Windows Analysis Report Halkbank02.exe

Overview

General Information

Sample Name: Halkbank02.exe
Analysis ID: 483639
MD5: a4cb6740c9195c5579acef4f7c8e40c7
SHA1: 54abe0f828d828d5ff840b989fb5f010395961f6
SHA256: f1b1abf0182c865a3521d659cbc4bd86a4b00b0e4be95468a1d3b5ff46a3efc8
Tags: exe, geo, GuLoader, Halkbank, TUR

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Yara signature match
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.775767651.0000000002BD0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1l"}
Multi AV Scanner detection for submitted file
Source: Halkbank02.exe ReversingLabs: Detection: 15%

Compliance:

Uses 32bit PE files
Source: Halkbank02.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 4x nop then mov ebx, ebx 1_2_00401500
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00401500
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 4x nop then mov ebx, ebx 1_2_00402872
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402872
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402C7A
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402E7C
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 4x nop then mov ebx, ebx 1_2_00402A0C
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402A0C
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402C3F
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 4x nop then mov ebx, ebx 1_2_004028F7
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_004028F7
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 4x nop then mov ebx, ebx 1_2_00402A81
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402A81
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 4x nop then mov ebx, ebx 1_2_004020A7
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_004020A7
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402B02
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402D07
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402F0C
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 4x nop then mov ebx, ebx 1_2_004027DC
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_004027DC
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402DF6
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402B84
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 4x nop then mov ebx, ebx 1_2_0040298D
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_0040298D
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 5x nop then xor eax, 4C849A4Bh 1_2_00402F9E

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1l

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.772950247.0000000000410000.00000020.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000001.00000000.247791172.0000000000410000.00000020.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Yara signature match
Source: 00000001.00000002.772950247.0000000000410000.00000020.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.247791172.0000000000410000.00000020.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Sample file is different than original file name gathered from version info
Source: Halkbank02.exe, 00000001.00000000.247800004.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemeduse.exe vs Halkbank02.exe
Source: Halkbank02.exe, 00000001.00000002.774847664.00000000021F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemeduse.exeFE2XGeneral court% vs Halkbank02.exe
Source: Halkbank02.exe Binary or memory string: OriginalFilenamemeduse.exe vs Halkbank02.exe
PE file contains strange resources
Source: Halkbank02.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD65A4 NtAllocateVirtualMemory, 1_2_02BD65A4
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Halkbank02.exe Process Stats: CPU usage > 98%
Source: Halkbank02.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Halkbank02.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Halkbank02.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.775767651.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00403640 push 966DCA76h; iretd 1_2_00403645
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00405A45 push esp; iretd 1_2_00405A5A
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00403C65 push ds; iretd 1_2_00403C6E
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00405E73 push ds; iretd 1_2_00405E8A
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00404A75 push 7B3E4015h; iretd 1_2_00404A7A
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00407231 push esp; retf 1_2_00407234
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004080C5 push E868A7E5h; iretd 1_2_004080CA
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00406ED7 push esi; ret 1_2_00406ED8
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004082EB pushfd ; iretd 1_2_004082F5
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004080ED push 7767F77Ch; iretd 1_2_004080F2
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00408105 push 03C6A3FEh; iretd 1_2_00408112
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00407B29 pushfd ; retf 1_2_00407B2A
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004061DD push 22BD4488h; iretd 1_2_004061E6
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD7409 pushfd ; iretd 1_2_02BD7412
Source: C:\Users\user\Desktop\Halkbank02.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD8CF8 rdtsc 1_2_02BD8CF8

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Halkbank02.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00401500 mov ebx, dword ptr fs:[00000030h] 1_2_00401500
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004020A7 mov ebx, dword ptr fs:[00000030h] 1_2_004020A7
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004027DC mov ebx, dword ptr fs:[00000030h] 1_2_004027DC
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD88B2 mov eax, dword ptr fs:[00000030h] 1_2_02BD88B2
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD608C mov eax, dword ptr fs:[00000030h] 1_2_02BD608C
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD41F0 mov eax, dword ptr fs:[00000030h] 1_2_02BD41F0
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD352D mov eax, dword ptr fs:[00000030h] 1_2_02BD352D
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD8150 mov eax, dword ptr fs:[00000030h] 1_2_02BD8150
Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_02BD9745 mov eax, dword ptr fs:[00000030h] 1_2_02BD9745
Source: Halkbank02.exe, 00000001.00000002.773637952.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Halkbank02.exe, 00000001.00000002.773637952.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Halkbank02.exe, 00000001.00000002.773637952.0000000000D60000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: Halkbank02.exe, 00000001.00000002.773637952.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: Halkbank02.exe, 00000001.00000002.773637952.0000000000D60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos