MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a43bdcb235827c92183c0bf3d5dc6700e21cfdfaadeaa115868281a2f7935980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Poullight

Vendor detections: 10

Intelligence 10 IOCs YARA 9 File information Comments

SHA256 hash:	a43bdcb235827c92183c0bf3d5dc6700e21cfdfaadeaa115868281a2f7935980
SHA3-384 hash:	d39e4b083de0a5a9c09c065a224f93625f0af8fdbe6e097c777dce9c5bfad1b945c04b731813d77a8da342371e69ec82
SHA1 hash:	0f7f0503d5c120ad5acac2f16a6ccf1cf50e889b
MD5 hash:	45759d997c2bfdbc3a9fa7e869c50b66
humanhash:	oscar-potato-artist-nevada
File name:	45759d997c2bfdbc3a9fa7e869c50b66.exe
Download:	download sample
Signature	Poullight Create hunting rule
File size:	960'816 bytes
First seen:	2021-03-17 08:11:11 UTC
Last seen:	2021-03-17 10:44:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	768:zB14qJ3W8z9FGMoKvebbG43nl1qQenUTGR9a+YxxplxjiBRBMec47CGtXrqhq2mn:T4S3W8zti32LniGBvzS34UfNS34Uf
Threatray	8 similar samples on MalwareBazaar
TLSH	83155FD3DCC36CA08701BB9566F8D3FA0A23B27B10ACE63D5B055BA21783594A197F74
Reporter	abuse_ch
Tags:	exe Poullight

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

45759d997c2bfdbc3a9fa7e869c50b66.exe

Verdict:

Malicious activity

Analysis date:

2021-03-17 08:31:23 UTC

Tags:

stealer poullight trojan

Link:

https://app.any.run/tasks/3684e68c-ed7b-4c66-b3fd-e407fb3c14c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.531.8328.30604.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Sending a UDP request

Reading critical registry keys

Deleting a recently created file

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Poullight

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/642048

Signature

Contains functionality to capture screen (.Net source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Poullight Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a43bdcb235827c92183c0bf3d5dc6700e21cfdfaadeaa115868281a2f7935980/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-06 13:36:49 UTC

AV detection:

31 of 47 (65.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uq55zmrvqj6jegb4bpz5lxdhadrbz7p2vxvkcfmgqka2f54tlgaa._file

Verdict:

malicious

Poullight

527183278f94607bba64b6c88b839621f75135a95bbd485b3c628f32b59ada40

Poullight

52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc

Poullight

943c46fdf2aae666c9fcc76fb3cc87e63b91ef0cedc6061e574e3394073e2111

Poullight

ba468ce1204233cbcb5d473ac13cd5554588480c0186f52e0bd7f091eb3f081c

Poullight

c9095e2b57e8bcf1fff243c50fd9f455abb44cd18534062d10de93eb9dcb5dbf

Poullight

e3670bfc1db6fb7223bb6b231ef4c3afd9d34de1d8f87b7a8e7a4cb27cfaa37d

Poullight

e9b2559e5ba7876b670ecced318041832ffbf732cf41eec6961059d266db7846

Poullight

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/210317-bk2gecebk2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

e3ea3c82d70ea9fae7ef7163c5656279460e30fd82c698b44af8acef5f4713db

MD5 hash:

f9febd7e1549dcbbb749faf491143c19

SHA1 hash:

ece7b62fbd6778311fb2db1501833e9bae596150

Detections:

win_poulight_stealer_w0

Link:

https://www.unpac.me/results/73c2b0c9-aa0c-481d-874e-d5c0108d32da/

SH256 hash:

15006e0b7ffc6580ff4c019f3f1fedc695b82422f10f3ac9edafbeaad02262a5

MD5 hash:

d9338bab40c18d11ec3955f06e039c0a

SHA1 hash:

f4a929069f817167bcf20d1ba7a1d6cfdeecb0f5

Link:

https://www.unpac.me/results/73c2b0c9-aa0c-481d-874e-d5c0108d32da/

SH256 hash:

a43bdcb235827c92183c0bf3d5dc6700e21cfdfaadeaa115868281a2f7935980

MD5 hash:

45759d997c2bfdbc3a9fa7e869c50b66

SHA1 hash:

0f7f0503d5c120ad5acac2f16a6ccf1cf50e889b

Link:

https://www.unpac.me/results/73c2b0c9-aa0c-481d-874e-d5c0108d32da/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a43bdcb235827c92183c0bf3d5dc6700e21cfdfaadeaa115868281a2f7935980

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	MALWARE_Win_Poullight Create hunting rule
Author:	ditekSHen
Description:	Detects Poullight infostealer

Rule name:	Stealer_word_in_memory Create hunting rule
Author:	James_inthe_box
Description:	The actual word stealer in memory

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_poulight_stealer_w0 Create hunting rule
Author:	James_inthe_box
Description:	Poullight stealer
Reference:	https://app.any.run/tasks/d9e4933b-3229-4cb4-84e6-c45a336b15be/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Poullight

exe a43bdcb235827c92183c0bf3d5dc6700e21cfdfaadeaa115868281a2f7935980

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1072581/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample