Analysis

max time kernel: 18s
max time network: 115s
platform: windows10_x64
resource: win10v20201028
submitted: 30/11/2020, 20:33
Static task: static1

Behavioral task: behavioral1
Sample: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
Resource: win7v20201028
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
Resource: win10v20201028
0 signatures
0 seconds
General

Target: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
Size: 652KB
MD5: 245dc64c936592d8f1638b852ab605c3
SHA1: ce8b04e1e8bcbc7e89b1128337745dc64704fd59
SHA256: 3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f
SHA512: 902bdc8507d1eec7af5732f8bccd7d0dcaa424a9298c16d6e371d1e85b7ad2a6e4c88542b86e7c199607cd92963c2a6aadd0b5e39e40b3ed1f2eadd21a87b571
Score: 10/10
Malware Config
Signatures

MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (1 IoC)
resource: behavioral2/memory/4076-9-0x0000000007620000-0x00000000076B8000-memory.dmp
yara_rule: family_masslogger

Deletes itself (1 IoC)
pid 2708, Process: powershell.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid 4076, Process: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
pid 4076, Process: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
pid 4076, Process: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
pid 4076, Process: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
pid 2708, Process: powershell.exe
pid 2708, Process: powershell.exe
pid 2708, Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description: Token: SeDebugPrivilege, pid 4076, Process: Halkbank_Ekstre_20201130_080203_744632.pdf.exe
description: Token: SeDebugPrivilege, pid 2708, Process: powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 4076 wrote to memory of 2708, pid 4076, Process: Halkbank_Ekstre_20201130_080203_744632.pdf.exe, procid_target: 77
description: PID 4076 wrote to memory of 2708, pid 4076, Process: Halkbank_Ekstre_20201130_080203_744632.pdf.exe, procid_target: 77
description: PID 4076 wrote to memory of 2708, pid 4076, Process: Halkbank_Ekstre_20201130_080203_744632.pdf.exe, procid_target: 77
Processes

1. C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe"
   PID: 4076
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 4076)
      Command line: "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe'
      PID: 2708
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken