blackmoon | 1d0c2228e4f710999bd97385b1595cd48bc9b79a837a01eff63efb470a1f92ba | Triage

Submit
Reports

Overview

overview

Static

static

3be8fa0b38...0N.exe

windows7-x64

3be8fa0b38...0N.exe

windows10-2004-x64

Sharing

General

Target

3be8fa0b38501cdb368c5cf5a0615880N
Size

3.1MB
Sample

240915-q86n5sxdpp
MD5

3be8fa0b38501cdb368c5cf5a0615880
SHA1

52083abf2794b5f6f8a429ef5bf5fa552896832f
SHA256

1d0c2228e4f710999bd97385b1595cd48bc9b79a837a01eff63efb470a1f92ba
SHA512

4d60b1c7d41f9a03147cf1d81640d9b6cd09078c9a8e1634006f505c95cf81a3f0a2f3f31b6c925fd9c90be6c733cac7a54cadf19b0dd0b63ea2b2d8a78ea5bd
SSDEEP

49152:eFnAp4kyST0QX9i41ZmCq6M+s8KuqGaX0ToIBAUZLYRXcYz7NWu22wS3BNM8:eFw7ySwQX9iC4n0JBAUZLuMYz1BN

Score

10^/10

blackmoon poullight banker credential_access discovery spyware stealer trojan

Static task

static1

blackmoon poullight

5 signatures

Behavioral task

behavioral1

Sample

3be8fa0b38501cdb368c5cf5a0615880N.exe

Resource

win7-20240903-en

blackmoon poullight banker credential_access discovery spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

3be8fa0b38501cdb368c5cf5a0615880N.exe

Resource

win10v2004-20240802-en

blackmoon poullight banker credential_access discovery spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  3be8fa0b38501cdb368c5cf5a0615880N
- Size
  
  3.1MB
- MD5
  
  3be8fa0b38501cdb368c5cf5a0615880
- SHA1
  
  52083abf2794b5f6f8a429ef5bf5fa552896832f
- SHA256
  
  1d0c2228e4f710999bd97385b1595cd48bc9b79a837a01eff63efb470a1f92ba
- SHA512
  
  4d60b1c7d41f9a03147cf1d81640d9b6cd09078c9a8e1634006f505c95cf81a3f0a2f3f31b6c925fd9c90be6c733cac7a54cadf19b0dd0b63ea2b2d8a78ea5bd
- SSDEEP
  
  49152:eFnAp4kyST0QX9i41ZmCq6M+s8KuqGaX0ToIBAUZLYRXcYz7NWu22wS3BNM8:eFw7ySwQX9iC4n0JBAUZLuMYz1BN
Score

10^/10

blackmoon poullight banker credential_access discovery spyware stealer trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Poullight
  Poullight is an information stealer first seen in March 2020.
  trojan stealer poullight
- Poullight Stealer payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

blackmoonpoullight

behavioral1

blackmoonpoullightbankercredential_accessdiscoveryspywarestealertrojan

behavioral2

blackmoonpoullightbankercredential_accessdiscoveryspywarestealertrojan

© 2018-2025

Terms | Privacy