MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 943c46fdf2aae666c9fcc76fb3cc87e63b91ef0cedc6061e574e3394073e2111. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Poulight


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 943c46fdf2aae666c9fcc76fb3cc87e63b91ef0cedc6061e574e3394073e2111
SHA3-384 hash: 356cf571be7e37d00696f7ec15091bedef007a659b9528e105e021a0af8fe3b03e918e437071dd4ecb6414b5b7ac997b
SHA1 hash: 33506da6b940393014667e2782fdb749e318f5b1
MD5 hash: 8eee25e77e3da8b32bd1577a7f8117c2
humanhash: snake-march-lion-quiet
File name:SecuriteInfo.com.Variant.Ursu.883988.30776.16553
Download: download sample
Signature Poulight
Create hunting rule
File size:978'944 bytes
First seen:2020-12-01 01:43:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 113 x njrat, 80 x RedLineStealer)
ssdeep 24576:yWIiL4kd9Yv+0k4kL8PhDnHOl4DRb0Mm3Z4hhnG2/:yW+kTzIThDE4imv
Threatray 6 similar samples on MalwareBazaar
TLSH B52533C5CB8475F7F3C9C73467438A3E4920BBA65A9BBEE9C3C875AB14B81F09811650
Reporter SecuriteInfoCom
Tags:Poulight

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'510
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106142/
Detection(s):
SecuriteInfo.com.Variant.Ursu.883988.30776.16553.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a file
Reading critical registry keys
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Creating a window
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Poullight
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/551561
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Poullight Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
poulight
Create hunting rule
Link:
https://mwdb.cert.pl/sample/943c46fdf2aae666c9fcc76fb3cc87e63b91ef0cedc6061e574e3394073e2111/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2020-11-29 06:34:00 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sq6en7psvltgnsp4y5x3hteh4y5zd3ym5xdamhsxjyzzibz6eeiq._file
Verdict:
malicious
Similar samples:
34e142c3ca75844c48639cfc8f60513d23c02a65addef3bce69f5b49b34277a1
Poulight
526b68a0be26a2bce634d4c37a025eca01d051e4ae0df350fa384541ebbe09c5
Poulight
5b5eab7a12fdfc6cc39e39193b7a9020ee46e72acac70033236ef9b6b2da32c7
Poulight
5ef8714caf9c7296847b67b27edb93c3aec23d7e77b57d23d0e8607d707a2c49
Poulight
6c90f16a6932be921cbb44b9e4531cf36e5ded6d5dd0016c4309a56ab8a96461
Poulight
b4bbfec518b34f417680149af477857ce1a27aa23eaceb4eb99d62230e376ba9
Poulight
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware
Link:
https://tria.ge/reports/201201-yc5fah2fae/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Reads user/profile data of web browsers
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
943c46fdf2aae666c9fcc76fb3cc87e63b91ef0cedc6061e574e3394073e2111
MD5 hash:
8eee25e77e3da8b32bd1577a7f8117c2
SHA1 hash:
33506da6b940393014667e2782fdb749e318f5b1
Link:
https://www.unpac.me/results/e379f050-5cb7-49e7-bbe2-c506c2a04222/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Enigma
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/943c46fdf2aae666c9fcc76fb3cc87e63b91ef0cedc6061e574e3394073e2111

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Poulight

Executable exe 943c46fdf2aae666c9fcc76fb3cc87e63b91ef0cedc6061e574e3394073e2111

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/870886/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106142/

Comments