General

  • Target: ea41301e4a2d98c24382db9b027f550c800650725d2fbb3dee52cc4b3c2adf0c
  • Size: 97KB
  • Sample: 220521-ccjylsdfb9
  • MD5: 42bac53401a84c84d83e7e840be21071
  • SHA1: 961b2af6a32370e5e7d6bb2c62a7cdb772390c8b
  • SHA256: ea41301e4a2d98c24382db9b027f550c800650725d2fbb3dee52cc4b3c2adf0c
  • SHA512: 462dd7d5342d83a7526e5115b3d638ab0df50d28bf10052ef4d1fc21a62b2d946759ca14bffd5085af78daa4559ef11df3d6a2ef896e26d268758f9d30da74ec

Score
10/10

Malware Config

Targets

    • Target: Halkbank_Ekstre_20200410_080918_330462.exe
    • Size: 210KB
    • MD5: 60624eac1bb29e821f4355ccb7e7340c
    • SHA1: 6f67adec0cb13f1622e9b608cb8cb84220d8ee13
    • SHA256: acacc7f3cc09e7a711e1f7f4f9fc6633b4c48b21f17e793ec9a91c26173c1232
    • SHA512: a426db69c5d178af4a8a7d99109e7f0112192f43dd769b84366162178a7ba449ba41c93c82cf48db4923cd4198a4a821788696b9818c731f342e138ae3023015

    Score
    10/10

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053): 1
  • Persistence: Scheduled Task (T1053): 1
  • Privilege Escalation: Scheduled Task (T1053): 1
  • Discovery: Query Registry (T1012): 1; System Information Discovery (T1082): 2

Tasks