MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4745b5f9bfe8d186e060f51f555a6544e35a3c99314143ac87c6ff475f1f6b25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Poullight


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4745b5f9bfe8d186e060f51f555a6544e35a3c99314143ac87c6ff475f1f6b25
SHA3-384 hash: 25e6091839e2bbf4fc138327e6734f1603f7b1e0d43a7689f36e9490ae5d38d7809465326db1794a94fa959d2d390a0a
SHA1 hash: dfbc71dc463569956c95a5a139ed632a13a94c46
MD5 hash: 6611eb9a48a19fab4eab22de21f42d19
humanhash: foxtrot-fillet-march-winter
File name:6611eb9a48a19fab4eab22de21f42d19.exe
Download: download sample
Signature Poullight
Create hunting rule
File size:1'199'408 bytes
First seen:2021-03-17 08:21:11 UTC
Last seen:2021-03-17 10:43:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:ChuViC0dCTJaaMxr3KtfBSJV4RCZS34UfNS34Uf:ChKi70a93ySH4RCks
Threatray 14 similar samples on MalwareBazaar
TLSH 854542277EDB100DBB6FA50C3DB691394AA97205E2DB993B9CB74AD3A32710467CCD04
Reporter abuse_ch
Tags:exe Poullight signed

Code Signing Certificate

Organisation:Invincea, Inc.
Issuer:DigiCert High Assurance Code Signing CA-1
Algorithm:sha1WithRSAEncryption
Valid from:2018-01-05T00:00:00Z
Valid to:2019-12-31T12:00:00Z
Serial number: 0be3f393d1ef0272aed0e2319c1b5dd0
Intelligence: 19 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b88acbbee18f369f37cef087fabc3473805bf9fa75f591070a1c1c779d35741b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6611eb9a48a19fab4eab22de21f42d19.exe
Verdict:
Malicious activity
Analysis date:
2021-03-17 08:40:09 UTC
Tags:
stealer poullight trojan
Link:
https://app.any.run/tasks/2fa176ef-6455-4a60-858b-0194b1003d2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.530.7697.28939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a file
Reading critical registry keys
Deleting a recently created file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/641883
Signature
Found C&C like URL pattern
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4745b5f9bfe8d186e060f51f555a6544e35a3c99314143ac87c6ff475f1f6b25/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-02-04 02:28:55 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 47 (59.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5c3l6n75diynyda6upvkwtfitrvupezgfauhlehy37uoxy7nmsq._file
Verdict:
unknown
Similar samples:
0920951a2739c975661a70c9a7532d65a0abe3d8cee5d476af53b2b60cb63bd3
Poullight
1ef6094514b3aeb5b99aa24f1ac9297004fbd7fc509171e3e501e5effad6ecfe
Poullight
481bf324192405f2b1c59092c3c207f12d16ac0ab47e7eef304fcf401a2ed2cf
Poullight
4fbea091009ae3c79eae3794ef4477055b3e8902e08a8565ef25f90489a2f08c
Poullight
4fcb20f32c0c827e9f3977a2874dd0acc7163dedcddf56004e03a38a53d720f9
Poullight
7e7076c3ea0c14873923567195208738da17678b03c1bbc5d10a80c3570b26b3
Poullight
d6f4a9224a002a3e247cd5453775f721fc6a040db9df38e59cd4d9575222ffac
Poullight
e7a22df0c1bc6cfe128d8b80ff9dedf0e16795202d3fcb407784663653035152
Poullight
f04d5b287971f60d5f04b262f3714a790b7d7c9b591ab88faa1d1f5244792d09
Poullight
fb1c77156c32d3643f2b21550110a48c3bbf869d2f0aa099b7400646e1fcaeb5
Poullight
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210317-7z5txwznvx/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
90d2a90a077cccb4cb6f5255459b6aa397d080e7fb3b7b95f3e409710178a0fb
MD5 hash:
c0db02419efc353e6955d730ec90fd24
SHA1 hash:
7bea19e141ceb217c016bb7a536946f36f27dcac
Detections:
win_poulight_stealer_w0
Create hunting rule
Link:
https://www.unpac.me/results/247c1e25-61fe-455a-894e-e9b8c8b7dba5/
SH256 hash:
20d3ac54795e54231413a1e7a2bc0e5b0e7b42612a50ac1e60f5572ae3db80f6
MD5 hash:
7e163a61dd6c6588e43c892b8033fc34
SHA1 hash:
ba2d4c67b550e2fa677d8a23d1ec5ad39a7df43f
Link:
https://www.unpac.me/results/247c1e25-61fe-455a-894e-e9b8c8b7dba5/
SH256 hash:
4745b5f9bfe8d186e060f51f555a6544e35a3c99314143ac87c6ff475f1f6b25
MD5 hash:
6611eb9a48a19fab4eab22de21f42d19
SHA1 hash:
dfbc71dc463569956c95a5a139ed632a13a94c46
Link:
https://www.unpac.me/results/247c1e25-61fe-455a-894e-e9b8c8b7dba5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4745b5f9bfe8d186e060f51f555a6544e35a3c99314143ac87c6ff475f1f6b25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:MALWARE_Win_Poullight
Create hunting rule
Author:ditekSHen
Description:Detects Poullight infostealer
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_poulight_stealer_w0
Create hunting rule
Author:James_inthe_box
Description:Poullight stealer
Reference:https://app.any.run/tasks/d9e4933b-3229-4cb4-84e6-c45a336b15be/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Poullight

Executable exe 4745b5f9bfe8d186e060f51f555a6544e35a3c99314143ac87c6ff475f1f6b25

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1072588/
  
Delivery method
Distributed via web download

Comments