General
Target: Halkbank_Ekstre_20230922_080757_783952.pdf.exe
Size: 681KB
Sample: 230922-scqzxsaf96
MD5: 53483243c640b8970c9a3ff9104566fa
SHA1: d37897805dbb2cb3baa073632a945d09f2e63681
SHA256: 8c9aaf55abdaf2a893d56dc0ff3f3e37ec100a6e0ad0adf82f2cff4997112e12
SHA512: 7389847c1c3b7ace48043bb43c2daa5bdf9f9ad7bf57b74062e8f6f044fcc4d4150a5627409a7676178bf9aee91eba6cf2089c472e2da10151bd405d38411eb6
SSDEEP: 12288:JrD6YuMnVTZsTvHAJ/FvspW+Pz7IEfwxechfKTxdIl0HKSzTKp0K:hD9uMnVdsTYJ/Ts/IYwxDudbhK
Static task: static1

Behavioral task: behavioral1
  Sample: Halkbank_Ekstre_20230922_080757_783952.pdf.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: Halkbank_Ekstre_20230922_080757_783952.pdf.exe
  Resource: win10v2004-20230915-en
Malware Config

Extracted
  Protocol: smtp
  Host: mail.netre-agro.com
  Port: 587
  Username: [email protected]
  Password: Calidon@2023

Extracted (agenttesla)
  Protocol: smtp
  Host: mail.netre-agro.com
  Port: 587
  Username: [email protected]
  Password: Calidon@2023
  Email To: [email protected]
Targets
Target: Halkbank_Ekstre_20230922_080757_783952.pdf.exe
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext