General
Target: Halkbank_Ekstre_202106017_080203_744632.exe
Size: 1.1MB
Sample: 210617-5flksvdt9a
MD5: b5a1c74a7bc0340d92d5d5e75ee21673
SHA1: 047014d069b1d0567c46a5b32f176778d15f9cbf
SHA256: 55da32fe4aedb4496414bc49241f166d72819b08dc27e6ce96b551a66ec1c1fb
SHA512: aff0929b60c43e024aacffe26bf556168e2a948a7d6373e717dfd5ad369a27c52f64d39b48ecb21e40686c9d25c0aa38bfb355b8d8b871ebd4e4c2a72a047b43
Static task: static1
Behavioral task: behavioral1
  Sample: Halkbank_Ekstre_202106017_080203_744632.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Halkbank_Ekstre_202106017_080203_744632.exe
  Resource: win10v20210410
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.jpentertainment.com.sg
Port: 587
Username: info@jpentertainment.com.sg
Password: Esi@jpe3
Targets
Target: Halkbank_Ekstre_202106017_080203_744632.exe
- Modifies WinLogon for persistence
- Snake Keylogger Payload
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext