General
- Target: Halkbank,pdf.rar
- Size: 2KB
- Sample: 221123-hzc2gaef64
- MD5: b99c1dae20c19b41436bd52537fb55a3
- SHA1: 1b3fcb37bca79c2bd8e8898663772082b69cfd08
- SHA256: b969c39c4378266f7e9ebdd2287ee8c32cb9bba7f6514db54bf2babca30403e8
- SHA512: 6506f41b5773fdfa1dd7e7097c66d33af019414990166f410ea9034918bcf5561076fdd646d8ae2dea7f846faaa5672394aa9d1b071c3e9ec1b306d380ae3209
Static task: static1
Behavioral task: behavioral1
- Sample: Halkbank,pdf.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Halkbank,pdf.exe
- Resource: win10v2004-20221111-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.rimiapparelsltd.com
- Port: 587
- Username: [email protected]
- Password: Everest10@
- Email To: [email protected]
The sample exfiltrates stolen data by mail submission (SMTP, port 587) to the actor's own mailbox; the Username and Password are the actor's account on that mail server, not victim credentials. The host and port are the network indicators to hunt for.
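To turn the extracted config into something a SOC can act on, here is an added Python example (not Triage's code and not derived from the sample) that parses the Key: value block above into a record, derives network indicators without leaking the credentials into a watchlist, and matches Sysmon-style network connection events against the exfiltration endpoint. The event records, image paths and the smtp.office365.com negative case are constructed for the illustration; the config text is copied from the report as shown on the page.

```python
"""Parse an AgentTesla SMTP exfil config and hunt for matching connections.

Added example for this report page; not Triage code and not part of the sample.
"""
from dataclasses import dataclass

# Copied from the 'Extracted' block above (the page shows the mailbox
# addresses redacted as '[email protected]'; they are kept verbatim).
CONFIG_TEXT = """\
Protocol: smtp
Host: mail.rimiapparelsltd.com
Port: 587
Username: [email protected]
Password: Everest10@
Email To: [email protected]
"""


@dataclass(frozen=True)
class SmtpExfilConfig:
    protocol: str
    host: str
    port: int
    username: str
    password: str
    email_to: str


def parse_agenttesla_smtp_config(text: str) -> SmtpExfilConfig:
    """Split 'Key: value' lines into a config record.

    Keys are normalised (lower-case, spaces -> underscores) so 'Email To' and
    'email_to' both work. Values are only stripped: a password may legitimately
    contain ':' or spaces, so the split is on the first ':' only.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower().replace(" ", "_")] = value.strip()
    return SmtpExfilConfig(
        protocol=fields["protocol"].lower(),
        host=fields["host"].lower(),
        port=int(fields["port"]),
        username=fields["username"],
        password=fields["password"],
        email_to=fields["email_to"],
    )


def network_indicators(cfg: SmtpExfilConfig) -> list:
    """Return (type, value) pairs for a blocklist or SIEM watchlist.

    Credentials are deliberately excluded: they belong in the analyst's notes,
    not in a list that may be distributed widely.
    """
    indicators = [("domain", cfg.host), ("dst_port", str(cfg.port))]
    parts = cfg.host.split(".")
    if len(parts) > 2:
        # Registered domain, for DNS hunting on other hostnames under it.
        indicators.append(("domain", ".".join(parts[-2:])))
    return indicators


def is_exfil_connection(cfg: SmtpExfilConfig, dst_host: str, dst_port: int) -> bool:
    """True when a connection targets the configured exfil endpoint.

    Port 587 alone is noisy (every mail client uses it), so the host must
    match as well.
    """
    return dst_host.lower().rstrip(".") == cfg.host and dst_port == cfg.port


# Constructed Sysmon EventID 3 style records (simplified fields); the image
# paths and the Office 365 entry are assumptions for the illustration.
SAMPLE_CONNECTIONS = [
    {"image": r"C:\Users\victim\AppData\Local\Temp\Halkbank,pdf.exe",
     "dst_host": "mail.rimiapparelsltd.com", "dst_port": 587},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "smtp.office365.com", "dst_port": 587},
    {"image": r"C:\Users\victim\AppData\Local\Temp\Halkbank,pdf.exe",
     "dst_host": "checkip.dyndns.org", "dst_port": 80},
]


def find_exfil_events(cfg: SmtpExfilConfig, events: list) -> list:
    """Images of processes that connected to the exfil host:port."""
    return [e["image"] for e in events
            if is_exfil_connection(cfg, e["dst_host"], e["dst_port"])]


if __name__ == "__main__":
    config = parse_agenttesla_smtp_config(CONFIG_TEXT)
    for kind, value in network_indicators(config):
        print(f"{kind}: {value}")
    print("exfil from:", find_exfil_events(config, SAMPLE_CONNECTIONS))
```

The host comparison strips a trailing dot so fully qualified names from DNS telemetry match; the legitimate Outlook submission on the same port is correctly not flagged.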
Targets
- Target: Halkbank,pdf.exe
- Size: 6KB
- MD5: 8d936312a59afa52e18a4d665755690d
- SHA1: aa34c27cdf073eb5c54e371714d3d68a626bbbd8
- SHA256: ee511bade3822feb689576b65cb3e490e9459c11c5b6583b36920f742c1bd99d
- SHA512: b36924fe5af405e6447fbf01d6d9c75cfe9dc335e36b64ea8982e59a1d9ac48dde4855f5c84cdcc21fb4d4dcbbfca1e485bbd32f04b10d67c1dc577aab9abd65
- SSDEEP: 96:awqkGAzKfGe7DVys+BWfik85EOd/vSGQeMFnU:N4DUDEPYEOdES
- AgentTesla
  Agent Tesla is a .NET-based information stealer with remote access tool (RAT) features; it harvests credentials from browsers and mail clients and exfiltrates them over SMTP, FTP or HTTP.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing (refusing to run on systems in certain countries).
- Accesses Microsoft Outlook profiles
  Reads stored Outlook account settings, consistent with mail-credential theft.
- Adds Run key to start application
  Writes a value under the Windows CurrentVersion\Run key so the payload is launched again at logon (persistence).
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address, typically to tag the victim report.
- Suspicious use of SetThreadContext
  Calling SetThreadContext on a thread of another process is characteristic of process hollowing and similar code injection, where a suspended process is redirected to run injected code.
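The behaviours above map onto telemetry most Windows estates already collect. As an added example (not Triage's code and not derived from the sample), the following Python triages Sysmon-style events: EventID 13 registry value sets for Run-key persistence and EventID 22 DNS queries for public IP lookup services, and flags a process only when it shows both, the pairing this report records. The event records, image paths, SID and the IP-lookup domain list are constructed assumptions; the geofence registry read and the SetThreadContext call produce no Sysmon registry or DNS event and are not covered here.

```python
"""Triage Run-key persistence and external IP lookups from Sysmon-style events.

Added example for this report page; not Triage code and not part of the sample.
Field names follow Sysmon EventID 13 (TargetObject, Details) and EventID 22
(QueryName), simplified to snake_case dict keys.
"""

# Run / RunOnce keys under any hive (HKU\<SID>\Software or HKLM\SOFTWARE).
RUN_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run\\",
    "\\microsoft\\windows\\currentversion\\runonce\\",
)

# Directories an unprivileged user can write to; a Run entry pointing here
# is far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Public IP lookup services commonly queried by stealers (assumed list).
IP_LOOKUP_DOMAINS = {
    "checkip.dyndns.org", "api.ipify.org", "icanhazip.com",
    "ifconfig.me", "ip-api.com", "ipinfo.io",
}

# Constructed events: the SID, paths and Firefox/svchost entries are made up
# as true-negative cases for the illustration.
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Users\victim\AppData\Local\Temp\Halkbank,pdf.exe",
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Halkbank",
     "details": r"C:\Users\victim\AppData\Roaming\Halkbank.exe"},
    {"event_id": 22, "image": r"C:\Users\victim\AppData\Local\Temp\Halkbank,pdf.exe",
     "query_name": "checkip.dyndns.org"},
    {"event_id": 22, "image": r"C:\Users\victim\AppData\Local\Temp\Halkbank,pdf.exe",
     "query_name": "mail.rimiapparelsltd.com"},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"event_id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query_name": "ipinfo.io"},
]


def is_run_key_persistence(event: dict) -> bool:
    """EventID 13 whose target lives under a Run or RunOnce key."""
    if event.get("event_id") != 13:
        return False
    target = event.get("target_object", "").lower()
    return any(suffix in target for suffix in RUN_KEY_SUFFIXES)


def persists_from_user_writable_path(event: dict) -> bool:
    """The Run value points at a binary in a user-writable directory."""
    details = event.get("details", "").lower()
    return any(prefix in details for prefix in USER_WRITABLE)


def is_external_ip_lookup(event: dict) -> bool:
    """EventID 22 DNS query for a known public IP lookup service."""
    return (event.get("event_id") == 22
            and event.get("query_name", "").lower().rstrip(".") in IP_LOOKUP_DOMAINS)


def triage(events: list) -> dict:
    """Collect behaviour tags per process image."""
    behaviours = {}
    for event in events:
        tags = behaviours.setdefault(event["image"], set())
        if is_run_key_persistence(event):
            tags.add("run_key")
            if persists_from_user_writable_path(event):
                tags.add("run_key_user_writable")
        if is_external_ip_lookup(event):
            tags.add("external_ip_lookup")
    return behaviours


def suspicious_images(events: list) -> list:
    """Processes showing both persistence and an IP lookup.

    Either behaviour alone is common in benign software (a browser resolving
    ipinfo.io, an installer adding a Run value); the combination is the
    pattern reported for this sample.
    """
    return sorted(image for image, tags in triage(events).items()
                  if "run_key" in tags and "external_ip_lookup" in tags)


if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS).items():
        print(image, sorted(tags))
    print("suspicious:", suspicious_images(SAMPLE_EVENTS))
```

The run_key_user_writable tag is kept separate so a detection rule can weight a Run entry in AppData or Temp above one in System32 without discarding the latter.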