General
-
Target
Halkbank.exe
-
Size
610KB
-
Sample
221128-jd4gzafb57
-
MD5
3b3a8ec84050161f9f4c9fcbbc51f72d
-
SHA1
119b127ea5dcb49fe30ad6061e46fc0c3685cdeb
-
SHA256
759b0bf83a7cbc7ab0e88fcf11428e36ee8f1e5b61b55344408829529c0d4210
-
SHA512
93e0ab32482c74c86ef17de6a75dc12544a57a427942e854d84efbd964491a1a50b38aec22b141c2ebd819c96fc991ad595a1f52f008a829859b468f14ca6b0a
-
SSDEEP
12288:2WO+/pbKbfhpdnkUjoHP6ktw6NSj0+7aPG8WDs:2W5bKNpdkUjIP6jZ0vmo
Static task
static1
Behavioral task
behavioral1
Sample
Halkbank.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Halkbank.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5792996127:AAEo0wCCYZp60yQsf_X1P7t-T5AAK5KPYXY/
Targets
-
-
Target
Halkbank.exe
-
Size
610KB
-
MD5
3b3a8ec84050161f9f4c9fcbbc51f72d
-
SHA1
119b127ea5dcb49fe30ad6061e46fc0c3685cdeb
-
SHA256
759b0bf83a7cbc7ab0e88fcf11428e36ee8f1e5b61b55344408829529c0d4210
-
SHA512
93e0ab32482c74c86ef17de6a75dc12544a57a427942e854d84efbd964491a1a50b38aec22b141c2ebd819c96fc991ad595a1f52f008a829859b468f14ca6b0a
-
SSDEEP
12288:2WO+/pbKbfhpdnkUjoHP6ktw6NSj0+7aPG8WDs:2W5bKNpdkUjIP6jZ0vmo
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-