Overview

overview

10

Static

static

5

Halkbank E...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2025, 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Halkbank Ekstresi.pdf.exe

  • Size

    1021KB

  • MD5

    46105f278f88316cb3a1f602732a29ec

  • SHA1

    840332cc7cd500f908c2c30cb1a895989c5ca2bb

  • SHA256

    3badbaff81cbfede25404376a04a6a1504ac3148bc2bfdfd6e6bf441b2a40373

  • SHA512

    72d65134807a89d286dcfbb4d74e43889906ff5c0f749847a6e753ede5e4f8a509f6740a71fafe48bfb0bb29724c4dbf3dc5178d06a46e5643cdc68e3b244e0e

  • SSDEEP

    24576:Yu6J33O0c+JY5UZ+XC0kGso6FaJETuWKLNXWY:Su0c++OCvkGs9Fa3WKcY

Score
10/10
snakekeyloggercollectiondiscoverykeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Halkbank Ekstresi.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Halkbank Ekstresi.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\Halkbank Ekstresi.pdf.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 680
      2⤵
      • Program crash
      PID:1812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4808 -ip 4808
    1⤵
      PID:4100

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2872-12-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2872-13-0x00000000742CE000-0x00000000742CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2872-14-0x0000000005C00000-0x00000000061A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2872-15-0x0000000005650000-0x00000000056EC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2872-16-0x00000000742C0000-0x0000000074A70000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2872-17-0x0000000006850000-0x00000000068A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2872-18-0x00000000742CE000-0x00000000742CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2872-19-0x0000000006A70000-0x0000000006C32000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2872-20-0x0000000006940000-0x00000000069D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2872-21-0x00000000068D0000-0x00000000068DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2872-22-0x00000000742C0000-0x0000000074A70000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4808-11-0x0000000000B70000-0x0000000000F70000-memory.dmp

      Filesize

      4.0MB

      Download