MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fc66f244e022341520c4af91172ec3833c36b95624ee5c510086cd8d71db7ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Poullight


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fc66f244e022341520c4af91172ec3833c36b95624ee5c510086cd8d71db7ae
SHA3-384 hash: 472fd6f6d100075287a3f2b7355ba310d3db25461df895e2280d321383e5a6913651b306ef5e65deab431ab6343e60e5
SHA1 hash: 7a2b094329f369ff5a67971c3a71c46775e93000
MD5 hash: 5ba895fb23729ffbb001e5dfe74aa132
humanhash: tennis-harry-alanine-magazine
File name:eufive_20210816-144801
Download: download sample
Signature Poullight
Create hunting rule
File size:494'080 bytes
First seen:2021-08-16 17:05:32 UTC
Last seen:2021-08-16 18:15:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:+nWE9iozOsxqki5B9uuQK3fgG0O+hWQdeq4J+jJ4nD:9oNqk4Luu8t4aA
Threatray 164 similar samples on MalwareBazaar
TLSH T1D1B45181E589ED9AC53F22F2F87DE91019199F4FA274453A2B257A1564F338370AFC0E
dhash icon c4929e8682e69edc (1 x Poullight)
Reporter benkow_
Tags:exe Poullight

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eufive_20210816-144801
Verdict:
Suspicious activity
Analysis date:
2021-08-16 17:09:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a5719cb2-9ff2-4622-b660-091845b7e84c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179632/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17114.10362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Reading critical registry keys
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef88b5f8-9429-4286-828a-73cd663ee41c
Result
Threat name:
Poullight
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833716
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Contains functionality to capture screen (.Net source)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Yara detected Poullight Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466143 Sample: eufive_20210816-144801 Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for domain / URL 2->43 45 Yara detected Poullight Stealer 2->45 47 .NET source code contains method to dynamically call methods (often used by packers) 2->47 49 6 other signatures 2->49 8 eufive_20210816-144801.exe 2 2->8         started        process3 file4 25 C:\Users\...\eufive_20210816-144801.exe.log, ASCII 8->25 dropped 11 mshta.exe 23 8->11         started        process5 dnsIp6 31 cdn.discordapp.com 162.159.135.233, 443, 49729, 49734 CLOUDFLARENETUS United States 11->31 55 Obfuscated command line found 11->55 15 powershell.exe 14 21 11->15         started        signatures7 process8 dnsIp9 33 192.168.2.1 unknown unknown 15->33 35 cdn.discordapp.com 15->35 37 Creates an undocumented autostart registry key 15->37 39 Writes to foreign memory regions 15->39 41 Injects a PE file into a foreign processes 15->41 19 aspnet_compiler.exe 17 83 15->19         started        23 conhost.exe 15->23         started        signatures10 process11 dnsIp12 27 ru-uid-507352920.pp.ru 19->27 29 193.56.146.93, 49748, 80 LVLT-10753US unknown 19->29 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->51 53 Tries to harvest and steal browser information (history, passwords, etc) 19->53 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fc66f244e022341520c4af91172ec3833c36b95624ee5c510086cd8d71db7ae/
Threat name:
ByteCode-MSIL.Infostealer.Poul
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 17:06:24 UTC
AV detection:
6 of 27 (22.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2bd1cc1d9e1483c9d476331be8457cdef8cb445f8d20830fe299403e1233bb54
Poullight
527183278f94607bba64b6c88b839621f75135a95bbd485b3c628f32b59ada40
Poullight
943c46fdf2aae666c9fcc76fb3cc87e63b91ef0cedc6061e574e3394073e2111
Poullight
a43bdcb235827c92183c0bf3d5dc6700e21cfdfaadeaa115868281a2f7935980
Poullight
a6d1ddce9ba33a244313f7e06fc432276d07f5757c7677b144399061ad6dd90a
Poullight
b7e109f67ae3bed0060aac46380bd27b3dde262df210fb95910dd783f690403d
Poullight
bb5f523d4b4d9a8bfb0f0e89eff3559d228451476467b7b193e7686031398d3d
Poullight
e9b2559e5ba7876b670ecced318041832ffbf732cf41eec6961059d266db7846
Poullight
+ 154 additional samples on MalwareBazaar
Result
Malware family:
poullight
Create hunting rule
Score:
  10/10
Tags:
family:poullight stealer trojan
Link:
https://tria.ge/reports/210816-bjvt42a9yx/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
Poullight
Poullight Stealer Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
Dropper Extraction:
https://cdn.discordapp.com/attachments/875404916150116402/875405053467459594/Minutes.txt
Unpacked files
SH256 hash:
7fc66f244e022341520c4af91172ec3833c36b95624ee5c510086cd8d71db7ae
MD5 hash:
5ba895fb23729ffbb001e5dfe74aa132
SHA1 hash:
7a2b094329f369ff5a67971c3a71c46775e93000
Link:
https://www.unpac.me/results/19c469a7-512f-4c7a-9554-eb805d668f86/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7fc66f244e02/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fc66f244e022341520c4af91172ec3833c36b95624ee5c510086cd8d71db7ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
Gcleaner
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/179632/

Comments