206fc7652acb64b309bb3e8d6dc46dfda7cb7f42c8730e4f8b70afd10a60a1b0 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Halkbank_Ekstre_20230817_080757_783952.exe
Size

637KB
Sample

230817-gqbxdahe3v
MD5

b50f3ee04580d700318f8a61fdfc8635
SHA1

a60db03ea60d18e02de5ec4bebf29d72b1cc9df9
SHA256

206fc7652acb64b309bb3e8d6dc46dfda7cb7f42c8730e4f8b70afd10a60a1b0
SHA512

7a6337de3d187a1dc7be890c66103c66f2c0755d05b4076edeb8b18ecda2043d616ecba037cfce6713f06f034b8a369f68b2571a1ba394dbd9e91ff6741093e4
SSDEEP

12288:iAfCgPDl+CYxklpElDiZzxHv2GTIk5U687hEv+qCnWDn1Fqi1uZ3KMUY:LBEg42IbZq0WDOiS3KG

Score

10^/10

persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.asainsaatmakina.com.tr
Port:
587
Username:
[email protected]
Password:
asa2021

Targets

- Target
  
  Halkbank_Ekstre_20230817_080757_783952.exe
- Size
  
  637KB
- MD5
  
  b50f3ee04580d700318f8a61fdfc8635
- SHA1
  
  a60db03ea60d18e02de5ec4bebf29d72b1cc9df9
- SHA256
  
  206fc7652acb64b309bb3e8d6dc46dfda7cb7f42c8730e4f8b70afd10a60a1b0
- SHA512
  
  7a6337de3d187a1dc7be890c66103c66f2c0755d05b4076edeb8b18ecda2043d616ecba037cfce6713f06f034b8a369f68b2571a1ba394dbd9e91ff6741093e4
- SSDEEP
  
  12288:iAfCgPDl+CYxklpElDiZzxHv2GTIk5U687hEv+qCnWDn1Fqi1uZ3KMUY:LBEg42IbZq0WDOiS3KG
Score

10^/10

persistence spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

persistencespywarestealer

behavioral2

persistencespywarestealer