hunting rule
Link:
https://www.capesandbox.com/analysis/154898/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36588425.1164.14124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Poullight
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/778348
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Poullight Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0506ded11587b16b9941bc4bf0748f6266f7a463f832a193596cb73cc176063e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 14:32:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
24 of 47 (51.06%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
04d5ba1a9911aa253eac5cbce5c3b2368687e1d61c5da4adf12209ef0d427a76
Poullight
4fd8043497a01b058aabf09d40deedfa6ca485796e1c1e62b1b404931ad83056
Poullight
542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def
Poullight
5480340b2822c69c55e9ba2251adc3efb3a258894fd4581e836268275501cfa3
Poullight
719604b516f11740266b2c7a8a61129f779caf4c1f9e16bac35d39f5792a009b
Poullight
7267a3c9d92f8bb7d87be0415df93365de22b6d78f822b590c7160ad5349e2f1
Poullight
73b77bdd8bc6a9970ee92c82221d492a3fa91db8c1ccd09c48fcf732c81f459f
Poullight
7f9e67eccc7ea11e2c8b3ff703a10b8f21f02e6d737a8d363946840de3355700
Poullight
90f47fd06de01a77ccb2ab550f369454cd837bf5694707e96c636dfa0eec1b90
Poullight
c79c207fbde525a5b0aee8317bb5d3734b18a24f664501b57abc6eca3b41c01d
Poullight
+ 485 additional samples on MalwareBazaar
Result
Malware family:
poullight
Create hunting rule
Score:
  10/10
Tags:
family:poullight spyware stealer trojan
Link:
https://tria.ge/reports/210511-rzcsaqpxd2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Poullight
Poullight Stealer Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0506ded11587b16b9941bc4bf0748f6266f7a463f832a193596cb73cc176063e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Poullight

Executable exe 0506ded11587b16b9941bc4bf0748f6266f7a463f832a193596cb73cc176063e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/154898/
  
URLhaus
https://urlhaus.abuse.ch/url/1219513/
  
Delivery method
Distributed via web download

Comments