Overview

overview

10

Static

static

10

HALKBANK.exe

windows7_x64

10

HALKBANK.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    184s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HALKBANK.exe

  • Size

    2.6MB

  • MD5

    9b3462c82f69fbcc99426a93e4234b4f

  • SHA1

    2becef6e493a7e067ee02fcce536c1f2dcc8f5f3

  • SHA256

    0559341de926b16d11ab2ae2516720bad55f44a16d1cdfaf4a06437d54374612

  • SHA512

    05116b5ef4aa0aa3a1a677f5dcb56904ec479470d0b29aa02af0a984d080b1caf6229c949a760bcd2131d871756f9d3a9c32df26d64e6e15f8da561018189921

Score
10/10
agentteslamassloggercollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.bunsadokum.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    posta38Bunsa

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 4 IoCs
  • AgentTesla Payload 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HALKBANK.exe
    "C:\Users\Admin\AppData\Local\Temp\HALKBANK.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
          "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4848
          • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
            "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1240
          4⤵
          • Program crash
          PID:4532
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v firefoxx /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v firefoxx /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe"
        3⤵
        • Adds Run key to start application
        PID:5108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4300 -ip 4300
    1⤵
      PID:4720

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
      Filesize

      1KB

      MD5

      c2a3081353c47c81c743b974abbbb84c

      SHA1

      d2eb69344b2c28506e1134cd278477bb72673242

      SHA256

      f9fd57912c3aff8ff41751965a16532b60682103f3907fbb0d1d42a453eafbf8

      SHA512

      fb59fddc7e0d258aeff65fbf622cb2032fb65e11f74c37a57e4dc4de9557a799e03cf355344605004e06b2c23f5b7e968ae825f36b5b65dd04fbb991850d5555

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Filesize

      41KB

      MD5

      5d4073b2eb6d217c19f2b22f21bf8d57

      SHA1

      f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

      SHA256

      ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

      SHA512

      9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Filesize

      41KB

      MD5

      5d4073b2eb6d217c19f2b22f21bf8d57

      SHA1

      f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

      SHA256

      ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

      SHA512

      9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
      Filesize

      2.6MB

      MD5

      9b3462c82f69fbcc99426a93e4234b4f

      SHA1

      2becef6e493a7e067ee02fcce536c1f2dcc8f5f3

      SHA256

      0559341de926b16d11ab2ae2516720bad55f44a16d1cdfaf4a06437d54374612

      SHA512

      05116b5ef4aa0aa3a1a677f5dcb56904ec479470d0b29aa02af0a984d080b1caf6229c949a760bcd2131d871756f9d3a9c32df26d64e6e15f8da561018189921

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
      Filesize

      2.6MB

      MD5

      9b3462c82f69fbcc99426a93e4234b4f

      SHA1

      2becef6e493a7e067ee02fcce536c1f2dcc8f5f3

      SHA256

      0559341de926b16d11ab2ae2516720bad55f44a16d1cdfaf4a06437d54374612

      SHA512

      05116b5ef4aa0aa3a1a677f5dcb56904ec479470d0b29aa02af0a984d080b1caf6229c949a760bcd2131d871756f9d3a9c32df26d64e6e15f8da561018189921

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\firefoxx.exe
      Filesize

      2.6MB

      MD5

      9b3462c82f69fbcc99426a93e4234b4f

      SHA1

      2becef6e493a7e067ee02fcce536c1f2dcc8f5f3

      SHA256

      0559341de926b16d11ab2ae2516720bad55f44a16d1cdfaf4a06437d54374612

      SHA512

      05116b5ef4aa0aa3a1a677f5dcb56904ec479470d0b29aa02af0a984d080b1caf6229c949a760bcd2131d871756f9d3a9c32df26d64e6e15f8da561018189921

      Download Submit

    • memory/768-162-0x0000000000000000-mapping.dmp

      Download

    • memory/876-197-0x0000000006630000-0x0000000006680000-memory.dmp

      Filesize

      320KB

      Download

    • memory/876-195-0x00000000055A0000-0x000000000563C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/876-196-0x0000000006240000-0x00000000062A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/876-192-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/876-191-0x0000000000000000-mapping.dmp

      Download

    • memory/876-198-0x0000000006950000-0x000000000695A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3960-130-0x0000000000820000-0x0000000000ABA000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/3960-133-0x0000000005AB0000-0x0000000005AF4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3960-132-0x0000000005600000-0x0000000005692000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3960-131-0x0000000005B10000-0x00000000060B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4300-164-0x0000000000000000-mapping.dmp

      Download

    • memory/4404-145-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-158-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-156-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-155-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-153-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-150-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-149-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-147-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-135-0x0000000000400000-0x00000000004AE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4404-134-0x0000000000000000-mapping.dmp

      Download

    • memory/4732-159-0x0000000000000000-mapping.dmp

      Download

    • memory/4848-166-0x0000000000000000-mapping.dmp

      Download

    • memory/5108-160-0x0000000000000000-mapping.dmp

      Download