Overview

overview

10

Static

static

10

HALKBANK.exe

windows7_x64

10

HALKBANK.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    103s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HALKBANK.exe

  • Size

    2.6MB

  • MD5

    c291db2a12b8b6cac2a34c15f3ebd92e

  • SHA1

    552ecf8af82f538b251e42f0ad3e1a45f7144887

  • SHA256

    dc12d4cb1e8224bd26571c7ce1c557740851ac248f56a5e449494e55c0edd722

  • SHA512

    6d63e75a2348659fff3d50062dcafef922bcb0385e148b5d93c61671134a639b51e491dbde4b3b18aed6adc87f24549b8cc1b42eb3b249ba7eb628b33f1f1392

Score
10/10
agentteslamassloggercollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.bunsadokum.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    posta38Bunsa

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 4 IoCs
  • AgentTesla Payload 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HALKBANK.exe
    "C:\Users\Admin\AppData\Local\Temp\HALKBANK.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
          "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4636
          • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
            "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:4560
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1284
          4⤵
          • Program crash
          PID:3628
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v firefoxx /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v firefoxx /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe"
        3⤵
        • Adds Run key to start application
        PID:4372
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2520 -ip 2520
    1⤵
      PID:3476

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
      Filesize

      1KB

      MD5

      c2a3081353c47c81c743b974abbbb84c

      SHA1

      d2eb69344b2c28506e1134cd278477bb72673242

      SHA256

      f9fd57912c3aff8ff41751965a16532b60682103f3907fbb0d1d42a453eafbf8

      SHA512

      fb59fddc7e0d258aeff65fbf622cb2032fb65e11f74c37a57e4dc4de9557a799e03cf355344605004e06b2c23f5b7e968ae825f36b5b65dd04fbb991850d5555

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Filesize

      41KB

      MD5

      5d4073b2eb6d217c19f2b22f21bf8d57

      SHA1

      f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

      SHA256

      ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

      SHA512

      9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Filesize

      41KB

      MD5

      5d4073b2eb6d217c19f2b22f21bf8d57

      SHA1

      f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

      SHA256

      ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

      SHA512

      9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
      Filesize

      2.6MB

      MD5

      c291db2a12b8b6cac2a34c15f3ebd92e

      SHA1

      552ecf8af82f538b251e42f0ad3e1a45f7144887

      SHA256

      dc12d4cb1e8224bd26571c7ce1c557740851ac248f56a5e449494e55c0edd722

      SHA512

      6d63e75a2348659fff3d50062dcafef922bcb0385e148b5d93c61671134a639b51e491dbde4b3b18aed6adc87f24549b8cc1b42eb3b249ba7eb628b33f1f1392

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
      Filesize

      2.6MB

      MD5

      c291db2a12b8b6cac2a34c15f3ebd92e

      SHA1

      552ecf8af82f538b251e42f0ad3e1a45f7144887

      SHA256

      dc12d4cb1e8224bd26571c7ce1c557740851ac248f56a5e449494e55c0edd722

      SHA512

      6d63e75a2348659fff3d50062dcafef922bcb0385e148b5d93c61671134a639b51e491dbde4b3b18aed6adc87f24549b8cc1b42eb3b249ba7eb628b33f1f1392

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
      Filesize

      2.6MB

      MD5

      c291db2a12b8b6cac2a34c15f3ebd92e

      SHA1

      552ecf8af82f538b251e42f0ad3e1a45f7144887

      SHA256

      dc12d4cb1e8224bd26571c7ce1c557740851ac248f56a5e449494e55c0edd722

      SHA512

      6d63e75a2348659fff3d50062dcafef922bcb0385e148b5d93c61671134a639b51e491dbde4b3b18aed6adc87f24549b8cc1b42eb3b249ba7eb628b33f1f1392

      Download Submit

    • memory/1812-159-0x0000000000000000-mapping.dmp

      Download

    • memory/1820-190-0x0000000000000000-mapping.dmp

      Download

    • memory/2520-163-0x0000000000000000-mapping.dmp

      Download

    • memory/4372-160-0x0000000000000000-mapping.dmp

      Download

    • memory/4560-192-0x0000000000000000-mapping.dmp

      Download

    • memory/4560-199-0x0000000006640000-0x000000000664A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4560-198-0x0000000006540000-0x0000000006590000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4560-197-0x00000000055F0000-0x0000000005656000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4560-196-0x00000000052E0000-0x000000000537C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4560-193-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4636-165-0x0000000000000000-mapping.dmp

      Download

    • memory/4776-130-0x0000000000E20000-0x00000000010BC000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/4776-131-0x0000000006090000-0x0000000006634000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4776-132-0x0000000005B80000-0x0000000005C12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5028-153-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/5028-137-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/5028-133-0x0000000000000000-mapping.dmp

      Download

    • memory/5028-145-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/5028-147-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/5028-149-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/5028-150-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/5028-156-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/5028-161-0x0000000005070000-0x00000000050B4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5028-155-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/5028-158-0x0000000000830000-0x00000000008DE000-memory.dmp

      Filesize

      696KB

      Download