Analysis
-
max time kernel
120s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
20-10-2023 11:34
Static task
static1
Behavioral task
behavioral1
Sample
Halkbank_Ekstre_20231019_574589_324568.pdf.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Halkbank_Ekstre_20231019_574589_324568.pdf.exe
Resource
win10v2004-20230915-en
General
-
Target
Halkbank_Ekstre_20231019_574589_324568.pdf.exe
-
Size
949KB
-
MD5
9869b521f18fc52aa2ee00593f41065c
-
SHA1
aaad09ec83aa11081f2f81df2eecf0303a049a93
-
SHA256
9a2f9a2670f1a81d9e637218669c6db6a29ea962ce2cb2a81468c45aa5b40b40
-
SHA512
0140fa3cbbc1ad4e12d88fa9dc58dc4cb4b9d7d7b29be63372a937ddd2d36fc7f5342742c0ea6bede85d04fef1b56fc14b7da1b94878aa8b224698a75e65216a
-
SSDEEP
12288:IyQaMFM0Mvxv9ZtOZvkrM7aMhOt3a7kbVRpzRcv9sXfNKtHkvJlq:Iyjv9EZOSTOdVRptclmfNKhkvG
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6564714997:AAEB5Qyq9hSihv7iw6Fa5RV1VfNvFH6t4oU/sendMessage?chat_id=5328986207
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 7 IoCs
Processes:
resource yara_rule behavioral1/memory/2208-11-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2208-12-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2208-15-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2208-17-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2208-19-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2208-22-0x0000000004BC0000-0x0000000004C00000-memory.dmp family_snakekeylogger behavioral1/memory/2208-24-0x0000000004BC0000-0x0000000004C00000-memory.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Halkbank_Ekstre_20231019_574589_324568.pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20231019_574589_324568.pdf.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Halkbank_Ekstre_20231019_574589_324568.pdf.exedescription pid process target process PID 2392 set thread context of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Halkbank_Ekstre_20231019_574589_324568.pdf.exepid process 2208 Halkbank_Ekstre_20231019_574589_324568.pdf.exe 2208 Halkbank_Ekstre_20231019_574589_324568.pdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Halkbank_Ekstre_20231019_574589_324568.pdf.exedescription pid process Token: SeDebugPrivilege 2208 Halkbank_Ekstre_20231019_574589_324568.pdf.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Halkbank_Ekstre_20231019_574589_324568.pdf.exedescription pid process target process PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe PID 2392 wrote to memory of 2208 2392 Halkbank_Ekstre_20231019_574589_324568.pdf.exe Halkbank_Ekstre_20231019_574589_324568.pdf.exe -
outlook_office_path 1 IoCs
Processes:
Halkbank_Ekstre_20231019_574589_324568.pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20231019_574589_324568.pdf.exe -
outlook_win_path 1 IoCs
Processes:
Halkbank_Ekstre_20231019_574589_324568.pdf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20231019_574589_324568.pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20231019_574589_324568.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20231019_574589_324568.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20231019_574589_324568.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20231019_574589_324568.pdf.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2208