agenttesla | 47ed8a371b2d67ff11d04a5e2473e2bedeb5c074bb6f90f452e8bfd837ef6a11

Analysis

max time kernel
139s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2023, 16:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Halkbank_Ekstre_20191102_073809_405251-PDF.exe
Size

988KB
MD5

0f93c17cac1c2dd8b332bf2d53aa2f8c
SHA1

8848bf63c85f1743d63d458819ab4632f80b4cc9
SHA256

4b01f24d97fef59510e2a99a4d75d48f7dbe8445e5fe05a3602fb7a12094ade9
SHA512

b1b7968abe71cdf12c1aa3bed07fdde8282126faf2bd1386c8fccc0bfdc3ae39b10d94155a96770bc72dee60d6265ce45a8211e4624b3e25c1e08bc7794a2c89
SSDEEP

12288:o6UYBXALb35v+g4IwbmB1fRcmjMx7jghB/8SBJxVtQD2b62SgM5DqanwP7r9r/+l:1SbIPIhbNM1sh9BR1q

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.rolexlogisticsservice.com
Port:
587
Username:
thursday@rolexlogisticsservice.com
Password:
0.p-TydLJ-3Z

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.rolexlogisticsservice.com
Port:
587
Username:
thursday@rolexlogisticsservice.com
Password:
0.p-TydLJ-3Z
Email To:
thursday@rolexlogisticsservice.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	api.ipify.org
48	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe
1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe
1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe
1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe
5012	Halkbank_Ekstre_20191102_073809_405251-PDF.exe
5012	Halkbank_Ekstre_20191102_073809_405251-PDF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe
Token: SeDebugPrivilege	5012	Halkbank_Ekstre_20191102_073809_405251-PDF.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5012	Halkbank_Ekstre_20191102_073809_405251-PDF.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1760	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	98
PID 1436 wrote to memory of 1760	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	98
PID 1436 wrote to memory of 1760	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	98
PID 1436 wrote to memory of 4748	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	99
PID 1436 wrote to memory of 4748	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	99
PID 1436 wrote to memory of 4748	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	99
PID 1436 wrote to memory of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100
PID 1436 wrote to memory of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100
PID 1436 wrote to memory of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100
PID 1436 wrote to memory of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100
PID 1436 wrote to memory of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100
PID 1436 wrote to memory of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100
PID 1436 wrote to memory of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100
PID 1436 wrote to memory of 5012	1436	Halkbank_Ekstre_20191102_073809_405251-PDF.exe	100

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe"
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe"
  2⤵
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20191102_073809_405251-PDF.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5012

Network

DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

6.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.181.190.20.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 425794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 92E7982194524BBC8DE3837BC53327E8 Ref B: LON04EDGE1007 Ref C: 2023-12-08T16:51:02Z
date: Fri, 08 Dec 2023 16:51:02 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 361903
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 40D294EDCF104C75964285C2EB9231A4 Ref B: LON04EDGE1007 Ref C: 2023-12-08T16:51:02Z
date: Fri, 08 Dec 2023 16:51:02 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301308_1V23M6H7DG8T3CRA5&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301308_1V23M6H7DG8T3CRA5&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 416984
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4E156EEB796A4FA2A77443BE7C443C4C Ref B: LON04EDGE1007 Ref C: 2023-12-08T16:51:02Z
date: Fri, 08 Dec 2023 16:51:02 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301717_1QD8K4REPRL31N6EW&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301717_1QD8K4REPRL31N6EW&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 408529
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DB96069EACD74DE5A95259849CEA9E7B Ref B: LON04EDGE1007 Ref C: 2023-12-08T16:51:02Z
date: Fri, 08 Dec 2023 16:51:02 GMT
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

api.ipify.org

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN CNAME

api4.ipify.org

api4.ipify.org

IN A

173.231.16.77

api4.ipify.org

IN A

104.237.62.212

api4.ipify.org

IN A

64.185.227.156
DNS

api.ipify.org

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A
GET

https://api.ipify.org/

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

Remote address:

