Analysis

  • max time kernel
    119s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/05/2024, 12:41 UTC

General

  • Target

    Halkbank.exe

  • Size

    1.5MB

  • MD5

    17b4f6c8e030bcc1516f978f1f159ff8

  • SHA1

    e4c5faff829cb346c6bb0b15716a6a260b89101f

  • SHA256

    9ce382b1991be3ae8fa744c4abf5d450ee9d376da295dfee8ca565551e75a9b0

  • SHA512

    adb100e1f52bc096cc23c5a5a82a2d5f581b6477e84f8641ced130249264dd3cb708e3b1e1e43ae7f50e6853bb2dd1cdff6421012896361eda8688d750116be4

  • SSDEEP

    24576:xZyLaHxaFxJ3pJxhqyxmF7CZxZyLaHxaFxJ3pJxhqyxmF7CZOUa:xrHxexJ3rxhE2ZxrHxexJ3rxhE2ZO

Signatures

  • Detect ZGRat V1 5 IoCs
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main payload 5 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Halkbank.exe (PID 1300)
    "C:\Users\Admin\AppData\Local\Temp\Halkbank.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Halkbank.exe (PID 2596)
      "{path}"
    • C:\Users\Admin\AppData\Local\Temp\Halkbank.exe (PID 2768)
      "{path}"
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path

Network

  • DNS api.ipify.org (Halkbank.exe)
    Remote address: 8.8.8.8:53
    Request: api.ipify.org IN A
    Response: api.ipify.org IN A 104.26.12.205, 172.67.74.152, 104.26.13.205
  • GET http://api.ipify.org/ (Halkbank.exe)
    Remote address: 104.26.12.205:80
    Request:
      GET / HTTP/1.1
      Host: api.ipify.org
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Mon, 13 May 2024 12:42:10 GMT
      Content-Type: text/plain
      Content-Length: 14
      Connection: keep-alive
      Vary: Origin
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 8832ba168be44167-LHR
  • 104.26.12.205:80 http://api.ipify.org/ http Halkbank.exe 345 B 672 B 6 5
    HTTP Request: GET http://api.ipify.org/
    HTTP Response: 200
  • 8.8.8.8:53 api.ipify.org dns Halkbank.exe 59 B 107 B 1 1
    DNS Request: api.ipify.org
    DNS Response: 104.26.12.205, 172.67.74.152, 104.26.13.205

Downloads

  • memory/1300-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp (Filesize 4KB)
  • memory/1300-1-0x0000000001060000-0x00000000011E8000-memory.dmp (Filesize 1.5MB)
  • memory/1300-2-0x00000000003E0000-0x00000000003EA000-memory.dmp (Filesize 40KB)
  • memory/1300-3-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
  • memory/1300-4-0x0000000073FFE000-0x0000000073FFF000-memory.dmp (Filesize 4KB)
  • memory/1300-5-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
  • memory/1300-6-0x0000000005080000-0x0000000005120000-memory.dmp (Filesize 640KB)
  • memory/1300-7-0x0000000004C40000-0x0000000004CDA000-memory.dmp (Filesize 616KB)
  • memory/1300-23-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
  • memory/2768-18-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
  • memory/2768-9-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
  • memory/2768-22-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
  • memory/2768-21-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
  • memory/2768-16-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
  • memory/2768-12-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
  • memory/2768-8-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
  • memory/2768-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
  • memory/2768-10-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize 536KB)
  • memory/2768-24-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
  • memory/2768-25-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
  • memory/2768-26-0x0000000073FF0000-0x00000000746DE000-memory.dmp (Filesize 6.9MB)
