Analysis
max time kernel: 118s
max time network: 128s
platform: windows7_x64
resource: win7v20201028
submitted: 30/11/2020, 20:33
Static task: static1
Behavioral task: behavioral1
  Sample: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  Resource: win10v20201028
General
Target: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
Size: 652KB
MD5: 245dc64c936592d8f1638b852ab605c3
SHA1: ce8b04e1e8bcbc7e89b1128337745dc64704fd59
SHA256: 3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f
SHA512: 902bdc8507d1eec7af5732f8bccd7d0dcaa424a9298c16d6e371d1e85b7ad2a6e4c88542b86e7c199607cd92963c2a6aadd0b5e39e40b3ed1f2eadd21a87b571
Malware Config
Extracted
Protocol: smtp
Host: mail.alfaomegaworld.com
Port: 587
Username: [email protected]
Password: ALfa34
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (1 IoCs)
  resource: behavioral1/memory/756-6-0x0000000004C60000-0x0000000004CF8000-memory.dmp
  yara_rule: family_masslogger
Executes dropped EXE (1 IoCs)
  pid   Process
  956   Onvfyn_pi.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description          ioc                                                                                                          Process
  Key value queried    \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation    Halkbank_Ekstre_20201130_080203_744632.pdf.exe
Drops startup file (1 IoCs)
  description     ioc                                                                                           Process
  File created    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk    Onvfyn_pi.exe
Loads dropped DLL (2 IoCs)
  pid    Process
  1844   powershell.exe
  956    Onvfyn_pi.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  6      api.ipify.org
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  756   Halkbank_Ekstre_20201130_080203_744632.pdf.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    Process
  756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  1140   powershell.exe
  1844   powershell.exe
  1844   powershell.exe
  1140   powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  Token: SeDebugPrivilege   1140   powershell.exe
  Token: SeDebugPrivilege   1844   powershell.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  756   Halkbank_Ekstre_20201130_080203_744632.pdf.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    Process                                          procid_target
  PID 756 wrote to memory of 1140    756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe   30
  PID 756 wrote to memory of 1140    756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe   30
  PID 756 wrote to memory of 1140    756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe   30
  PID 756 wrote to memory of 1140    756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe   30
  PID 756 wrote to memory of 1844    756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe   31
  PID 756 wrote to memory of 1844    756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe   31
  PID 756 wrote to memory of 1844    756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe   31
  PID 756 wrote to memory of 1844    756    Halkbank_Ekstre_20201130_080203_744632.pdf.exe   31
  PID 1844 wrote to memory of 956    1844   powershell.exe                                   34
  PID 1844 wrote to memory of 956    1844   powershell.exe                                   34
  PID 1844 wrote to memory of 956    1844   powershell.exe                                   34
  PID 1844 wrote to memory of 956    1844   powershell.exe                                   34
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe"
  PID: 756
  - Checks computer location settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe'
    PID: 1140
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe'
    PID: 1844
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe"
      PID: 956
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL