Malware Analysis Report

2025-04-14 05:15

Sample ID 210111-nlkyglbehx
Target Halkbank_Ekstre_20210111_074121_054441.pdf.exe
SHA256 85729ea0b65a0a56b59f3e8ed961d4ce07f34804fb6b466b6d1c32e17cda4d8d
Tags masslogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 85729ea0b65a0a56b59f3e8ed961d4ce07f34804fb6b466b6d1c32e17cda4d8d

Threat Level: Known bad

The file Halkbank_Ekstre_20210111_074121_054441.pdf.exe was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer

MassLogger

MassLogger Main Payload

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-01-11 08:55

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-01-11 08:55

Reported

2021-01-11 08:57

Platform

win10v20201028

Max time kernel

75s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1628 set thread context of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1628 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1628 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1628 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1628 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1628 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1628 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1628 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1628 wrote to memory of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 204 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 204 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 204 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe'

Network

N/A

Files

memory/1628-2-0x0000000073840000-0x0000000073F2E000-memory.dmp

memory/1628-3-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/1628-5-0x0000000005650000-0x0000000005651000-memory.dmp

memory/1628-6-0x0000000005C50000-0x0000000005C51000-memory.dmp

memory/1628-7-0x0000000005750000-0x0000000005751000-memory.dmp

memory/1628-8-0x00000000055F0000-0x00000000055F1000-memory.dmp

memory/1628-9-0x0000000005930000-0x0000000005931000-memory.dmp

memory/1628-10-0x0000000005910000-0x0000000005922000-memory.dmp

memory/1628-11-0x0000000006640000-0x0000000006700000-memory.dmp

memory/204-12-0x0000000000400000-0x0000000000486000-memory.dmp

memory/204-13-0x0000000000481C1E-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20210111_074121_054441.pdf.exe.log

MD5 90acfd72f14a512712b1a7380c0faf60
SHA1 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
SHA256 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
SHA512 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

memory/204-15-0x0000000073840000-0x0000000073F2E000-memory.dmp

memory/204-20-0x0000000005E00000-0x0000000005E01000-memory.dmp

memory/3996-21-0x0000000000000000-mapping.dmp

memory/3996-22-0x00000000738C0000-0x0000000073FAE000-memory.dmp

memory/3996-23-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/3996-24-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

memory/3996-25-0x0000000006B80000-0x0000000006B81000-memory.dmp

memory/3996-26-0x0000000006D20000-0x0000000006D21000-memory.dmp

memory/3996-28-0x00000000076B0000-0x00000000076B1000-memory.dmp

memory/3996-29-0x00000000074D0000-0x00000000074D1000-memory.dmp

memory/3996-30-0x0000000007F40000-0x0000000007F41000-memory.dmp

memory/3996-31-0x0000000007D30000-0x0000000007D31000-memory.dmp

memory/3996-32-0x0000000009490000-0x0000000009491000-memory.dmp

memory/3996-33-0x0000000008A50000-0x0000000008A51000-memory.dmp

memory/3996-34-0x0000000008E10000-0x0000000008E11000-memory.dmp

memory/3996-35-0x00000000068D0000-0x00000000068D1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-01-11 08:55

Reported

2021-01-11 08:57

Platform

win7v20201028

Max time kernel

73s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1756 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1756 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
PID 1628 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1628 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1628 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1628 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe'

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.66.103:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | mail.turkaykalibrasyon.com | udp
N/A | 95.173.177.131:587 | mail.turkaykalibrasyon.com | tcp

Files

memory/1756-2-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/1756-3-0x00000000010D0000-0x00000000010D1000-memory.dmp

memory/1756-5-0x00000000005B0000-0x00000000005C2000-memory.dmp

memory/1756-6-0x0000000005770000-0x0000000005830000-memory.dmp

memory/1628-7-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1628-8-0x0000000000481C1E-mapping.dmp

memory/1628-9-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1628-10-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1628-11-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/640-14-0x0000000000000000-mapping.dmp

memory/640-15-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/640-16-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/1628-18-0x0000000005EE0000-0x0000000005F6D000-memory.dmp

memory/1628-17-0x0000000005AC0000-0x0000000005AF9000-memory.dmp

memory/640-19-0x0000000004810000-0x0000000004811000-memory.dmp

memory/640-20-0x0000000002490000-0x0000000002491000-memory.dmp

memory/640-21-0x0000000005240000-0x0000000005241000-memory.dmp

memory/640-24-0x0000000006040000-0x0000000006041000-memory.dmp

memory/640-29-0x0000000006080000-0x0000000006081000-memory.dmp

memory/640-30-0x0000000006140000-0x0000000006141000-memory.dmp

memory/640-37-0x0000000006290000-0x0000000006291000-memory.dmp

memory/640-38-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

memory/640-52-0x0000000006300000-0x0000000006301000-memory.dmp

memory/640-53-0x0000000006310000-0x0000000006311000-memory.dmp