Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Halkbank_E...DF.exe

windows7-x64

10

Halkbank_E...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2023, 07:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Halkbank_Ekstre_20230501_085144_348375,PDF.exe

  • Size

    581KB

  • MD5

    4c92dfdb8014a72e00b246324b7eab7e

  • SHA1

    545b35416b76f8c2141238a34807d50fb4135037

  • SHA256

    bc2c9a0032b4118b2d862043c73ebbc2627c31f8fb8afb7bd28b8a27be225800

  • SHA512

    565bbd067ba5558e80d23b9815e375e505ecba95870762b3234062d989c94c1be07dd73a51c502fbaec77f1e05badc1402d14bd76e553540d3fe5349a6ffefac

  • SSDEEP

    12288:UuRSSGReozVI8t0gPOkqdYGkUWeDP1n5VNeVSwAgfSL5:bozV1t0TkRXenOK

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6277254729:AAH9hHYZNSDZac0nNvgmchkZF8WVRKU5dJ0/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230501_085144_348375,PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230501_085144_348375,PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SaaqscsRqypzCi.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4956
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SaaqscsRqypzCi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B4D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4200
    • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230501_085144_348375,PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20230501_085144_348375,PDF.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1032

Network

  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    63.13.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    63.13.109.52.in-addr.arpa
    IN PTR
    Response
  • 93.184.220.29:80
    322 B
     7
  • 40.125.122.176:443
    260 B
     5
  • 20.189.173.12:443
    322 B
     7
  • 8.238.20.126:80
    322 B
     7
  • 173.223.113.164:443
    322 B
     7
  • 173.223.113.131:80
    322 B
     7
  • 131.253.33.203:80
    322 B
     7
  • 40.125.122.176:443
    260 B
     5
  • 209.197.3.8:80
    322 B
     7
  • 40.125.122.176:443
    260 B
     5
  • 40.125.122.176:443
    260 B
     5
  • 40.125.122.176:443
    260 B
     5
  • 40.125.122.176:443
    208 B
     4
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    63.13.109.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    63.13.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whr2ex3b.qxl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp6B4D.tmp
    Filesize

    1KB

    MD5

    0a7319246f99a931fefd0e88a3434762

    SHA1

    4bbace82137c14494edda51b051beead0835b38b

    SHA256

    e9f9542780ad2a5bc9b09e48720569cbba6df6b34f3d9a6709d8d5996298646a

    SHA512

    97dbc08f485ad1e4cfdacd9f3baeb5ac372207e503779e031159863279b583ac2fc77685c3f31921b2849f8a9c4a0a235e82c634f262716be073d929af7a7e96

    Download Submit

  • memory/1032-152-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1032-193-0x0000000005870000-0x0000000005880000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1032-182-0x0000000006DF0000-0x0000000006FB2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1032-181-0x0000000006BA0000-0x0000000006BF0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1032-166-0x0000000005870000-0x0000000005880000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1032-154-0x0000000005880000-0x00000000058E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4956-167-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4956-170-0x0000000070400000-0x000000007044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4956-150-0x0000000000F20000-0x0000000000F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4956-151-0x0000000004D30000-0x0000000005358000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4956-190-0x00000000070C0000-0x00000000070C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4956-155-0x0000000004BE0000-0x0000000004C02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4956-147-0x0000000000CF0000-0x0000000000D26000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4956-156-0x0000000004C80000-0x0000000004CE6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4956-189-0x00000000070E0000-0x00000000070FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4956-188-0x0000000006FD0000-0x0000000006FDE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4956-168-0x0000000000F20000-0x0000000000F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4956-187-0x0000000007020000-0x00000000070B6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4956-169-0x0000000006090000-0x00000000060C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4956-149-0x0000000000F20000-0x0000000000F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4956-180-0x0000000006040000-0x000000000605E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4956-186-0x000000007F740000-0x000000007F750000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4956-183-0x00000000073E0000-0x0000000007A5A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4956-185-0x0000000006E10000-0x0000000006E1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4956-184-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5076-140-0x0000000004B40000-0x0000000004B4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5076-141-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5076-142-0x0000000006B00000-0x0000000006B9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5076-138-0x0000000004A80000-0x0000000004B12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5076-137-0x00000000050F0000-0x0000000005694000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5076-136-0x0000000000050000-0x00000000000E8000-memory.dmp

    Filesize

    608KB

    Download

  • memory/5076-139-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.