173.231.16.77:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.25.1
Date: Fri, 08 Dec 2023 16:51:22 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Vary: Origin
DNS

77.16.231.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.16.231.173.in-addr.arpa

IN PTR

Response

77.16.231.173.in-addr.arpa

IN PTR

apiipifyorg
DNS

mail.rolexlogisticsservice.com

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

Remote address:

8.8.8.8:53

Request

mail.rolexlogisticsservice.com

IN A

Response

mail.rolexlogisticsservice.com

IN CNAME

rolexlogisticsservice.com

rolexlogisticsservice.com

IN A

131.153.148.82
DNS

mail.rolexlogisticsservice.com

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

Remote address:

8.8.8.8:53

Request

mail.rolexlogisticsservice.com

IN A
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

82.148.153.131.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.148.153.131.in-addr.arpa

IN PTR

Response

82.148.153.131.in-addr.arpa

IN PTR

wghp11 wghserverscom
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

61.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.179.17.96.in-addr.arpa

IN PTR

Response

61.179.17.96.in-addr.arpa

IN PTR

a96-17-179-61deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301717_1QD8K4REPRL31N6EW&pid=21.2&w=1080&h=1920&c=4

tls, http2

57.0kB
1.7MB
1218
1210

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301308_1V23M6H7DG8T3CRA5&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301717_1QD8K4REPRL31N6EW&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
173.231.16.77:443

https://api.ipify.org/

tls, http

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

998 B
7.0kB
12
12

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
131.153.148.82:587

mail.rolexlogisticsservice.com

smtp-submission

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

2.9kB
6.3kB
22
22
131.153.148.82:587

mail.rolexlogisticsservice.com

smtp-submission

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

2.8kB
6.5kB
24
25

8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

6.181.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

6.181.190.20.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

api.ipify.org

dns

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

118 B
126 B
2
1

DNS Request

api.ipify.org

DNS Request

api.ipify.org

DNS Response

173.231.16.77

104.237.62.212

64.185.227.156
8.8.8.8:53

77.16.231.173.in-addr.arpa

dns

72 B
99 B
1
1

DNS Request

77.16.231.173.in-addr.arpa
8.8.8.8:53

mail.rolexlogisticsservice.com

dns

Halkbank_Ekstre_20191102_073809_405251-PDF.exe

152 B
106 B
2
1

DNS Request

mail.rolexlogisticsservice.com

DNS Request

mail.rolexlogisticsservice.com

DNS Response

131.153.148.82
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

82.148.153.131.in-addr.arpa

dns

73 B
108 B
1
1

DNS Request

82.148.153.131.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

61.179.17.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

61.179.17.96.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20191102_073809_405251-PDF.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1436-10-0x0000000006BE0000-0x0000000006C7C000-memory.dmp

Filesize
624KB

Download
memory/1436-14-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/1436-3-0x0000000007E30000-0x0000000007EC2000-memory.dmp

Filesize
584KB

Download
memory/1436-1-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/1436-5-0x0000000007DD0000-0x0000000007DDA000-memory.dmp

Filesize
40KB

Download
memory/1436-6-0x00000000053B0000-0x00000000053CA000-memory.dmp

Filesize
104KB

Download
memory/1436-7-0x0000000005400000-0x0000000005408000-memory.dmp

Filesize
32KB

Download
memory/1436-8-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/1436-2-0x0000000008340000-0x00000000088E4000-memory.dmp

Filesize
5.6MB

Download
memory/1436-9-0x00000000092A0000-0x000000000931E000-memory.dmp

Filesize
504KB

Download
memory/1436-4-0x0000000008010000-0x0000000008020000-memory.dmp

Filesize
64KB

Download
memory/1436-0-0x0000000000E50000-0x0000000000F4C000-memory.dmp

Filesize
1008KB

Download
memory/5012-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-15-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/5012-16-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/5012-17-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/5012-18-0x0000000006BB0000-0x0000000006C00000-memory.dmp

Filesize
320KB

Download
memory/5012-19-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/5012-20-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.