Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
11-10-2021 13:32
Static task
static1
Behavioral task
behavioral1
Sample
Halkbank_Ekstre_20211110089273_0838736543566.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Halkbank_Ekstre_20211110089273_0838736543566.exe
Resource
win10-en-20210920
General
-
Target
Halkbank_Ekstre_20211110089273_0838736543566.exe
-
Size
762KB
-
MD5
a9ad148eb1e943000ff55d94820da73c
-
SHA1
4131afbaa43d4c405e5e5c046065d12456cf8d22
-
SHA256
980ff35a7cf5a6557b96df3d9956a133163d91d1691ccf7c1b752bdc0aa4ff2b
-
SHA512
5c88f18eee0ec5e04b9f582f327f1fa125657c4ca9c6b1160ca6dcb900662f7e52529475a6867dbfecca04b69d816dd52ba99bb479fd2e6e4f7165f7af460a22
Malware Config
Extracted
blustealer
Protocol: smtp- Host:
mail.enche.com - Port:
587 - Username:
[email protected] - Password:
Merchandise08012021
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
BluStealer
A Modular information stealer written in Visual Basic.
-
suricata: ET MALWARE a310Logger Stealer Exfil (SMTP)
suricata: ET MALWARE a310Logger Stealer Exfil (SMTP)
-
A310logger Executable 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x000400000001abe5-129.dat a310logger behavioral2/files/0x000400000001abe5-130.dat a310logger -
Executes dropped EXE 1 IoCs
Processes:
Fox.exepid Process 2552 Fox.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Fox.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Halkbank_Ekstre_20211110089273_0838736543566.exedescription pid Process procid_target PID 1680 set thread context of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Halkbank_Ekstre_20211110089273_0838736543566.exepid Process 1292 Halkbank_Ekstre_20211110089273_0838736543566.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Halkbank_Ekstre_20211110089273_0838736543566.exeHalkbank_Ekstre_20211110089273_0838736543566.exeWinMail.exedescription pid Process procid_target PID 1680 wrote to memory of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 PID 1680 wrote to memory of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 PID 1680 wrote to memory of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 PID 1680 wrote to memory of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 PID 1680 wrote to memory of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 PID 1680 wrote to memory of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 PID 1680 wrote to memory of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 PID 1680 wrote to memory of 1292 1680 Halkbank_Ekstre_20211110089273_0838736543566.exe 72 PID 1292 wrote to memory of 2552 1292 Halkbank_Ekstre_20211110089273_0838736543566.exe 73 PID 1292 wrote to memory of 2552 1292 Halkbank_Ekstre_20211110089273_0838736543566.exe 73 PID 1292 wrote to memory of 1424 1292 Halkbank_Ekstre_20211110089273_0838736543566.exe 76 PID 1292 wrote to memory of 1424 1292 Halkbank_Ekstre_20211110089273_0838736543566.exe 76 PID 1292 wrote to memory of 1424 1292 Halkbank_Ekstre_20211110089273_0838736543566.exe 76 PID 1424 wrote to memory of 2312 1424 WinMail.exe 77 PID 1424 wrote to memory of 2312 1424 WinMail.exe 77 -
outlook_office_path 1 IoCs
Processes:
Fox.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe -
outlook_win_path 1 IoCs
Processes:
Fox.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211110089273_0838736543566.exe"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211110089273_0838736543566.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211110089273_0838736543566.exe"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211110089273_0838736543566.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2552
-
-
C:\Program Files (x86)\Windows Mail\WinMail.exe"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE3⤵
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE4⤵PID:2312
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
91b41651e6e9ab352805c6d35a297d08
SHA111b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
SHA2560872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
SHA512b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892
-
MD5
91b41651e6e9ab352805c6d35a297d08
SHA111b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
SHA2560872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
SHA512b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892
-
MD5
055c857272026583a61e1b5821c69a24
SHA1ec39d34f16487682801dd2b319554cbed57feca4
SHA256190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84
SHA512d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b