General
- Target: f9192e96652f2dc469dadada2d64e3802caa27dc2bc3eaa2569aca8a272c50ad
- Size: 263KB
- Sample: 220521-nydjhahdfj
- MD5: 32059af577872aa699dea33a1779e5b6
- SHA1: 94ec2d2766ccc7db10e6b7438c8baa93dfe34989
- SHA256: f9192e96652f2dc469dadada2d64e3802caa27dc2bc3eaa2569aca8a272c50ad
- SHA512: b13dcd37d529be6e6647fa2d9366a0543ab3308c5a1dfdeb44c4e6778eda5e58c0e4f4a32e4f6fd3d7b2f4fa6757c761098c04324f808ef11875c8c6e0be64b3
Static task: static1
Behavioral task: behavioral1
- Sample: HALKBANK.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: HALKBANK.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bunsadokum.com
- Port: 587
- Username: [email protected]
- Password: posta38Bunsa
Targets
- Target: HALKBANK.exe
- Size: 620KB
- MD5: a9b42ce32c33db28c6fc94a3a7f363fb
- SHA1: 1c08b215c178a267a083ee3a70baa9c0ba2e68e3
- SHA256: 45307bbc3304804c89746b960ba85f69c9ca725b0483afad2c13b3eb999800bc
- SHA512: c76efcdffc09b4615039add1afa9c3646ffc1635e006c5a92faf66c4c8f062b3ad263cc25ebdd1c813692406954d37d76aa0e02da0bcd85221b26791b088dd21
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext