Edit tour

Windows Analysis Report
HSBC Havale Bildirimi.exe

Overview

General Information

Sample name:	HSBC Havale Bildirimi.exe
Analysis ID:	1430124
MD5:	bd60459b620a2eae856dcd1441c4bdec
SHA1:	62b1413836683e02a024e34724c3413408a80e2f
SHA256:	d644e92ab06e7ff19e5f10453d102137a2d057a0a97e6890cec905a211c7f467
Tags:	AgentTeslaexegeoHSBCTUR
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HSBC Havale Bildirimi.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe" MD5: BD60459B620A2EAE856DCD1441C4BDEC)

HSBC Havale Bildirimi.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe" MD5: BD60459B620A2EAE856DCD1441C4BDEC)

HSBC Havale Bildirimi.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe" MD5: BD60459B620A2EAE856DCD1441C4BDEC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://eu-west-1.sftpcloud.io", "Username": "8e065e20d50941049d65f96f62357139", "Password": "26esZMYm4svydFPPVNZDGTMnq25MRawd"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2877197811.000000000331A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2877197811.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2877197811.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: HSBC Havale Bildirimi.exe PID: 7256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HSBC Havale Bildirimi.exe PID: 7256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HSBC Havale Bildirimi.exe PID: 7256	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: HSBC Havale Bildirimi.exe PID: 7412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HSBC Havale Bildirimi.exe PID: 7412	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3120b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3127d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31307:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31399:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31403:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31475:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3150b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3159b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6be:$s2: GetPrivateProfileString 0x2ddd3:$s3: get_OSFullName 0x2f3f8:$s5: remove_Key 0x2f5a1:$s5: remove_Key 0x30442:$s6: FtpWebRequest 0x311ed:$s7: logins 0x3175f:$s7: logins 0x344d8:$s7: logins 0x34522:$s7: logins 0x35e2a:$s7: logins 0x350c6:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.HSBC Havale Bildirimi.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.HSBC Havale Bildirimi.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.HSBC Havale Bildirimi.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3300b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3307d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33107:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33199:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33203:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33275:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3330b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3339b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.HSBC Havale Bildirimi.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304be:$s2: GetPrivateProfileString 0x2fbd3:$s3: get_OSFullName 0x311f8:$s5: remove_Key 0x313a1:$s5: remove_Key 0x32242:$s6: FtpWebRequest 0x32fed:$s7: logins 0x3355f:$s7: logins 0x362d8:$s7: logins 0x36322:$s7: logins 0x37c2a:$s7: logins 0x36ec6:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x12ac4b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16506b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x19f28b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x12acbd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1650dd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x19f2fd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x12ad47:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x165167:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x19f387:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x12add9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1651f9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x19f419:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12ae43:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x165263:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x19f483:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x12aeb5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1652d5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x19f4f5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x12af4b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x16536b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x19f58b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x1280fe:$s2: GetPrivateProfileString 0x16251e:$s2: GetPrivateProfileString 0x19c73e:$s2: GetPrivateProfileString 0x127813:$s3: get_OSFullName 0x161c33:$s3: get_OSFullName 0x19be53:$s3: get_OSFullName 0x128e38:$s5: remove_Key 0x128fe1:$s5: remove_Key 0x163258:$s5: remove_Key 0x163401:$s5: remove_Key 0x19d478:$s5: remove_Key 0x19d621:$s5: remove_Key 0x129e82:$s6: FtpWebRequest 0x1642a2:$s6: FtpWebRequest 0x19e4c2:$s6: FtpWebRequest 0x12ac2d:$s7: logins 0x12b19f:$s7: logins 0x12df18:$s7: logins 0x12df62:$s7: logins 0x12f86a:$s7: logins 0x16504d:$s7: logins
0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3300b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d42b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa764b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3307d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d49d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa76bd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33107:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa7747:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33199:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d5b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa77d9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33203:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa7843:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33275:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa78b5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3330b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d72b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa794b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304be:$s2: GetPrivateProfileString 0x6a8de:$s2: GetPrivateProfileString 0xa4afe:$s2: GetPrivateProfileString 0x2fbd3:$s3: get_OSFullName 0x69ff3:$s3: get_OSFullName 0xa4213:$s3: get_OSFullName 0x311f8:$s5: remove_Key 0x313a1:$s5: remove_Key 0x6b618:$s5: remove_Key 0x6b7c1:$s5: remove_Key 0xa5838:$s5: remove_Key 0xa59e1:$s5: remove_Key 0x32242:$s6: FtpWebRequest 0x6c662:$s6: FtpWebRequest 0xa6882:$s6: FtpWebRequest 0x32fed:$s7: logins 0x3355f:$s7: logins 0x362d8:$s7: logins 0x36322:$s7: logins 0x37c2a:$s7: logins 0x6d40d:$s7: logins
0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xaee2b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xe924b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x12346b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaee9d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xe92bd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1234dd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaef27:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xe9347:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x123567:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaefb9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xe93d9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1235f9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaf023:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xe9443:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x123663:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaf095:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xe94b5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1236d5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaf12b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xe954b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x12376b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0xac2de:$s2: GetPrivateProfileString 0xe66fe:$s2: GetPrivateProfileString 0x12091e:$s2: GetPrivateProfileString 0xab9f3:$s3: get_OSFullName 0xe5e13:$s3: get_OSFullName 0x120033:$s3: get_OSFullName 0xad018:$s5: remove_Key 0xad1c1:$s5: remove_Key 0xe7438:$s5: remove_Key 0xe75e1:$s5: remove_Key 0x121658:$s5: remove_Key 0x121801:$s5: remove_Key 0xae062:$s6: FtpWebRequest 0xe8482:$s6: FtpWebRequest 0x1226a2:$s6: FtpWebRequest 0xaee0d:$s7: logins 0xaf37f:$s7: logins 0xb20f8:$s7: logins 0xb2142:$s7: logins 0xb3a4a:$s7: logins 0xe922d:$s7: logins
Click to see the 17 entries

Snort Signatures

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 159.65.94.38

Timestamp:	04/23/24-08:00:33.745256
SID:	2855542
Source Port:	49734
Destination Port:	50060
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 159.65.94.38

Timestamp:	04/23/24-08:00:33.745256
SID:	2851779
Source Port:	49734
Destination Port:	50060
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 159.65.94.38

Timestamp:	04/23/24-08:00:33.388142
SID:	2029927
Source Port:	49733
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HSBC Havale Bildirimi.exe

Avira: detected

Found malware configuration

Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://eu-west-1.sftpcloud.io", "Username": "8e065e20d50941049d65f96f62357139", "Password": "26esZMYm4svydFPPVNZDGTMnq25MRawd"}

Multi AV Scanner detection for submitted file

Source: HSBC Havale Bildirimi.exe	ReversingLabs: Detection: 31%
Source: HSBC Havale Bildirimi.exe	Virustotal: Detection: 35%			Perma Link

Machine Learning detection for sample

Source: HSBC Havale Bildirimi.exe

Joe Sandbox ML: detected

Source: HSBC Havale Bildirimi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HSBC Havale Bildirimi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Code function: 4x nop then jmp 07E0E943h

0_2_07E0EA52

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49733 -> 159.65.94.38:21
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49734 -> 159.65.94.38:50060
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49734 -> 159.65.94.38:50060

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 159.65.94.38:50060

Source: Joe Sandbox View

IP Address: 159.65.94.38 159.65.94.38

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown

FTP traffic detected: 159.65.94.38:21 -> 192.168.2.4:49733 220 SSH-2.0-SFTPCloud.io

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: eu-west-1.sftpcloud.io

Source: HSBC Havale Bildirimi.exe, 00000003.00000002.2877197811.0000000003328000.00000004.00000800.00020000.00000000.sdmp, HSBC Havale Bildirimi.exe, 00000003.00000002.2877197811.000000000331A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eu-west-1.sftpcloud.io
Source: HSBC Havale Bildirimi.exe, 00000003.00000002.2877197811.000000000331A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp, HSBC Havale Bildirimi.exe, 00000000.00000002.1650665443.0000000005DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp, HSBC Havale Bildirimi.exe, 00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, 7KG.cs

.Net Code: cYSVhF

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.HSBC Havale Bildirimi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.HSBC Havale Bildirimi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

.NET source code contains very large array initializations

Source: HSBC Havale Bildirimi.exe, Form7.cs	Large array initialization: : array initializer size 619594
Source: 0.2.HSBC Havale Bildirimi.exe.5c10000.11.raw.unpack, HomeView.cs	Large array initialization: : array initializer size 33604
Source: 0.2.HSBC Havale Bildirimi.exe.3459a2c.2.raw.unpack, HomeView.cs	Large array initialization: : array initializer size 33604

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_01A8E044	0_2_01A8E044
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E01AE8	0_2_07E01AE8
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E0A560	0_2_07E0A560
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E0C468	0_2_07E0C468
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E0C478	0_2_07E0C478
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E0C040	0_2_07E0C040
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E0CE28	0_2_07E0CE28
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E01AD7	0_2_07E01AD7
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E0A998	0_2_07E0A998
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07EF0EF0	0_2_07EF0EF0
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_030F4A60	3_2_030F4A60
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_030F9AE8	3_2_030F9AE8
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_030F3E48	3_2_030F3E48
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_030FCE78	3_2_030FCE78
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_030F4190	3_2_030F4190
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_068356E0	3_2_068356E0
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_06830040	3_2_06830040
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_06833F50	3_2_06833F50
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_0683BDE9	3_2_0683BDE9
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_06832AF8	3_2_06832AF8
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_06839AF8	3_2_06839AF8
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_06838B8B	3_2_06838B8B
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_0683323B	3_2_0683323B
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_06835000	3_2_06835000
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_0683AB18	3_2_0683AB18
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_06979598	3_2_06979598
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_06977BD4	3_2_06977BD4

Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1646007687.0000000003431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1643911980.000000000153E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1653737064.000000000BA20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000000.00000000.1622596557.0000000001072000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKktQ.exeL vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1650315487.0000000005C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1646007687.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename0e5d931d-5261-42c7-a0a7-da0466d93cee.exe4 vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename0e5d931d-5261-42c7-a0a7-da0466d93cee.exe4 vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000003.00000002.2875412080.00000000011A8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe, 00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename0e5d931d-5261-42c7-a0a7-da0466d93cee.exe4 vs HSBC Havale Bildirimi.exe
Source: HSBC Havale Bildirimi.exe	Binary or memory string: OriginalFilenameKktQ.exeL vs HSBC Havale Bildirimi.exe

Source: HSBC Havale Bildirimi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.HSBC Havale Bildirimi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.HSBC Havale Bildirimi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: HSBC Havale Bildirimi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, 1UT6pzc0M.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, DnQOD3M.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, 01seU.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, iUDwvr7Gz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, XUu2qKyuF6.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, aZathEIgR.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, l50VLEll22.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, l50VLEll22.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, sPgJFWg0LIKTTxN70F.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, Vh0lGERDVsax8KlZLV.cs	Security API names: _0020.SetAccessControl
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, Vh0lGERDVsax8KlZLV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, Vh0lGERDVsax8KlZLV.cs	Security API names: _0020.AddAccessRule
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, sPgJFWg0LIKTTxN70F.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, Vh0lGERDVsax8KlZLV.cs	Security API names: _0020.SetAccessControl
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, Vh0lGERDVsax8KlZLV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, Vh0lGERDVsax8KlZLV.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC Havale Bildirimi.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Mutant created: NULL

Source: HSBC Havale Bildirimi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HSBC Havale Bildirimi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HSBC Havale Bildirimi.exe	ReversingLabs: Detection: 31%
Source: HSBC Havale Bildirimi.exe	Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

File read: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process created: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process created: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process created: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process created: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: HSBC Havale Bildirimi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HSBC Havale Bildirimi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: HSBC Havale Bildirimi.exe, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.HSBC Havale Bildirimi.exe.5c10000.11.raw.unpack, HomeView.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, Vh0lGERDVsax8KlZLV.cs	.Net Code: BNIFllXsp7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.HSBC Havale Bildirimi.exe.3459a2c.2.raw.unpack, HomeView.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, Vh0lGERDVsax8KlZLV.cs	.Net Code: BNIFllXsp7 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_01A8DA50 pushfd ; iretd	0_2_01A8DA89
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E0B230 push ebx; retf	0_2_07E0B283
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 0_2_07E0A05E pushad ; retf	0_2_07E0A05F
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_0697F4D3 pushad ; ret	3_2_0697F4DD
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Code function: 3_2_0697DD50 push es; ret	3_2_0697DD60

Source: HSBC Havale Bildirimi.exe

Static PE information: section name: .text entropy: 7.880013247472283

Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, TCDSbJFy2extBEQBLh.cs	High entropy of concatenated method names: 'iO2a3PgJFW', 'SLIaRKTTxN', 'meSaGULtc6', 'XwJawxdOyB', 'dIKa8179oc', 'tFEaZRR6D5', 'is8WASSD8WC1URry3q', 'NXcgcIuyjlkMFnaDtd', 'ks3aaeCTv1', 'IRgaOnE2RX'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, sUNlA1AQDmAIe9SWfS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'roXmXvx57V', 'hkam7kAnZG', 'EWQmz3OnMh', 'jYYO5AHt1X', 'UMgOa8C443', 'HDqOmQlapO', 'tMwOOGorim', 'AQrmxR65Du0DayPuaOy'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, sPgJFWg0LIKTTxN70F.cs	High entropy of concatenated method names: 'A2M4voS5eV', 'y9w4ehy4xV', 'nim40rqMgO', 'R8u4juGoEk', 'YZ24i61GKZ', 'Hnq4hB0KHL', 'K8e4slP8A6', 'OHY4n8nvj0', 'YvC4X1xPbn', 'srU47msExZ'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, t8AQRAjUftIDFW1DQX.cs	High entropy of concatenated method names: 'vbLSGp1w4N', 'TahSwnpZLo', 'ToString', 'AbdSbQWBEb', 'VBLS4H3O1E', 'MMwSAiXcX8', 'AQjSB6w53l', 'zbxS99DWcZ', 'fYeS3mNqdR', 'RkgSRayhCk'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, dfcA9wWeSULtc6XwJx.cs	High entropy of concatenated method names: 'SHMATZ1LvO', 'XI4AfIhDf6', 'H2lAgXUTKt', 'viDAWgMdon', 'pCKA8O9AY9', 'GeAAZax7YV', 'zV1AS8OOHW', 'v7sALQcqpm', 'xCxAY8sYkV', 'I2qA2xd6Q2'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, xOyBRV1j8lyZUOIK17.cs	High entropy of concatenated method names: 'QRnBcZ6WO5', 'V0VBJNBdt1', 'RSqAxthbjc', 'jR6Auy8CRG', 'RuXAkBbI3v', 'Cv0AV75fTZ', 'yR1ArYnIsE', 'gWeANTdwiM', 'KqnAQRv2J8', 'UncAChFdGo'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, UmAMcqEKFG0jWUHESc.cs	High entropy of concatenated method names: 'h54ogfLfXF', 'eZyoWfIfnx', 'NpnoPgxluV', 'DIBoKjv05G', 'g0Nouu1prD', 'nNPokIsYvt', 'wlworGbBKX', 'sURoNxSWNi', 'ieCoCv8SBI', 'mkyotnAJWi'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, hySlqhnZZ4gj77rIgR.cs	High entropy of concatenated method names: 'go0LbA3yG7', 'AGSL42EyWe', 'JeTLAlCgMh', 'vKJLBGTrFg', 'n6HL90KqVX', 'FqML31eHau', 'p3cLRt4B0W', 'oUWLMQXSGg', 'qYKLGc8w22', 'YZ5Lwufkq0'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, d0I6FCQPhVG7bZ79bW.cs	High entropy of concatenated method names: 'LNd3dnfeK6', 'BHK3qTpJxu', 'HDX3lMRy0d', 'gaW3TTMMyq', 'h4k3c14RT6', 'kOF3fuM1QJ', 'XhP3JI4aAD', 'boo3guyXA2', 'AJP3WXmr9f', 'oZG31yMopU'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, ioc2FEPRR6D5dWc7Yj.cs	High entropy of concatenated method names: 'hUd9IBZ8pI', 'vbx94O4fFh', 'XKy9B3UGOB', 'sb493rheKe', 'EY19Rqb0LG', 'AeKBivbqN4', 'x59Bhh4Z5O', 'RLyBsNHTbR', 'ACTBnEan50', 'x6aBXTuHJy'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, u4jr8nrvvcc1Krsh0j.cs	High entropy of concatenated method names: 'NeK3bHYlnR', 'J4s3Atshkn', 'xw739Ne4hN', 'Nxw97OhRtj', 'NUi9zjvRrU', 'RUh35Ebk1n', 'HZ33au1AsT', 'gj33mvtw8U', 'Vro3OfjMpG', 'GAi3FnEJVZ'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, Vh0lGERDVsax8KlZLV.cs	High entropy of concatenated method names: 'X54OIP1RFA', 'M6RObdvXY0', 'qy0O4A6Woq', 'DctOAWw3TE', 'QfKOBwZCli', 'OTOO9GIF6O', 'pZ3O34a80d', 'MDoORleerV', 'KG1OMhrpKF', 'C1pOGkKvxL'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, OyhVpNX9vvlMA9i8tv.cs	High entropy of concatenated method names: 'F1NLPqpbhK', 'akiLKovnCX', 'GhQLxNWaWC', 'j1SLuFv440', 'ALsLvLu2tt', 'OpwLkpZ77u', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, EnlqP2mvt0LTA0qg0B.cs	High entropy of concatenated method names: 'Ir3l5RrCQ', 'LOKTjrEWy', 'R1Lfb6v0F', 'nXwJF4u4Q', 'H0JWb97nL', 'Fyc1sLW5I', 'oEdWHHdJZonj7gVybX', 'GRCjiVp24rigtKOZqq', 'rPFLJh8MZ', 'VGH2Xju4h'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, Igykv4h6Y6ywpKeygy.cs	High entropy of concatenated method names: 'RQiSnSu3qX', 'zfSS7Kw7qa', 'OAuL5caIeb', 'MiHLaglegm', 'lJBStdeSSC', 'tp4SHLLDQo', 'aYWSE0PPka', 'Jl0Sv9EFrU', 'ws8Se4Y5N7', 'BLkS0yFWXP'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, P32R92aOLBjV09FUrUm.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FGf2vUCG8I', 'M9L2eJ5fZr', 'YyN201J4wm', 'XQE2jDbudG', 'od62iDSvJe', 'e9C2hK6kPP', 'fQ42s6Lp9T'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, L4uJGia5wbZAevBfo3P.cs	High entropy of concatenated method names: 'UGJYdjRan1', 'QfIYqwyQal', 'dZdYlXpXwO', 'L8rYTwhlCc', 'qwHYca39A1', 'ykSYfW24Td', 'xiZYJ9ZURb', 'fieYgcwxCb', 'OaNYWwFly3', 'QigY12XSjM'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, VtxG5Z7YrkqvFdtTc1.cs	High entropy of concatenated method names: 'aWmYa4A13n', 'xIIYOw6h1I', 'vcPYFVR22t', 'e2QYbYmSO9', 'T3cY4T7oBT', 'JxSYB3y5J3', 'o3qY9YDEBa', 'WTTLsGI8P1', 'QvnLnhUuyf', 'Jy9LXSrPq4'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, tEgjRG4Gr0tGRbcNHG.cs	High entropy of concatenated method names: 'Dispose', 'Vw5aXHfvAw', 'zyBmKD5MTr', 'rIHZZ5m2PF', 'CBya7SlqhZ', 'p4gazj77rI', 'ProcessDialogKey', 'DRtm5yhVpN', 'ivvmalMA9i', 'otvmmhtxG5'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, pY3sh3vgaeIfbaJour.cs	High entropy of concatenated method names: 'W1O8CvDVT8', 'f6P8HODuyZ', 'ac08vRU1YX', 'HI08eu1wdM', 'hwV8KkOGQX', 'V848xgHeMt', 'DfT8uInt1h', 'pwI8kcxi4I', 'zyf8VoksfM', 'hXm8rglr8r'
Source: 0.2.HSBC Havale Bildirimi.exe.ba20000.15.raw.unpack, FQvYhOam5679JJSWxg2.cs	High entropy of concatenated method names: 'ahh2dpG1F3', 'CI52q9YOsw', 'F1b2lAIQo0', 's7BruRwuAGsAMtgTaqS', 'z3qvXFwFWkws62y4Mce', 'nlu287wHy09MbNLeW0n', 'IWLLhWwegWD3r262Krj', 'yZZ8ffwYKpKlQFOFXng'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, TCDSbJFy2extBEQBLh.cs	High entropy of concatenated method names: 'iO2a3PgJFW', 'SLIaRKTTxN', 'meSaGULtc6', 'XwJawxdOyB', 'dIKa8179oc', 'tFEaZRR6D5', 'is8WASSD8WC1URry3q', 'NXcgcIuyjlkMFnaDtd', 'ks3aaeCTv1', 'IRgaOnE2RX'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, sUNlA1AQDmAIe9SWfS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'roXmXvx57V', 'hkam7kAnZG', 'EWQmz3OnMh', 'jYYO5AHt1X', 'UMgOa8C443', 'HDqOmQlapO', 'tMwOOGorim', 'AQrmxR65Du0DayPuaOy'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, sPgJFWg0LIKTTxN70F.cs	High entropy of concatenated method names: 'A2M4voS5eV', 'y9w4ehy4xV', 'nim40rqMgO', 'R8u4juGoEk', 'YZ24i61GKZ', 'Hnq4hB0KHL', 'K8e4slP8A6', 'OHY4n8nvj0', 'YvC4X1xPbn', 'srU47msExZ'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, t8AQRAjUftIDFW1DQX.cs	High entropy of concatenated method names: 'vbLSGp1w4N', 'TahSwnpZLo', 'ToString', 'AbdSbQWBEb', 'VBLS4H3O1E', 'MMwSAiXcX8', 'AQjSB6w53l', 'zbxS99DWcZ', 'fYeS3mNqdR', 'RkgSRayhCk'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, dfcA9wWeSULtc6XwJx.cs	High entropy of concatenated method names: 'SHMATZ1LvO', 'XI4AfIhDf6', 'H2lAgXUTKt', 'viDAWgMdon', 'pCKA8O9AY9', 'GeAAZax7YV', 'zV1AS8OOHW', 'v7sALQcqpm', 'xCxAY8sYkV', 'I2qA2xd6Q2'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, xOyBRV1j8lyZUOIK17.cs	High entropy of concatenated method names: 'QRnBcZ6WO5', 'V0VBJNBdt1', 'RSqAxthbjc', 'jR6Auy8CRG', 'RuXAkBbI3v', 'Cv0AV75fTZ', 'yR1ArYnIsE', 'gWeANTdwiM', 'KqnAQRv2J8', 'UncAChFdGo'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, UmAMcqEKFG0jWUHESc.cs	High entropy of concatenated method names: 'h54ogfLfXF', 'eZyoWfIfnx', 'NpnoPgxluV', 'DIBoKjv05G', 'g0Nouu1prD', 'nNPokIsYvt', 'wlworGbBKX', 'sURoNxSWNi', 'ieCoCv8SBI', 'mkyotnAJWi'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, hySlqhnZZ4gj77rIgR.cs	High entropy of concatenated method names: 'go0LbA3yG7', 'AGSL42EyWe', 'JeTLAlCgMh', 'vKJLBGTrFg', 'n6HL90KqVX', 'FqML31eHau', 'p3cLRt4B0W', 'oUWLMQXSGg', 'qYKLGc8w22', 'YZ5Lwufkq0'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, d0I6FCQPhVG7bZ79bW.cs	High entropy of concatenated method names: 'LNd3dnfeK6', 'BHK3qTpJxu', 'HDX3lMRy0d', 'gaW3TTMMyq', 'h4k3c14RT6', 'kOF3fuM1QJ', 'XhP3JI4aAD', 'boo3guyXA2', 'AJP3WXmr9f', 'oZG31yMopU'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, ioc2FEPRR6D5dWc7Yj.cs	High entropy of concatenated method names: 'hUd9IBZ8pI', 'vbx94O4fFh', 'XKy9B3UGOB', 'sb493rheKe', 'EY19Rqb0LG', 'AeKBivbqN4', 'x59Bhh4Z5O', 'RLyBsNHTbR', 'ACTBnEan50', 'x6aBXTuHJy'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, u4jr8nrvvcc1Krsh0j.cs	High entropy of concatenated method names: 'NeK3bHYlnR', 'J4s3Atshkn', 'xw739Ne4hN', 'Nxw97OhRtj', 'NUi9zjvRrU', 'RUh35Ebk1n', 'HZ33au1AsT', 'gj33mvtw8U', 'Vro3OfjMpG', 'GAi3FnEJVZ'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, Vh0lGERDVsax8KlZLV.cs	High entropy of concatenated method names: 'X54OIP1RFA', 'M6RObdvXY0', 'qy0O4A6Woq', 'DctOAWw3TE', 'QfKOBwZCli', 'OTOO9GIF6O', 'pZ3O34a80d', 'MDoORleerV', 'KG1OMhrpKF', 'C1pOGkKvxL'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, OyhVpNX9vvlMA9i8tv.cs	High entropy of concatenated method names: 'F1NLPqpbhK', 'akiLKovnCX', 'GhQLxNWaWC', 'j1SLuFv440', 'ALsLvLu2tt', 'OpwLkpZ77u', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, EnlqP2mvt0LTA0qg0B.cs	High entropy of concatenated method names: 'Ir3l5RrCQ', 'LOKTjrEWy', 'R1Lfb6v0F', 'nXwJF4u4Q', 'H0JWb97nL', 'Fyc1sLW5I', 'oEdWHHdJZonj7gVybX', 'GRCjiVp24rigtKOZqq', 'rPFLJh8MZ', 'VGH2Xju4h'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, Igykv4h6Y6ywpKeygy.cs	High entropy of concatenated method names: 'RQiSnSu3qX', 'zfSS7Kw7qa', 'OAuL5caIeb', 'MiHLaglegm', 'lJBStdeSSC', 'tp4SHLLDQo', 'aYWSE0PPka', 'Jl0Sv9EFrU', 'ws8Se4Y5N7', 'BLkS0yFWXP'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, P32R92aOLBjV09FUrUm.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FGf2vUCG8I', 'M9L2eJ5fZr', 'YyN201J4wm', 'XQE2jDbudG', 'od62iDSvJe', 'e9C2hK6kPP', 'fQ42s6Lp9T'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, L4uJGia5wbZAevBfo3P.cs	High entropy of concatenated method names: 'UGJYdjRan1', 'QfIYqwyQal', 'dZdYlXpXwO', 'L8rYTwhlCc', 'qwHYca39A1', 'ykSYfW24Td', 'xiZYJ9ZURb', 'fieYgcwxCb', 'OaNYWwFly3', 'QigY12XSjM'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, VtxG5Z7YrkqvFdtTc1.cs	High entropy of concatenated method names: 'aWmYa4A13n', 'xIIYOw6h1I', 'vcPYFVR22t', 'e2QYbYmSO9', 'T3cY4T7oBT', 'JxSYB3y5J3', 'o3qY9YDEBa', 'WTTLsGI8P1', 'QvnLnhUuyf', 'Jy9LXSrPq4'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, tEgjRG4Gr0tGRbcNHG.cs	High entropy of concatenated method names: 'Dispose', 'Vw5aXHfvAw', 'zyBmKD5MTr', 'rIHZZ5m2PF', 'CBya7SlqhZ', 'p4gazj77rI', 'ProcessDialogKey', 'DRtm5yhVpN', 'ivvmalMA9i', 'otvmmhtxG5'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, pY3sh3vgaeIfbaJour.cs	High entropy of concatenated method names: 'W1O8CvDVT8', 'f6P8HODuyZ', 'ac08vRU1YX', 'HI08eu1wdM', 'hwV8KkOGQX', 'V848xgHeMt', 'DfT8uInt1h', 'pwI8kcxi4I', 'zyf8VoksfM', 'hXm8rglr8r'
Source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, FQvYhOam5679JJSWxg2.cs	High entropy of concatenated method names: 'ahh2dpG1F3', 'CI52q9YOsw', 'F1b2lAIQo0', 's7BruRwuAGsAMtgTaqS', 'z3qvXFwFWkws62y4Mce', 'nlu287wHy09MbNLeW0n', 'IWLLhWwegWD3r262Krj', 'yZZ8ffwYKpKlQFOFXng'

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: HSBC Havale Bildirimi.exe PID: 7256, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: 19E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: 3430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: 19E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: 9410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: 7C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: A410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: B410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: BAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: CAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: DAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: 32D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Memory allocated: 52D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe TID: 7276

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: HSBC Havale Bildirimi.exe, 00000003.00000002.2875574272.0000000001656000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Memory written: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process created: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"			Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Process created: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe "C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"			Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HSBC Havale Bildirimi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2877197811.000000000331A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2877197811.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC Havale Bildirimi.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HSBC Havale Bildirimi.exe PID: 7412, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Havale Bildirimi.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HSBC Havale Bildirimi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2877197811.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC Havale Bildirimi.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HSBC Havale Bildirimi.exe PID: 7412, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HSBC Havale Bildirimi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.5012820.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.510a460.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HSBC Havale Bildirimi.exe.508e640.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2877197811.000000000331A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2877197811.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC Havale Bildirimi.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HSBC Havale Bildirimi.exe PID: 7412, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HSBC Havale Bildirimi.exe	32%	ReversingLabs	Win32.Trojan.GenSteal
HSBC Havale Bildirimi.exe	36%	Virustotal		Browse
HSBC Havale Bildirimi.exe	100%	Avira	HEUR/AGEN.1309691
HSBC Havale Bildirimi.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
eu-west-1.sftpcloud.io	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://eu-west-1.sftpcloud.io	1%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
eu-west-1.sftpcloud.io	159.65.94.38	true	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.dyn.com/	HSBC Havale Bildirimi.exe, 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp, HSBC Havale Bildirimi.exe, 00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.galapagosdesign.com/staff/dennis.htm	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers/frere-user.html	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://eu-west-1.sftpcloud.io	HSBC Havale Bildirimi.exe, 00000003.00000002.2877197811.0000000003328000.00000004.00000800.00020000.00000000.sdmp, HSBC Havale Bildirimi.exe, 00000003.00000002.2877197811.000000000331A000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.urwpp.deDPlease	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HSBC Havale Bildirimi.exe, 00000003.00000002.2877197811.000000000331A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	HSBC Havale Bildirimi.exe, 00000000.00000002.1650702636.0000000007522000.00000004.00000800.00020000.00000000.sdmp, HSBC Havale Bildirimi.exe, 00000000.00000002.1650665443.0000000005DB0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
159.65.94.38	eu-west-1.sftpcloud.io	United States		14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430124
Start date and time:	2024-04-23 07:59:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HSBC Havale Bildirimi.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 85 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:00:28	API Interceptor	2x Sleep call for process: HSBC Havale Bildirimi.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
159.65.94.38	rKjlbIeOH9.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
	RI5YLKEDM2.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	#U00d6deme Onay#U0131 Kopyas#U0131.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	r__demeOnay__Kopyas__.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	42#U0435.exe	Get hash	malicious	AgentTesla	Browse
	#U0642#U0633#U064a#U0645#U0629_#U0627#U0644#U062f#U0641#U0639.exe	Get hash	malicious	AgentTesla	Browse
	#U00d6deme_Onay#U0131_Kopyas.....exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	#U00f6deme_makbuzu.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	#U00d6deme_makbuzu.exe	Get hash	malicious	AgentTesla	Browse
	#U00d6deme_makbuzu.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
eu-west-1.sftpcloud.io	rKjlbIeOH9.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	159.65.94.38
	RI5YLKEDM2.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	159.65.94.38
	#U00d6deme Onay#U0131 Kopyas#U0131.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	159.65.94.38
	r__demeOnay__Kopyas__.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	159.65.94.38
	42#U0435.exe	Get hash	malicious	AgentTesla	Browse	159.65.94.38
	#U0642#U0633#U064a#U0645#U0629_#U0627#U0644#U062f#U0641#U0639.exe	Get hash	malicious	AgentTesla	Browse	159.65.94.38
	#U00d6deme_Onay#U0131_Kopyas.....exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	159.65.94.38
	#U00f6deme_makbuzu.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	159.65.94.38
	#U00d6deme_makbuzu.exe	Get hash	malicious	AgentTesla	Browse	159.65.94.38
	#U00d6deme_makbuzu.exe	Get hash	malicious	AgentTesla	Browse	159.65.94.38

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	CxBkzmVHaR.elf	Get hash	malicious	Mirai	Browse	142.93.67.140
	pJNcZyhUh8.elf	Get hash	malicious	Mirai	Browse	46.101.242.254
	https://url.za.m.mimecastprotect.com/s/jC3iCP1JJ7tQXOpWCziIaE?domain=americanconfort.com	Get hash	malicious	HTMLPhisher	Browse	159.203.50.177
	.Sx86.elf	Get hash	malicious	Unknown	Browse	206.189.49.14
	http://outlookaccount.rf.gd/?i=1	Get hash	malicious	Unknown	Browse	146.185.171.8
	https://yxv.ens.mybluehost.me/Ca/net/login.php	Get hash	malicious	Unknown	Browse	138.197.61.175
	https://www.admin-longin.co.jp.ysvllet.cn/	Get hash	malicious	Unknown	Browse	165.22.249.193
	cfGjk0Keob.elf	Get hash	malicious	Mirai	Browse	204.48.26.239
	tajma.arm7-20240421-1029.elf	Get hash	malicious	Mirai, Okiru	Browse	159.203.140.79
	https://track.enterprisetechsol.com/z.z?l=aHR0cHM6Ly9yZXNvdXJjZS5pdGJ1c2luZXNzdG9kYXkuY29tL3doaXRlcGFwZXJzLzQ0ODAzLU1pY3Jvc29mdC1DUEwtUTItUE1HLUFCTS1HZXItMS1sYW5kaW5nLnBocD9lPWJvbnVjY2VsbGkuZGFyaW9AZGVtZS1ncm91cC5jb20=&r=14547470367&d=12037165&p=1&t=h&h=fb97401a549b1167a78f6002a0aef94d	Get hash	malicious	Unknown	Browse	104.248.15.35

Process:	C:\Users\user\Desktop\HSBC Havale Bildirimi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.873277037231857
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	HSBC Havale Bildirimi.exe
File size:	725'504 bytes
MD5:	bd60459b620a2eae856dcd1441c4bdec
SHA1:	62b1413836683e02a024e34724c3413408a80e2f
SHA256:	d644e92ab06e7ff19e5f10453d102137a2d057a0a97e6890cec905a211c7f467
SHA512:	8a24c4709854cbb9221b686d1872ffb0eb63024b8ecdbec27730ff019f7cf148180de89936da3b24bc996e3ef1a53b1a752f521dfbf0f0e4369eee8d32106701
SSDEEP:	12288:moCAGP4tB3qQVrh/Rr632btNzBc0cqPLrj8rI+XobStrWn:EP4tB3qQ5O32bTzqYTrjSemw
TLSH:	D5F41204367E9F4ACA7E83B14426D90843B4B05B6372D70B0FC7A4CA1E76B948D5DBA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.%f.....................(........... ........@.. ....................................@................................

File Icon


Icon Hash:	98306c8c8ca682cc

Static PE Info

General

Entrypoint:	0x4b061e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6625FD34 [Mon Apr 22 06:01:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb05cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x2600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae624	0xae800	6ca90f255076aaec5d152941b8991589	False	0.9266780645594556	TTComp archive data, binary, 4K dictionary	7.880013247472283	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x2600	0x2600	4cc0b07dc1e447b2383ab1f1faffc178	False	0.8831208881578947	data	7.560738636069652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	87c088891334cba01a8bfa2b8573d3fa	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2130	0x1ec9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9813475447278264
RT_GROUP_ICON	0xb3ffc	0x14	data	0.95
RT_VERSION	0xb4010	0x380	data	0.4296875
RT_MANIFEST	0xb4390	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/23/24-08:00:33.745256	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49734	50060	192.168.2.4	159.65.94.38
04/23/24-08:00:33.745256	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49734	50060	192.168.2.4	159.65.94.38
04/23/24-08:00:33.388142	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49733	21	192.168.2.4	159.65.94.38

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:00:31.838227987 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:31.994132996 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:31.994281054 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:32.150793076 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:32.151110888 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:32.306823969 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:32.388303041 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:32.388442039 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:32.544307947 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:32.593101978 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:32.595886946 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:32.751491070 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:32.751569033 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:32.751704931 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:32.907742977 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:32.912442923 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.068232059 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:33.069601059 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.225621939 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:33.228426933 CEST	49734	50060	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.271598101 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.384674072 CEST	50060	49734	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:33.385660887 CEST	49734	50060	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.388142109 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.584614992 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:33.745013952 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:33.745255947 CEST	49734	50060	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.745305061 CEST	49734	50060	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.787173033 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:33.901124001 CEST	50060	49734	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:33.944078922 CEST	50060	49734	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:34.187016010 CEST	50060	49734	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:34.187108040 CEST	49734	50060	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:34.187158108 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:34.240298033 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:00:49.576065063 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:00:49.576117039 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:01:04.736148119 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:01:04.736206055 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:01:19.896258116 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:01:19.896312952 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:01:35.144310951 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:01:35.144614935 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:01:50.304147959 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:01:50.304312944 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:02:05.464199066 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:02:05.464344025 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:02:20.711925030 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:02:20.712032080 CEST	49733	21	192.168.2.4	159.65.94.38
Apr 23, 2024 08:02:35.868295908 CEST	21	49733	159.65.94.38	192.168.2.4
Apr 23, 2024 08:02:35.868407965 CEST	49733	21	192.168.2.4	159.65.94.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:00:31.713063955 CEST	57591	53	192.168.2.4	1.1.1.1
Apr 23, 2024 08:00:31.807450056 CEST	53	57591	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 08:00:31.713063955 CEST	192.168.2.4	1.1.1.1	0x7a08	Standard query (0)	eu-west-1.sftpcloud.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 08:00:31.807450056 CEST	1.1.1.1	192.168.2.4	0x7a08	No error (0)	eu-west-1.sftpcloud.io		159.65.94.38	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 23, 2024 08:00:32.150793076 CEST	21	49733	159.65.94.38	192.168.2.4	220 SSH-2.0-SFTPCloud.io
Apr 23, 2024 08:00:32.151110888 CEST	49733	21	192.168.2.4	159.65.94.38	USER 8e065e20d50941049d65f96f62357139
Apr 23, 2024 08:00:32.388303041 CEST	21	49733	159.65.94.38	192.168.2.4	331 OK
Apr 23, 2024 08:00:32.388442039 CEST	49733	21	192.168.2.4	159.65.94.38	PASS 26esZMYm4svydFPPVNZDGTMnq25MRawd
Apr 23, 2024 08:00:32.593101978 CEST	21	49733	159.65.94.38	192.168.2.4	230 Password ok, continue
Apr 23, 2024 08:00:32.751569033 CEST	21	49733	159.65.94.38	192.168.2.4	200 I'm in UTF8 only anyway
Apr 23, 2024 08:00:32.751704931 CEST	49733	21	192.168.2.4	159.65.94.38	PWD
Apr 23, 2024 08:00:32.907742977 CEST	21	49733	159.65.94.38	192.168.2.4	257 "/" is the current directory
Apr 23, 2024 08:00:32.912442923 CEST	49733	21	192.168.2.4	159.65.94.38	TYPE I
Apr 23, 2024 08:00:33.068232059 CEST	21	49733	159.65.94.38	192.168.2.4	200 Type set to binary
Apr 23, 2024 08:00:33.069601059 CEST	49733	21	192.168.2.4	159.65.94.38	PASV
Apr 23, 2024 08:00:33.225621939 CEST	21	49733	159.65.94.38	192.168.2.4	227 Entering Passive Mode (159,65,94,38,195,140)
Apr 23, 2024 08:00:33.388142109 CEST	49733	21	192.168.2.4	159.65.94.38	STOR PW_user-472847_2024_04_23_08_00_30.html
Apr 23, 2024 08:00:33.745013952 CEST	21	49733	159.65.94.38	192.168.2.4	150 Using transfer connection
Apr 23, 2024 08:00:34.187158108 CEST	21	49733	159.65.94.38	192.168.2.4	226 Closing transfer connection

Target ID:	0
Start time:	08:00:27
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\HSBC Havale Bildirimi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"
Imagebase:	0xfc0000
File size:	725'504 bytes
MD5 hash:	BD60459B620A2EAE856DCD1441C4BDEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1647158292.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:00:29
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\HSBC Havale Bildirimi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"
Imagebase:	0x250000
File size:	725'504 bytes
MD5 hash:	BD60459B620A2EAE856DCD1441C4BDEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:00:29
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\HSBC Havale Bildirimi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HSBC Havale Bildirimi.exe"
Imagebase:	0xf60000
File size:	725'504 bytes
MD5 hash:	BD60459B620A2EAE856DCD1441C4BDEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2877197811.000000000331A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2875205244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2877197811.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2877197811.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.8%
Total number of Nodes:	159
Total number of Limit Nodes:	11

Executed Functions

Function 07EF0EF0 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652762591.0000000007EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ef0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cd92bef7bd3043a1edf0626c9530735873229fa06446b56f65178530b9c5bd
Instruction ID: 80c89c70ba56f4bc63f7eef183e7b0fd781048e851660b71ecdb5c041a2c69bb
Opcode Fuzzy Hash: 30cd92bef7bd3043a1edf0626c9530735873229fa06446b56f65178530b9c5bd
Instruction Fuzzy Hash: F232BDB0B02209CFDB15EB69C550BAEB7F6AF89304F248469E205DB7A1DB35EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07E01AD7 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b04e729b094c06dae696dc504100277e6e170493e57eb910013e8f3e7a3a63a
Instruction ID: d51c5d06b332f6dfbddedfa484e084dc374a065d97ff3e1ced99ef0e7e875c1c
Opcode Fuzzy Hash: 7b04e729b094c06dae696dc504100277e6e170493e57eb910013e8f3e7a3a63a
Instruction Fuzzy Hash: 4CE1F832D20B5B8ACB10EB64D990A9DB7B1FF95300F11C79AD04937261EB746EC9CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07E01AE8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01bc9af6f5dc3e72e4e9e9b543c11352ae82f764db1022a4be802e4d1cd4f0dc
Instruction ID: e7a013f0fee2221bf09026aa6ca87bb6c2f4d58db10e190539930380e27ff10e
Opcode Fuzzy Hash: 01bc9af6f5dc3e72e4e9e9b543c11352ae82f764db1022a4be802e4d1cd4f0dc
Instruction Fuzzy Hash: 9DD1F932D20B5B8ACB10EB64D990A9DB7B1FF95300F11C79AD04937261EB746EC9CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07E0EA52 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae77b41d5267da187f2e50447ca008661fcbbcf406e6bdfa7f616e6262f5fd6
Instruction ID: 927df49cccec8b8b456bcb5ba7488a9067f770e51d1d1c934368922734a53cb5
Opcode Fuzzy Hash: 0ae77b41d5267da187f2e50447ca008661fcbbcf406e6bdfa7f616e6262f5fd6
Instruction Fuzzy Hash: AD21F8B4915228DFDB60DF64C845BECBBB4EB0A304F14A4EA950DA6281C7355FC6CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01A8D49A Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01A8D51E
GetCurrentThread.KERNEL32 ref: 01A8D55B
GetCurrentProcess.KERNEL32 ref: 01A8D598
GetCurrentThreadId.KERNEL32 ref: 01A8D5F1

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3cfc979dfa6dd1931d8ebdfc6df370954a758fe6757fe52902c51488e979aec0
Instruction ID: b3bf86f71319c8c1ba765def1326455543fd4a22023e4d16f5b3abd7b797e5ec
Opcode Fuzzy Hash: 3cfc979dfa6dd1931d8ebdfc6df370954a758fe6757fe52902c51488e979aec0
Instruction Fuzzy Hash: 745175B0901649CFDB18DFA9D548BAEBBF1EF48314F24C45AD019AB3A0C7749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01A8D4A0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01A8D51E
GetCurrentThread.KERNEL32 ref: 01A8D55B
GetCurrentProcess.KERNEL32 ref: 01A8D598
GetCurrentThreadId.KERNEL32 ref: 01A8D5F1

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 36d9660652a2b508f4e696820daecc8cbcb90f88b4a45a2d59c4c7b7e8e46240
Instruction ID: 405227a3a3d21e91cc0db85565aba17d84a1490e57a9a4fe4c89ccc2f4331122
Opcode Fuzzy Hash: 36d9660652a2b508f4e696820daecc8cbcb90f88b4a45a2d59c4c7b7e8e46240
Instruction Fuzzy Hash: DB5165B0901649CFDB18DFA9D548BAEBBF1EF48314F20C45AD019AB3A0D7749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D59C Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07E0D7DE

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cf37f995506d41492ce21d41de4cb5feae1ff617806bf9c0df4fbdba565ea40e
Instruction ID: b38e53c4614fe9e04c2d332a5b6aca31beefad48c9a503026d6802fa40d53a5f
Opcode Fuzzy Hash: cf37f995506d41492ce21d41de4cb5feae1ff617806bf9c0df4fbdba565ea40e
Instruction Fuzzy Hash: A5A18CB1E0161ADFDB10DFA8CC417EDBBB2AF44314F1481A9E808A7284DB7499C5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D5A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07E0D7DE

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 92010063c0869065a60fbed58bb3950f3410659e00e8cd0ec8fcb3fd0c1eaba3
Instruction ID: 922e37f9554d4a64214c8f920f2035f5c9f23000abab959535138a1e3b7d9506
Opcode Fuzzy Hash: 92010063c0869065a60fbed58bb3950f3410659e00e8cd0ec8fcb3fd0c1eaba3
Instruction Fuzzy Hash: 8A915BB1E0161ADFDB10DFA8CC417EDBBB2AF44314F1481A9E809A7294DB7499C5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 01A8B210 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01A8B466

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 39bef268fd872b8cd14993abab96d4afed887cff24b0e504e51cb0ade51e9b8c
Instruction ID: 88b2ab75c95215c898560199ec38959216a37ee4f0ad4f7b2d7cba848db9fae0
Opcode Fuzzy Hash: 39bef268fd872b8cd14993abab96d4afed887cff24b0e504e51cb0ade51e9b8c
Instruction Fuzzy Hash: F8713670A00B058FD724EF69D14479ABBF5FF88300F108A2ED48AD7A51EB75E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A85E94 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01A85F51

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4b4b4eccec15fe589eb0b8fa2fd3105da5cee7b6c5a89bdb4033711184dc499d
Instruction ID: b7bcaae46eac8a9075a33215d4e96c3d68d6bae73939beea7aeae752ff9d4298
Opcode Fuzzy Hash: 4b4b4eccec15fe589eb0b8fa2fd3105da5cee7b6c5a89bdb4033711184dc499d
Instruction Fuzzy Hash: D341F0B1C00619CFDB24DFA9C984BDEBBF5BF48304F24806AD418AB255DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01A84A7C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01A85F51

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d289652406eb07109c189c6463e5860c6bf2876202e562885d8a2f3ed6355ca1
Instruction ID: 69c1488619f5557af0f60ce4fb2bde4d60970aac982eb780b790050aa9d96059
Opcode Fuzzy Hash: d289652406eb07109c189c6463e5860c6bf2876202e562885d8a2f3ed6355ca1
Instruction Fuzzy Hash: A441CEB0C0061DCFDB24DFA9C944B9EBBF5BF49304F24806AD418AB255DB756985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D318 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07E0D3B0

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e6ea1097f39e1e360bbb9b9d9d86f81a584d09341c34da68ac3409b8a5f5fa1b
Instruction ID: 83fbc8e5b656c2ee594b4c33812dcea84aa7049cd58a2a40f5dc6960817adebc
Opcode Fuzzy Hash: e6ea1097f39e1e360bbb9b9d9d86f81a584d09341c34da68ac3409b8a5f5fa1b
Instruction Fuzzy Hash: 17215AB59003599FCB10DFA9C881BEEBBF5FF48320F10842AE958A7250C7789584CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07E0CD48 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E0CDCE

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1e276436be869f18cb3758e82748c4f97a4e31066da7a2c4cbab9e17d0f1e8ad
Instruction ID: 2c7e7532797333f2d6dc1329aed6bd399c283736f7af62941f04ee42698d3498
Opcode Fuzzy Hash: 1e276436be869f18cb3758e82748c4f97a4e31066da7a2c4cbab9e17d0f1e8ad
Instruction Fuzzy Hash: 76219AB1D002198FDB10DFAAC4817EEBFF4EF88324F10842AD459A7290C7789985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D320 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07E0D3B0

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 099ba3a931ddef7c98bae478d31fc9594a2dae4688ca176a24424aa639d5ac27
Instruction ID: 196cff3266ba83bc7081ac93304f216bd3904b4ad1b76f0216119207e350c502
Opcode Fuzzy Hash: 099ba3a931ddef7c98bae478d31fc9594a2dae4688ca176a24424aa639d5ac27
Instruction Fuzzy Hash: 7C213BB19003599FCB10CFA9C885BDEBBF5FF48314F108429E558A7250C7789584CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D408 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E0D490

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 148332675696194a96e850344c06a8a8a62b1b805eb3b76932144b12e0c2e7a4
Instruction ID: f4d254ff055f3c0944c2f3737f43e7df310c98ddaf00670664c180cb8875958a
Opcode Fuzzy Hash: 148332675696194a96e850344c06a8a8a62b1b805eb3b76932144b12e0c2e7a4
Instruction Fuzzy Hash: 9D212AB1D002599FCB10DFAAC881AEEFBF5FF48324F50842AE558A7250C7789545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A8D6E0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A8D76F

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f4fab81933d30d41b4ca02ef66ff2c30c491a4e4971f2eb3f933321b41d3475b
Instruction ID: df65614aa0e4b78efa78945c112bbc56c8996ff713ca94c31d35b5661cec0d6b
Opcode Fuzzy Hash: f4fab81933d30d41b4ca02ef66ff2c30c491a4e4971f2eb3f933321b41d3475b
Instruction Fuzzy Hash: 1321E3B59002489FDB10DFA9D984AEEBBF4EB48310F14841AE958A3350D374A954CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D410 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07E0D490

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0774d3b2a09d0aadcab12c046acdc2deaab17e5331e1b6407f32e18be7557537
Instruction ID: f9fddcbf9c256339d5885fcc705dc68834da99a9d1a1cab6b8019ce1e8da6383
Opcode Fuzzy Hash: 0774d3b2a09d0aadcab12c046acdc2deaab17e5331e1b6407f32e18be7557537
Instruction Fuzzy Hash: 1D2128B19002599FCB10DFAAC881AEEFBF5FF48320F50842AE558A7250C774A544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07E0CD50 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E0CDCE

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e4f3b006ad6baee5229d6e4f6b59d6e0208122b6be0f96739c30e4b2d7a061b2
Instruction ID: a874dfdddbf74ef2b567a5867701b761852b808ac93925c4b52a4227392a85fb
Opcode Fuzzy Hash: e4f3b006ad6baee5229d6e4f6b59d6e0208122b6be0f96739c30e4b2d7a061b2
Instruction Fuzzy Hash: 8F211AB19002099FDB10DFAAC4857EEBBF4EF88314F14842AD459A7254C7789585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A8D6E8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01A8D76F

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 984ab1f96c6e3442145cab8bcb6bd2101d28553953b1d9d9eb15e7b4e789138f
Instruction ID: c612cdafd4d047f90dba638b590ec3379d22dcfcf61bc4246348633d6af86d55
Opcode Fuzzy Hash: 984ab1f96c6e3442145cab8bcb6bd2101d28553953b1d9d9eb15e7b4e789138f
Instruction Fuzzy Hash: 0F21F5B59002489FDB10DF9AD584AEEFFF4FB48310F14841AE954A3350D374A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07E0CC98 Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07E0CD02

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c56a79e546c3e3e32a6e12840a282c0bcc03ed397ffc752519716a312d9c5e90
Instruction ID: 246c4c6eeb26893a20a075000969ee3d770c8ab88f419f09fb35d984819d7f0d
Opcode Fuzzy Hash: c56a79e546c3e3e32a6e12840a282c0bcc03ed397ffc752519716a312d9c5e90
Instruction Fuzzy Hash: 2E117CB19002498FCB20DFAAD4457EEFFF4AB88324F20842AD459A7650C7359484CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D25A Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07E0D2CE

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 62be40341f125ed66263ce0267c5fc3c5bf5417bcc87fbf81f24e83d5b038e8f
Instruction ID: 5c90f11f9686e59959b2c86d62267279ae83bdc563f795cab59dd0fd3990e49e
Opcode Fuzzy Hash: 62be40341f125ed66263ce0267c5fc3c5bf5417bcc87fbf81f24e83d5b038e8f
Instruction Fuzzy Hash: AC119AB29002498FCB10DFA9C8457EEBFF5EF48324F10841AD459A7250C7359980CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A8AC28 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A8B4E1,00000800,00000000,00000000), ref: 01A8B6F2

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e3ec68ebf46f138a5cd452ba1672328eb57d7718e2a302f32274751f99715b24
Instruction ID: 5a2be20bf8bf66edad624741d35e9e0381c7a02a95bba00606e1df238785bf94
Opcode Fuzzy Hash: e3ec68ebf46f138a5cd452ba1672328eb57d7718e2a302f32274751f99715b24
Instruction Fuzzy Hash: D01123B6D003498FDB20DF9AC444AEEFBF4EB98314F14842AE519A7310C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A8B680 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01A8B4E1,00000800,00000000,00000000), ref: 01A8B6F2

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 37c5696af4165510b831dcd4fcb002f26b835b9c8994c2c6721f8cbf0adafe95
Instruction ID: 5ba1b023cdcf34f48554b4aea057709a262ef1c32c074ba1ce3218f792ff415e
Opcode Fuzzy Hash: 37c5696af4165510b831dcd4fcb002f26b835b9c8994c2c6721f8cbf0adafe95
Instruction Fuzzy Hash: 881112B6D002498FDB10DF9AD484ADEFBF4EB58314F14842AD919A7310C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07E0D260 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07E0D2CE

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 15bdb6625a0afffcdecc26a68fd35c697b20861ad9360f0d7588853955d08160
Instruction ID: c63fdfded5ce885f4aa22864f32f18bae8d78e292fa4b1dcea0659a309129c22
Opcode Fuzzy Hash: 15bdb6625a0afffcdecc26a68fd35c697b20861ad9360f0d7588853955d08160
Instruction Fuzzy Hash: 4B1126B19002499FCB10DFAAC845BEEBBF5EB88324F20841AE559A7250C775A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07E0CCA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07E0CD02

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 17538b9c4028d1a2e1f2a7117f9eff109097774ca77bd69ccc26ff6c48361092
Instruction ID: 6f08258958189e83d1d2878a15e20304711e63aff87be7dbb9754132775e07e7
Opcode Fuzzy Hash: 17538b9c4028d1a2e1f2a7117f9eff109097774ca77bd69ccc26ff6c48361092
Instruction Fuzzy Hash: 8D113AB19002498FCB20DFAAC4457EEFFF4EF88324F208429D559A7250C775A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07E0FE28 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07E0FE8D

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 11258dd16c77f3ce925100d7128fd8f0dc7b44507e37bbf36a6817b3f903e588
Instruction ID: 43c08578f0314046261df030d47660953d037ae7b5b4f9438ab190fbd5592e1f
Opcode Fuzzy Hash: 11258dd16c77f3ce925100d7128fd8f0dc7b44507e37bbf36a6817b3f903e588
Instruction Fuzzy Hash: C81133B59002498FCB20DF99D485BEEFFF4EB48324F10845AE458A7350C375A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07E0F6E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07E0FE8D

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3917b11096c94b9994068870477ce0d3aa883b3901db319c1d3161398040c38f
Instruction ID: 22b6669d5635f6c9d9f20a2bde3d14c7eccde05be276757a79c7e33d4c63223a
Opcode Fuzzy Hash: 3917b11096c94b9994068870477ce0d3aa883b3901db319c1d3161398040c38f
Instruction Fuzzy Hash: C91125B58003489FCB20DF89C449BEEBBF8EB48324F10845AE558A7240C375A994CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01A8B400 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01A8B466

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 75cddd22e4a7a6f01ca531c24a3da26bb033c258f4e8b1f073d91a81cc0c7c24
Instruction ID: c08ae69af06248b6d0063a8de2dc0ee0e429d6f058a32682f81ebdb86ce18341
Opcode Fuzzy Hash: 75cddd22e4a7a6f01ca531c24a3da26bb033c258f4e8b1f073d91a81cc0c7c24
Instruction Fuzzy Hash: EC111DB6C002498FDB20DF9AC444ADEFBF4AB88320F10842AD969B7211C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0174D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644740706.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f96eb9e7617f8a8397857283d8c879c280f9722ec4470f218b5d5a31e3a75f
Instruction ID: f0ea6e7d381e20cf83cfbd8003e4b0fe9d7abcf44efa2b3a77c1026c64d7a7c2
Opcode Fuzzy Hash: b9f96eb9e7617f8a8397857283d8c879c280f9722ec4470f218b5d5a31e3a75f
Instruction Fuzzy Hash: 9B212971608200DFDB15DF98D5C4B26FBA5FB94324F20C6ADE9894B356C336D446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0174D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644740706.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b0db5519dd578bf57e4afa1ef590e5ff1f576aa476261fa107f3bb74507fa7
Instruction ID: 295e3d9d07176bf1a48e4bab82c00f939091afecc1d0b98b254aae8f1d4fb2de
Opcode Fuzzy Hash: a4b0db5519dd578bf57e4afa1ef590e5ff1f576aa476261fa107f3bb74507fa7
Instruction Fuzzy Hash: F1212271604200DFCB25DF98D9C4B26FFA5EB98314F20C5ADD88A4B266C33AD447CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0174D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644740706.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 798c691eb1598b438db1389a38650b52614df392b7124c3705b3babb305877dd
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4E11D075504280CFDB16CF54D5C4B15FF61FB44314F24C6AED8494B666C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644740706.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 011d33d17fa2089cf24dc02a4060d06541cd281c3725a179bce855231a52822e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A311BB75508280DFDB12CF54C5C4B15FFA1FB84224F24C6AAD8894B296C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0152D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643896160.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152d000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078c3dbd43ddd084a1389521db9e8dc589dd11fe5dc95e74c38e3fddd4f29c87
Instruction ID: d6a9a71131f43c2a85397d8a906ed27651b8654c6ae49030fff92374ee979a13
Opcode Fuzzy Hash: 078c3dbd43ddd084a1389521db9e8dc589dd11fe5dc95e74c38e3fddd4f29c87
Instruction Fuzzy Hash: 9101AC721083909AE7115E59CDC476BBFE8FF42324F1CC96AED194E1C6D67D9440C671

Uniqueness

Uniqueness Score: -1.00%

Function 0152D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643896160.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152d000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66142e22df9360f262a9f8ae90fdc6175d1a732c5f162e3400e339d6936488ce
Instruction ID: 9e09278f862f5bf01e5f354bd15e468cd05b0f261d0ba285613b67d2a37ed626
Opcode Fuzzy Hash: 66142e22df9360f262a9f8ae90fdc6175d1a732c5f162e3400e339d6936488ce
Instruction Fuzzy Hash: 2FF062724083949AE7118E1ACCC8B66FFA8EB51734F18C45AED484E286C2799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07E0A560 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32a24a4bd17690d9a9944e2420810baf72b7e2f645b62dc93f017cc3b5ceee5
Instruction ID: 09932cc71f2993029c8f952afdfe4258e76c326d0824c085cc06d3c7b149ef57
Opcode Fuzzy Hash: e32a24a4bd17690d9a9944e2420810baf72b7e2f645b62dc93f017cc3b5ceee5
Instruction Fuzzy Hash: CCE109B4E012198FDB14DFA9C5849AEBBB2FF49305F24D169E414AB355D730AD81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07E0C478 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e88fc75e957333d886ee5135cc3638c41b0b150efbb01d637e08e7264e187fa
Instruction ID: 1a38830b6aa6bdac67992632d31c30f41c9831872f49063e95820d4e8f8b2b68
Opcode Fuzzy Hash: 3e88fc75e957333d886ee5135cc3638c41b0b150efbb01d637e08e7264e187fa
Instruction Fuzzy Hash: 24E10BB4E011198FDB14DFA9C5809AEFBB2FF89305F249269E414AB355D730AD81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07E0C040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbf3910f878cbf65a2757f6a25cb57f4b619ba1b879a217d690e3e483497aa3
Instruction ID: 52025ba57f9c06e4bfc0b1c53b19a3c51bbd813b81e277d4f5a587c1af814aef
Opcode Fuzzy Hash: 9fbf3910f878cbf65a2757f6a25cb57f4b619ba1b879a217d690e3e483497aa3
Instruction Fuzzy Hash: 07E1FBB4E011198FDB14DFA9C5809AEFBB2FF49305F249269E414AB356D734AD81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07E0CE28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed26de3cb8f43eb9d9bf534d50c3aff9d6e12e21bac57667d42589bc4c9e0c7e
Instruction ID: f45cf60861476da88529ccd01890309714411e413064c16d0c25947300484b81
Opcode Fuzzy Hash: ed26de3cb8f43eb9d9bf534d50c3aff9d6e12e21bac57667d42589bc4c9e0c7e
Instruction Fuzzy Hash: 88E119B4E011198FDB14DFA9C5909AEFBF2FF89305F249159E404AB355D730A982CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07E0A998 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b97ff675dab8a8b3e1bad2d053c29e9ca06705b1d0767cd722e500931abe984
Instruction ID: 85a83f6890aad29f5ca19202e24476e990a9633edd8923eb0a06047ca60ef64e
Opcode Fuzzy Hash: 8b97ff675dab8a8b3e1bad2d053c29e9ca06705b1d0767cd722e500931abe984
Instruction Fuzzy Hash: F1E10AB4E012198FDB14DFA9C5809AEBBB2FF89305F24D169E414A7356D734AD81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A8E044 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645181440.0000000001A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a80000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba110715636647735254944fa37e0ebb623cca395c2bf8e116c246ee12d75f25
Instruction ID: 6e776012f21e1e79091614f67e94e57e0efab63aebb464a724d16272d360bdb6
Opcode Fuzzy Hash: ba110715636647735254944fa37e0ebb623cca395c2bf8e116c246ee12d75f25
Instruction Fuzzy Hash: 00A16032E0021ACFCF05EFB4D98459EBBB2FF85300B15457AE905AB265DB31E956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07E0C468 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652388244.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e00000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc4dbd82673b6e7d81beaeb02b4ab7a9ac7a7cc3bb1e4c2762c5c3c4bae79f5
Instruction ID: 31d6388e5a7bf7d83a6034a111112124f1b4f9b4868f4b887a7e76b67af0d334
Opcode Fuzzy Hash: 5cc4dbd82673b6e7d81beaeb02b4ab7a9ac7a7cc3bb1e4c2762c5c3c4bae79f5
Instruction Fuzzy Hash: 725139B4E002198BDB14CFA9D5805EEBBF2AF89304F24926AD408A7256D7309981CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: HSBC Havale Bildirimi.exePID: 7412, Parent PID: 7256COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	94.1%
Signature Coverage:	0%
Total number of Nodes:	51
Total number of Limit Nodes:	4

Executed Functions

Function 030F9AE8 Relevance: 2.9, Instructions: 2854COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49b4daea3f9acea0dc82d3cf8a3b659f5d2f43677fc6ef1e33c3240ec8cf99b
Instruction ID: d85a733b97d08ded2f79a642ff54c5c50bc87f1cfc104da4176fecc955b3ef1f
Opcode Fuzzy Hash: e49b4daea3f9acea0dc82d3cf8a3b659f5d2f43677fc6ef1e33c3240ec8cf99b
Instruction Fuzzy Hash: E863E831D10B1A8EDB11EF68C8446A9F7B1FF99300F15D79AE45867221EB70AAC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 030FCE78 Relevance: 2.4, Instructions: 2406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45a60833611c4e05d2e4491cf313600a8e0e1993da34dee51b66d2bac1afc68
Instruction ID: 085f7fbbb65e8fc785dff1a6593813441d2bffe059c907db99c775455c2f69c5
Opcode Fuzzy Hash: b45a60833611c4e05d2e4491cf313600a8e0e1993da34dee51b66d2bac1afc68
Instruction Fuzzy Hash: EE332E31D107198EDB11EF68C8846ADF7B5FF99300F14C69AE459A7221EB70EAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 030F4A60 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aae4617ec12e0d35d74bd94ab3bc08d8e7e98bb19c1b780140a45171019149
Instruction ID: 99a347883868885868ee1a3044641be00a9e9548158a87399c750219c514e2b6
Opcode Fuzzy Hash: 65aae4617ec12e0d35d74bd94ab3bc08d8e7e98bb19c1b780140a45171019149
Instruction Fuzzy Hash: FDB17070E01209CFDB50CFAAD8917DEFBF2AF88314F188529D915EB694EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 030F3E48 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6433cadad13045b8ae058daddb18d79544a5809c3aac60cf6aedc790f5cecc4a
Instruction ID: 817549636828971173c981453ed770930c58fa8c8b28b636fc97e8ccb02e5ba8
Opcode Fuzzy Hash: 6433cadad13045b8ae058daddb18d79544a5809c3aac60cf6aedc790f5cecc4a
Instruction Fuzzy Hash: A0918170E01209DFDF50CFA9C8817DEBBF2BF88314F188129E915AB694EB349885CB41

Uniqueness

Uniqueness Score: -1.00%

Function 030F6EA3 Relevance: 2.6, Strings: 2, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 030F6F9B
LR^q, xrefs: 030F6ED6

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 489e2fe1e84d462350afdb3655b6c0900573e6f03d8ceb09e5b55fa429ffb556
Instruction ID: 9ded44ba8a180c8b8f081e4d11b559b0b6b3ecb1b868d5a6003c58e6d6836398
Opcode Fuzzy Hash: 489e2fe1e84d462350afdb3655b6c0900573e6f03d8ceb09e5b55fa429ffb556
Instruction Fuzzy Hash: 9551F430E1120A9FDB15DFA8C84479EBBF6EF85700F148469E505EB741EB71D84ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 0697AAC4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0697D8D1

Memory Dump Source

Source File: 00000003.00000002.2881627606.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6970000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b676622d33ba3e273e24dcc82fcb731b0a446cd85ca51c4c69d07980384a113f
Instruction ID: d0d9f20a954b1f4bd27702f46fdcb91d225b1915e6cb12ac597d315a73813dd4
Opcode Fuzzy Hash: b676622d33ba3e273e24dcc82fcb731b0a446cd85ca51c4c69d07980384a113f
Instruction Fuzzy Hash: 65414BB5900309CFDB54DF59C888AAABBF5FF88314F24C459D519AB721D731A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0683C368 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0683C3CF

Memory Dump Source

Source File: 00000003.00000002.2881414895.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6830000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 336003e1d487aa56a2afe109e92d675a29500ae27aae199f7b198d8e9db00534
Instruction ID: c0884d12837101ccb96331f98bf7c9df17c1e02bb1f0ebb3a19b4c9037c02d7e
Opcode Fuzzy Hash: 336003e1d487aa56a2afe109e92d675a29500ae27aae199f7b198d8e9db00534
Instruction Fuzzy Hash: 5711F3B1C006699BCB10DF9AC544BDEFBF4AF48320F15816AD918B7250D378A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0683C360 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0683C3CF

Memory Dump Source

Source File: 00000003.00000002.2881414895.0000000006830000.00000040.00000800.00020000.00000000.sdmp, Offset: 06830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6830000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a1fb7f22c0a0a249ce5e34e5d2f86dae3e5e3af89c60f2bd4ad359cbb6163f3e
Instruction ID: ccde738f97fc6b1251a082e27a0844bb596f49c58a0fc23f8c417462f06dc203
Opcode Fuzzy Hash: a1fb7f22c0a0a249ce5e34e5d2f86dae3e5e3af89c60f2bd4ad359cbb6163f3e
Instruction Fuzzy Hash: F11114B1C006699BCB10DFAAC5447DEFBF4AF48320F14816AD818B7241D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0697FD50 Relevance: 1.5, APIs: 1, Instructions: 47
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0697FDAD

Memory Dump Source

Source File: 00000003.00000002.2881627606.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6970000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d47f933ef189161e8d5248da5beee0d721e816d89b2eabfa8a9ff1f35d44ebec
Instruction ID: c832a679dc72c9ac1a3e0928de5eeefd2fb8218ac7356b1c4192622f1196a9b9
Opcode Fuzzy Hash: d47f933ef189161e8d5248da5beee0d721e816d89b2eabfa8a9ff1f35d44ebec
Instruction Fuzzy Hash: 861115B58003588FCB60DFAAD445BCEBBF8EB48324F20845AE559A7650D374A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0697EE60 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0697FDAD

Memory Dump Source

Source File: 00000003.00000002.2881627606.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6970000_HSBC Havale Bildirimi.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: aa66e137f03111baafd743f8f0290b9bb0dca306f553295fce6f72d7a8a61dce
Instruction ID: 70f22219f918da927fc7f5bfc9fc119b56eac498eb4e8c9561f93a4c095284c3
Opcode Fuzzy Hash: aa66e137f03111baafd743f8f0290b9bb0dca306f553295fce6f72d7a8a61dce
Instruction Fuzzy Hash: A81115B19003488FDB60DF9AD548BDEBBF8EB48324F20845AD519B7650D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030FF3F5 Relevance: 1.4, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 030FF543

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: e703ae73a330cbb78acb184b0b19e7f306b49c78ee980e3e6991494a2932616b
Instruction ID: 5ea1ba450398e59238d4a9291e63486a45e6c3548a2cdcba24be9370cac9580f
Opcode Fuzzy Hash: e703ae73a330cbb78acb184b0b19e7f306b49c78ee980e3e6991494a2932616b
Instruction Fuzzy Hash: 5D4100307052028FCB05EB78D55466EBBE6EF89600F284469C506DB795EF39EC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 030F4F50 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

3, xrefs: 030F4EEB

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: c724e6096331ca4e197150b38d865cf0dc2fcd1212fa90a6353e21eacbfbd33c
Instruction ID: 961a35bad03ac50af691c268e3945dcd88303f5a8706f192773791cd0296be7e
Opcode Fuzzy Hash: c724e6096331ca4e197150b38d865cf0dc2fcd1212fa90a6353e21eacbfbd33c
Instruction Fuzzy Hash: ED41E434A01245CFCB54EB79C9587AEBBF1EF89300F2440A9D90ADB7A1DB359C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 030F6F40 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LR^q, xrefs: 030F6F9B

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 7496ce515402a3732430569aee3350f7d75df539475b8a3cb1074895da822cda
Instruction ID: 2cb50f9c5ad1c44b5b736e1f5539a4a8ba58fcde36e30dcabaef5f32b5990b3d
Opcode Fuzzy Hash: 7496ce515402a3732430569aee3350f7d75df539475b8a3cb1074895da822cda
Instruction Fuzzy Hash: 20318F71E1120E8FDB54CFA9C84479EB7B6FF85310F148966E905EB240E771D84ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 030F6B68 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LR^q, xrefs: 030F6B9F

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 654f5212333783f2d35177e2c3013e2fbf92bf9737693fbc7295653e6473298b
Instruction ID: e7e07c43afad455e0df3e7795546e48eabe141bf21e99394fbd321d55361b8f5
Opcode Fuzzy Hash: 654f5212333783f2d35177e2c3013e2fbf92bf9737693fbc7295653e6473298b
Instruction Fuzzy Hash: 621123302092546FC706DB3D8424AAE7FF6EF8A701B1184BAD009CF692DB36D845C793

Uniqueness

Uniqueness Score: -1.00%

Function 030F7580 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d73e3ea59228f06a985250cb21061063f210836c3e60948e208c8116be70a1a
Instruction ID: 819cffc1c13a736864fc90afc23f33c4f6b4d3fbebd75042be08371a0777f374
Opcode Fuzzy Hash: 7d73e3ea59228f06a985250cb21061063f210836c3e60948e208c8116be70a1a
Instruction Fuzzy Hash: CC024034B01102DFCB59EB2CE98822977E6FB9A740B144979D505CB3A4DF35DC8B87A2

Uniqueness

Uniqueness Score: -1.00%

Function 030F9698 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6271f3bb7d7a7c2833fdcac310dca136ce383328a51d2cfd7bcc432276d6ef
Instruction ID: 6885fae246cd9e66ca58adbf2163d785c4d825dde95c0487db5c00342fb99485
Opcode Fuzzy Hash: 3e6271f3bb7d7a7c2833fdcac310dca136ce383328a51d2cfd7bcc432276d6ef
Instruction Fuzzy Hash: 55C1C271A012058FDB50CF69D9847AEBBF6FB88310F2485AADA09DB791DB30DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030F931C Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9010fab7aa03c4314975bbd6b392d3d74c1b74847abe6b03ad43391f8647c2b
Instruction ID: a504b98741cd0760c6bdbe0ad8ea50da4d1a9c5fe11d38b072640e2c920b259f
Opcode Fuzzy Hash: b9010fab7aa03c4314975bbd6b392d3d74c1b74847abe6b03ad43391f8647c2b
Instruction Fuzzy Hash: D5C16D34A012058FDB14DFA8D584BADBBF6EF88310F248469E906DB7A4DB35ED42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 030F4A57 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c7ca567e1efc735e364240f3615da9610746ce8d2916e8de70a78135e02b67
Instruction ID: a13092409d7beb050a945885d8c24f033cba70011cc82c0c6cc1aaf2901bc898
Opcode Fuzzy Hash: d1c7ca567e1efc735e364240f3615da9610746ce8d2916e8de70a78135e02b67
Instruction Fuzzy Hash: FBA17E70E01209CFDB50CFAAD8917DEFBF2AF88314F188529D915EB654EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 030F3E3C Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ff3bb1b7b2836c0272f20792c1bc314f52177e541dc3d14e64afe403c22395
Instruction ID: 4c261c28fa733f4bbc0a322e440958daf7764fac804ae5d3e50e1225bee4e960
Opcode Fuzzy Hash: a9ff3bb1b7b2836c0272f20792c1bc314f52177e541dc3d14e64afe403c22395
Instruction Fuzzy Hash: EE916070E01209DFDB50CFA9C9857DEFBF1BF88314F188129E915A7694EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 030F47CC Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f32d5eb1951e583992e4a36498c888d74e347afa3e1af526da9c7670b4609e
Instruction ID: a7e754a67c90ab53e85be118539af32d015923397111f509a16dc89b1a34912f
Opcode Fuzzy Hash: b7f32d5eb1951e583992e4a36498c888d74e347afa3e1af526da9c7670b4609e
Instruction Fuzzy Hash: 05717E70E05249DFDF10CFAAC8817DEFBF1AF88314F188129E915AB654EB749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030F47D8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a979061fe93718d0e49bafcf3e607e9df6a3b6d004d83814f44833d4fdc221
Instruction ID: c97eccec0cdbec02d1a0d27a7623a2eccb2df9e111144de168a83c8e7642b794
Opcode Fuzzy Hash: f5a979061fe93718d0e49bafcf3e607e9df6a3b6d004d83814f44833d4fdc221
Instruction Fuzzy Hash: 33718F70E05249DFDF10CFAAC8417DEFBF2AF88314F188129D915A7654EB749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030F6CA5 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80dda6eb84ee8b79d3ace3e3c050fa65a51600056f3f038bb6ded64ef9c69fc
Instruction ID: 5e4e4a2408593c65a54b0591bada4ada1294eaed0404d445e1b9cb23f2a36959
Opcode Fuzzy Hash: c80dda6eb84ee8b79d3ace3e3c050fa65a51600056f3f038bb6ded64ef9c69fc
Instruction Fuzzy Hash: CD512070D112188FDB18CFA9C884B9DFBF1BF48714F188129E819BB690DB75A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 030F6CB0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39b95e1fefe9286db8e334ee1cf0d2bd679f915c1fb53ee8900563d50625ee4
Instruction ID: 88704cfc64ecfb171a1549c832b64aad0f2679a80d8ce65224985e25781b8d2a
Opcode Fuzzy Hash: a39b95e1fefe9286db8e334ee1cf0d2bd679f915c1fb53ee8900563d50625ee4
Instruction Fuzzy Hash: 09512271D002188FDB18CFA9C884B9DFBF1BF48714F188119E819BB690DB75A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 030F1128 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec7ce45bbc7578a962ef79cd279254be9ac2a2433267656e352de8ed788d6c1
Instruction ID: bd8b233887c14071c46f2bce2dfd7ab8fbd285f9df9148f562e878b63e488619
Opcode Fuzzy Hash: cec7ce45bbc7578a962ef79cd279254be9ac2a2433267656e352de8ed788d6c1
Instruction Fuzzy Hash: BE51FB31B07281CFC755DB6CF998955BBB5FB9530474482AAD0004B33ADB786E4ACFA2

Uniqueness

Uniqueness Score: -1.00%

Function 030FF2B8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72d45d0856eef3d353fcc3e36dcdcf04a6bf18a624ea1989c9467b8f6cbfea8
Instruction ID: 24132e208040daabe73334f165f78774707618ecac09dcff6f9810947332ff3f
Opcode Fuzzy Hash: d72d45d0856eef3d353fcc3e36dcdcf04a6bf18a624ea1989c9467b8f6cbfea8
Instruction Fuzzy Hash: DE318035E112069FCB44DF68D8946AEB7F6EF89300F148529E916EB750DB70EC46CB44

Uniqueness

Uniqueness Score: -1.00%

Function 030F1138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b0ffc438216e6588c5bcda417c6fb94bba41c7b1a61c41b82df9792e07c136
Instruction ID: 345f5823b60d33a4c5731ae8abec8f2bc87f7df4325229b858deb0c448a792d5
Opcode Fuzzy Hash: f0b0ffc438216e6588c5bcda417c6fb94bba41c7b1a61c41b82df9792e07c136
Instruction Fuzzy Hash: EB41D630B43241CFC755DB6CF998959BBB5FB9530474482A9D0044B33ADB78AE4ACFA2

Uniqueness

Uniqueness Score: -1.00%

Function 030F26A7 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760d98c314cd0d2b167fdc89cdf81e9db6bb6041e25babb587b173cbf07f5919
Instruction ID: 6fe01639b0381f5f470ce145679955191e03baff0e5001c0b7b4f201e6030c93
Opcode Fuzzy Hash: 760d98c314cd0d2b167fdc89cdf81e9db6bb6041e25babb587b173cbf07f5919
Instruction Fuzzy Hash: EF41FFB4D013499FDB10CFA9C884ADEBBF5FF48310F248429E819AB254DB75A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030FF27B Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5160fde1f78ba71062d3a7d2a87d17a8d61ab793675ebf63933e2b5f1729835f
Instruction ID: 6b02ff71ec8cc1fecb58a4d057943c7b7cd43e1cb4761f86060e28ab784fbf3d
Opcode Fuzzy Hash: 5160fde1f78ba71062d3a7d2a87d17a8d61ab793675ebf63933e2b5f1729835f
Instruction Fuzzy Hash: 7C319E34E056468FCB45CFA4D894A9EBBF2FF89200F18855AE916EB751DB70EC46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 030FF2C8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5646c0b409a80984241e761c5b8c397d7aa1611eb376dca92bb5d898fcf9248c
Instruction ID: 1d67b6ce80a8fa0a98652b12c9cb2a9773b346abb21b7c0106bdd4af36e67e67
Opcode Fuzzy Hash: 5646c0b409a80984241e761c5b8c397d7aa1611eb376dca92bb5d898fcf9248c
Instruction Fuzzy Hash: 35316034E012069FCB19DF68D894AAEB7F6FF89300F148529E916E7750DB70AC46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 030F26B0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca84d7806db84eb7fd745d7a2f50aa1b7f04545523ee5ba2ccf00154fc8c4296
Instruction ID: c6d0ad0a23d973f174c2eaf327c95b50ca6c9d9ce9eac8cb142a81de0558ee03
Opcode Fuzzy Hash: ca84d7806db84eb7fd745d7a2f50aa1b7f04545523ee5ba2ccf00154fc8c4296
Instruction Fuzzy Hash: 9141EEB4D013499FDB10DFA9C484ADEBFF5BF48310F248429E819AB264DB75A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030F9207 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cae44472ba812bf75280d21ed6a5505a404c4707d4ac9ccc1e0f675df327dc
Instruction ID: 6b537c18d83af196875664595f366b79bbf5c0144fa39c1d6876ec14b56f0fbb
Opcode Fuzzy Hash: f8cae44472ba812bf75280d21ed6a5505a404c4707d4ac9ccc1e0f675df327dc
Instruction Fuzzy Hash: B9317E31E012099FDB85DFA4D89479EF7B6FF89300F188629E905AB750DB70E846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030F7059 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262953aea837d548e3c1387a632a2cb10e11399d10f3046fc700ed77fd73a402
Instruction ID: 7fa8574a79260879b962cfb900706b8d4d5d315c05e0c228f44234b5466246f8
Opcode Fuzzy Hash: 262953aea837d548e3c1387a632a2cb10e11399d10f3046fc700ed77fd73a402
Instruction Fuzzy Hash: AB212134701215DFD749EB78E49862D77ABFBC8704B204468E50A973A8DF35DC46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 030F1668 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f033214c33ebfd03b864cfec6ea27d6836acd3e9c920af4ac582ff033f8f963
Instruction ID: 74472f6439fca0fbefd314cec383eb84092b20695c6824b8f12248cd9f0af03e
Opcode Fuzzy Hash: 5f033214c33ebfd03b864cfec6ea27d6836acd3e9c920af4ac582ff033f8f963
Instruction Fuzzy Hash: 13213B74B02280CFCB99D77CF88875A77A9E749354F1809F1D509CB6A5EB24CC858BA3

Uniqueness

Uniqueness Score: -1.00%

Function 030F9218 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d048563b2484e9a68c5bebafd9eda26e2c0826966f356f373ad62f2c11dbd0
Instruction ID: 0a27af1da274c9a58c4fa0dbb7e3f0357abef204adac48e3d3b1ab7f9932188e
Opcode Fuzzy Hash: 79d048563b2484e9a68c5bebafd9eda26e2c0826966f356f373ad62f2c11dbd0
Instruction Fuzzy Hash: 3B215E30E0120A9FDB85DFA4D88469EF7B6FF89300F148615E905AB650DB70E846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030F133F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0f66b31e501a5851b641d7d0c4f129d2cfba9d4cde955cff74d57f5bd0aaa7
Instruction ID: 994bd330b20d25ea72a26e231467a8a0efbb9c3aaf14b608a061c86994fb7eac
Opcode Fuzzy Hash: ee0f66b31e501a5851b641d7d0c4f129d2cfba9d4cde955cff74d57f5bd0aaa7
Instruction Fuzzy Hash: 3B21D770B02141CFDB7CE628E44875D76D9EB4E710F0808A9EA06C7B94EB28D88587A6

Uniqueness

Uniqueness Score: -1.00%

Function 030F9108 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8810825f9c7e3f709228370f5a183b6b530c4caeb02047273fe2bfa66528f1f
Instruction ID: 5918aefa2f91c6ca699e453e6df70417382f58a1d90da5d81dc228064566ce39
Opcode Fuzzy Hash: b8810825f9c7e3f709228370f5a183b6b530c4caeb02047273fe2bfa66528f1f
Instruction Fuzzy Hash: 73219031E0120A9FDB18DFA8C8586DEB7B6FF89300F14852AE915FB750EB709946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 030F1840 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6e06fa8e008b53fe3f2edf500359096c8c77e35f7e5653bcf86ccaece1fdc3
Instruction ID: fcfedbc8323c18cb0ee8e0f9aad0effe0fb7781b0b58bb5bdd8b7d036639f328
Opcode Fuzzy Hash: 5d6e06fa8e008b53fe3f2edf500359096c8c77e35f7e5653bcf86ccaece1fdc3
Instruction Fuzzy Hash: 89217F30B06205CFDB68DB39D514BAEB7F5AF89304F1441A8D506EB7A0DB399D41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876528143.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18fd000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc3e83cd991e33dbd0ba812dcaf226a274f40b74a01ddc6b874c84cded420a5
Instruction ID: 30e93418e00567aed78ca53e17b127a5361a8652862ff264ff0330192b37c64b
Opcode Fuzzy Hash: ddc3e83cd991e33dbd0ba812dcaf226a274f40b74a01ddc6b874c84cded420a5
Instruction Fuzzy Hash: 76210071604204DFDB15DF58D984B26BBA5EB84318F20C66DEB0A8B256C33AD547CA61

Uniqueness

Uniqueness Score: -1.00%

Function 030F9118 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb41ef372d919d2d44596546cf816a60674e1f438529cf8154359dc6ce3a573
Instruction ID: 2ed6636bc2adbe8c8da45e29872bb49f1184995360cb3cb15c31b75924bd928e
Opcode Fuzzy Hash: bbb41ef372d919d2d44596546cf816a60674e1f438529cf8154359dc6ce3a573
Instruction Fuzzy Hash: D0217130E012099FDB18DFA8C45869EB7B6BF89300F14852AE915EB740DB709946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 030F1850 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf51f5e99ea0144c664d4cbb02dcd4b7158fcc88401bf55fe52a0e3cab6d02b7
Instruction ID: abf4bf729e7490a4977df157d4bc299067c48bd90ea94c7ecc49a603540191e0
Opcode Fuzzy Hash: bf51f5e99ea0144c664d4cbb02dcd4b7158fcc88401bf55fe52a0e3cab6d02b7
Instruction Fuzzy Hash: 89214130B05204CFDB58DB79D6146AE77F6AF89241F1004A8D506EB7A0DB3ADD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 030F1678 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ce9123453dc7f8729b8d0a38dfd49ef1ae47654658569ed396db3260045a70
Instruction ID: 4d3046d276414e0ae95d3695d7bf7bf66674dbd3557cf6e23abd002917bc6424
Opcode Fuzzy Hash: 10ce9123453dc7f8729b8d0a38dfd49ef1ae47654658569ed396db3260045a70
Instruction Fuzzy Hash: 5921D570B022408FCB58EB3CF94875E77AAE748354F1449B1D509C7665EB38DC858BA3

Uniqueness

Uniqueness Score: -1.00%

Function 030F4F60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cbf654ae058955bddbdc5601954f514ae265fe55c6171041c64fa102dde7a1
Instruction ID: f1b7f889d14b2b383274aabefbf8ad92b0e090324930d6a0a29c48c0febf41b8
Opcode Fuzzy Hash: 04cbf654ae058955bddbdc5601954f514ae265fe55c6171041c64fa102dde7a1
Instruction Fuzzy Hash: 2D21FA34B01205CFDB54EB79D958AAEB7F1EF49340F1044A8E906EB760EB369D04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 030F0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce101d8c8599d748fd56cb246ad4442a0a85a419868cbd376af5cd42ddd2e1f
Instruction ID: 497fce214ffb7d8e1310debfc9dc5e689f0bec2134b1e842932fd3eee377286f
Opcode Fuzzy Hash: 0ce101d8c8599d748fd56cb246ad4442a0a85a419868cbd376af5cd42ddd2e1f
Instruction Fuzzy Hash: F0110630B022059FDFA4EB78D84433D72EAEB45310F148979D642CF742DA25CC868BD1

Uniqueness

Uniqueness Score: -1.00%

Function 030F0838 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3f545d5783e6597ce9eb568b73cb9914dc753eab43ad7d14f9eeef8a553db4
Instruction ID: d7014bb935e1cca0bed7083748bccd03f4d6a2fd5fe6c0e1ce06893d0e0d21aa
Opcode Fuzzy Hash: 0c3f545d5783e6597ce9eb568b73cb9914dc753eab43ad7d14f9eeef8a553db4
Instruction Fuzzy Hash: 26110631B032059FDF64D678D84437D76DAEB45310F184979D642DB643EA24CC868BD1

Uniqueness

Uniqueness Score: -1.00%

Function 030F1450 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a0d61557618a31f9170cfbd31a15395440b05b17a9cb6ad87c1479d4bd403a
Instruction ID: 04641277895731e5e2a054870563e3fb145baa376ac2ae203201585939cb6bd0
Opcode Fuzzy Hash: 68a0d61557618a31f9170cfbd31a15395440b05b17a9cb6ad87c1479d4bd403a
Instruction Fuzzy Hash: AE117031A02715CFCF64EFB988501ADB7F5FB88211B1804B9DA05EBF42E635D842C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 030F178B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8804c5896485742df25a8db8f3f60bfae899bfdf731d106a992b0d726be10dae
Instruction ID: ee1bdf3500b6f3a823074150ccd0079650c26fdedac78a88d2eb761765597bfb
Opcode Fuzzy Hash: 8804c5896485742df25a8db8f3f60bfae899bfdf731d106a992b0d726be10dae
Instruction Fuzzy Hash: DC11E175F01211DFCF55EF78A84869E7BF6EB8C650F100165EA0AD3344EB3489428BA2

Uniqueness

Uniqueness Score: -1.00%

Function 030F1460 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586451c539725889a47af58d8985dae98b62869077cfc4be7fb93c2c7f07e5a6
Instruction ID: 032a1b51016ee7bd0f23b199a4ca7039747c94a3571c28d69100c26b4d101dc8
Opcode Fuzzy Hash: 586451c539725889a47af58d8985dae98b62869077cfc4be7fb93c2c7f07e5a6
Instruction Fuzzy Hash: E8016135A02715CFCF65EFB8845019DB7E5BB88210B18047AD905EBE41E635D942C791

Uniqueness

Uniqueness Score: -1.00%

Function 018FD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876528143.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18fd000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 6369d3f8ad30df48e9fd5fbc204c589f53e5c654b36929599b1df75f5d26dce9
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4A11BB75504280CFDB16CF58D5C4B16FFA2FB84314F24C6AEDA098B656C33AD50ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 030F7CA8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2097c442b768a54d13f67e35ebf1359ab56c073151525f5346766f24c513fe59
Instruction ID: ed51b3284aad2725d712671418f502c3ba51dfb735ab4d1632689e6bab9c6315
Opcode Fuzzy Hash: 2097c442b768a54d13f67e35ebf1359ab56c073151525f5346766f24c513fe59
Instruction Fuzzy Hash: 6E015270A01249EFCB41EB7CF98499CBBB5EF45704F0442B9C404DB265EB305E498B92

Uniqueness

Uniqueness Score: -1.00%

Function 030F14EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2e9c1c1a15f0fbbbbd3171c51fc09b6ebbaf8932ed1c2fecb078faae587199
Instruction ID: fff5b2d4cf7e92973d4756e1c2d45ad55195f599a251e9a2f5db075f89e969dd
Opcode Fuzzy Hash: dd2e9c1c1a15f0fbbbbd3171c51fc09b6ebbaf8932ed1c2fecb078faae587199
Instruction Fuzzy Hash: 2CF0F036A06654CFDB26CBA888901ECBBA1FED822171D00A7CA05EBE52D725E842C711

Uniqueness

Uniqueness Score: -1.00%

Function 030F7CB8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2876862078.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30f0000_HSBC Havale Bildirimi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f8354e0d3b17a54e0373754ff1fe724fd619296bd58b676791b4b108a71caf
Instruction ID: f9ebe6b46aa03d4968229a6f40312e758966c8cd3d4ed8519a35652e1692db09
Opcode Fuzzy Hash: c9f8354e0d3b17a54e0373754ff1fe724fd619296bd58b676791b4b108a71caf
Instruction Fuzzy Hash: E1F0FF70E01109EFCB40EBACF98499DBBB5EB45304F5046B8C909D7264EF306E4A8B92

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HSBC Havale Bildirimi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC Havale Bildirimi.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
HSBC Havale Bildirimi.exe

Function 01A8D49A Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Function 01A8D4A0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07E0D59C Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Function 07E0D5A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 01A8B210 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 01A85E94 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 01A84A7C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07E0D318 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Function 07E0CD48 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre