Poulight Stealer: Information-stealing malware from Russia - FreeBuf Cybersecurity Industry Portal
Tags
Common Information
Type Value
UUID f00b68bf-50ad-421c-bbfb-c3d501584ad9
Fingerprint 40f8d8732237f67c
Analysis status DONE
Considered CTI value 0
Text language
Published June 26, 2020, 3 p.m.
Added to db Jan. 18, 2023, 11:19 p.m.
Last updated Nov. 17, 2024, 12:57 p.m.
Headline UNKNOWN
Title Poulight Stealer: Information-stealing malware from Russia - FreeBuf Cybersecurity Industry Portal
Detected Hints/Tags/Attributes 15/0/15
Attributes
Type        #Events   Value
Domain      2         fff.gearhostpreview.com
Domain      3         justns.ru
Domain      2         poullight.ru
Domain      7         freebuf.com
File        83        sbiedll.dll
File        20        snxhk.dll
File        16        sxin.dll
File        13        sf2.dll
File        6         keys.txt
File        2         poullight.exe
File        96        wallet.dat
sha256      2         8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95
Url         2         http[://u43692210a.ha003.t.justns.ru
Url         2         http://poullight.ru/keys.txt
Yara rule   2         (rule text follows)
import "pe"

rule Poulight_Stealer_May_2020 {
	meta:
		description = "Yara rule for Poulight Stealer"
		hash = "8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95"
		author = "Cybaze - Yoroi  ZLab"
		last_updated = "2020-05-07"
		tlp = "white"
		category = "informational"
	strings:
		$s1 = "http//fff.gearhostpreview.com/ARMBot"
		$s2 = "WBcG91bGxpZ2h0Lhttp://poullight.ru/keys.txt"
		$s3 = "Poullight.exe"
		$s4 = "\\wallets\\wallet.dat" ascii wide
		$s5 = "=====================================" ascii wide
		$s6 = { 2F 7B 00 30 00 7D 00 3C 00 63 00 6C 00 62 00 61 00 73 00 65 00 3E 00 7B 00 ?? 00 7D 00 3C 00 2F 00 63 00 6C 00 62 00 61 00 73 00 65 00 3E 00 }
		$s7 = "Select * from Win32_ComputerSystem" ascii wide
	condition:
		// PE file (MZ header at offset 0) containing every string above
		uint16(0) == 0x5A4D and all of them
}