Windows Analysis Report Halkbank_Ekstre_20230426_075819_154055.exe

Uses insecure TLS / SSL version for HTTPS connection

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49726 version: TLS 1.2

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: krUK.pdbSHA256COI source: Halkbank_Ekstre_20230426_075819_154055.exe
Source:	Binary string: krUK.pdb source: Halkbank_Ekstre_20230426_075819_154055.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 02702B39h	0_2_0270257F
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 02702B39h	0_2_02702509
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0100F03B
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0100F21B
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0100F7A1h	3_2_0100F4E8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0100FBF9h	3_2_0100F941
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0100EA08
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06622658h	3_2_06622240
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06620F11h	3_2_06620C60
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662021Dh	3_2_06620040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06620BA7h	3_2_06620040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662F7D1h	3_2_0662F528
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06622091h	3_2_06621DE0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662D511h	3_2_0662D268
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662D0B9h	3_2_0662CE10
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662D969h	3_2_0662D6C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662E219h	3_2_0662DF70
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662DDC1h	3_2_0662DB18
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662E671h	3_2_0662E3C8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662EF21h	3_2_0662EC78
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662EAC9h	3_2_0662E820
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06621371h	3_2_066210C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662F379h	3_2_0662F0D0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662C809h	3_2_0662C560
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066217D1h	3_2_06621520
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662C3B1h	3_2_0662C108
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662CC61h	3_2_0662C9B8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06621C31h	3_2_06621980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662FC29h	3_2_0662F980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06622658h	3_2_06622586
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06638D95h	3_2_06638A58
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06635D11h	3_2_06635A68
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066388A9h	3_2_06638600
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06636169h	3_2_06635EC0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06636A19h	3_2_06636770
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066365C1h	3_2_06636318
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_066337FA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06636E71h	3_2_06636BC8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066302E9h	3_2_06630040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066372C9h	3_2_06637020
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06633808
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06630B99h	3_2_066308F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06637BA1h	3_2_066378F8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0663774Ah	3_2_066374A0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06630741h	3_2_06630498
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06630FF1h	3_2_06630D48
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06637FF9h	3_2_06637D50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06635891h	3_2_066355E8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06631449h	3_2_066311A0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06638451h	3_2_066381A8

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View	IP Address: 104.21.27.85 104.21.27.85
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: scratchdreams.tk

Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: Halkbank_Ekstre_20230426_075819_154055.exe	String found in binary or memory: http://tempuri.org/DataSeta.xsd)Microsoft
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.150.225
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.150.225$
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49726 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_0255D424	0_2_0255D424
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_027040AA	0_2_027040AA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_02700040	0_2_02700040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_02700007	0_2_02700007
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D4C1E0	0_2_06D4C1E0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D46A00	0_2_06D46A00
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D40040	0_2_06D40040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D4A878	0_2_06D4A878
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D40006	0_2_06D40006
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_007AACC0	3_2_007AACC0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_007AD89C	3_2_007AD89C
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_007AFA50	3_2_007AFA50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_007ABFEC	3_2_007ABFEC
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_00E14758	3_2_00E14758
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100C1F0	3_2_0100C1F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100B388	3_2_0100B388
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100C4D0	3_2_0100C4D0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100C7B2	3_2_0100C7B2
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_01009848	3_2_01009848
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_010068E0	3_2_010068E0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_01004B31	3_2_01004B31
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100CA92	3_2_0100CA92
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100BC32	3_2_0100BC32
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100BF10	3_2_0100BF10
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100B552	3_2_0100B552
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_010035CA	3_2_010035CA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100F4E8	3_2_0100F4E8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100F941	3_2_0100F941
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100E9F8	3_2_0100E9F8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100EA08	3_2_0100EA08
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06620C60	3_2_06620C60
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06620040	3_2_06620040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06629080	3_2_06629080
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06624490	3_2_06624490
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F528	3_2_0662F528
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621DE0	3_2_06621DE0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066289B0	3_2_066289B0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662D268	3_2_0662D268
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662D258	3_2_0662D258
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662CE01	3_2_0662CE01
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662CE10	3_2_0662CE10
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662D6C0	3_2_0662D6C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662D6B0	3_2_0662D6B0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662DF60	3_2_0662DF60
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662DF70	3_2_0662DF70
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662DB0A	3_2_0662DB0A
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662DB18	3_2_0662DB18
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662E3C8	3_2_0662E3C8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662E3B9	3_2_0662E3B9
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662EC69	3_2_0662EC69
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662EC78	3_2_0662EC78
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06620C50	3_2_06620C50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662E820	3_2_0662E820
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06620006	3_2_06620006
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06628008	3_2_06628008
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662E812	3_2_0662E812
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C0F7	3_2_0662C0F7
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066210C0	3_2_066210C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F0C0	3_2_0662F0C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F0D0	3_2_0662F0D0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066210B0	3_2_066210B0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06624480	3_2_06624480
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C560	3_2_0662C560
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621970	3_2_06621970
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F971	3_2_0662F971
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C550	3_2_0662C550
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621520	3_2_06621520
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C108	3_2_0662C108
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621510	3_2_06621510
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F518	3_2_0662F518
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621DD0	3_2_06621DD0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C9A9	3_2_0662C9A9
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C9B8	3_2_0662C9B8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621980	3_2_06621980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F980	3_2_0662F980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06638A58	3_2_06638A58
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663CE28	3_2_0663CE28
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663DAC0	3_2_0663DAC0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663AEA8	3_2_0663AEA8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663BB38	3_2_0663BB38
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663C7D8	3_2_0663C7D8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663D478	3_2_0663D478
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663A858	3_2_0663A858
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663B4F0	3_2_0663B4F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066390A1	3_2_066390A1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066315F8	3_2_066315F8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663C188	3_2_0663C188
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06635A68	3_2_06635A68
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06638A48	3_2_06638A48
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06635A58	3_2_06635A58
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06638600	3_2_06638600
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663CE18	3_2_0663CE18
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06635EC0	3_2_06635EC0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663DAAF	3_2_0663DAAF
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06635EB2	3_2_06635EB2
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636760	3_2_06636760
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636770	3_2_06636770
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663BB27	3_2_0663BB27
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636308	3_2_06636308
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636318	3_2_06636318
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066337FA	3_2_066337FA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663C7CB	3_2_0663C7CB
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636BC8	3_2_06636BC8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636BB8	3_2_06636BB8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06633B80	3_2_06633B80
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630040	3_2_06630040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06632C57	3_2_06632C57
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637020	3_2_06637020
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630007	3_2_06630007
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06633808	3_2_06633808
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637010	3_2_06637010
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066308E1	3_2_066308E1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066378E7	3_2_066378E7
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066308F0	3_2_066308F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066378F8	3_2_066378F8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066374A0	3_2_066374A0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06634880	3_2_06634880
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630488	3_2_06630488
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637490	3_2_06637490
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630498	3_2_06630498
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663C178	3_2_0663C178
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637D40	3_2_06637D40
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630D48	3_2_06630D48
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637D50	3_2_06637D50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630D38	3_2_06630D38
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06632D00	3_2_06632D00
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066355E8	3_2_066355E8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066385F1	3_2_066385F1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066355DA	3_2_066355DA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066311A0	3_2_066311A0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066381A8	3_2_066381A8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06631191	3_2_06631191
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663819A	3_2_0663819A

Sample file is different than original file name gathered from version info

Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1980117407.000000000280A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1978545566.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.2001619425.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000000.1967619527.0000000000394000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekrUK.exe: vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.2002294197.0000000007300000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3220219789.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe	Binary or memory string: OriginalFilenamekrUK.exe: vs Halkbank_Ekstre_20230426_075819_154055.exe

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, 2Ac.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, 2Ac.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, xPlBfKlGB2IZMVKKlN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, xPlBfKlGB2IZMVKKlN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20230426_075819_154055.exe.log

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Mutant created: NULL

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3223175561.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002C02000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Halkbank_Ekstre_20230426_075819_154055.exe	Virustotal: Detection: 55%
Source: Halkbank_Ekstre_20230426_075819_154055.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

.NET source code contains method to dynamically call methods (often used by packers)

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: krUK.pdbSHA256COI source: Halkbank_Ekstre_20230426_075819_154055.exe
Source:	Binary string: krUK.pdb source: Halkbank_Ekstre_20230426_075819_154055.exe

Data Obfuscation

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: Halkbank_Ekstre_20230426_075819_154055.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	.Net Code: I9aF6WgXIVr2f97mNYk System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	.Net Code: I9aF6WgXIVr2f97mNYk System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: 0xF32F70C2 [Wed Apr 15 21:42:26 2099 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Code function: 3_2_01001A60 push esp; retf

3_2_01001A4F

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: section name: .text entropy: 7.95952575244103

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	High entropy of concatenated method names: 'q1RqieZmx3', 'NAqqmLohun', 'ocoqG1tuFW', 'RiKqQ0CKxd', 'IthqWoIpKn', 'NcFqsjeivw', 'cAeqt1yEHP', 'y9GqVRDjto', 'Nfkq6sbTfC', 'LIHqgj7aEX'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, ziedvnrBRhAIpT5Qi8.cs	High entropy of concatenated method names: 'Yu6nusVhf', 'pupvFh3A3', 'K3iLiTqTb', 'CqdhAd9Ve', 'wFc3Nmrpx', 'IqNrl0b8g', 'pLpCtFN4ruVv7NeP5k', 'cgI6uRmUl2ALWDGbqp', 'tWQkkLgAs', 'ucTZjVc2U'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, awHOa2tvZC3B51kOtt.cs	High entropy of concatenated method names: 'kPwkmvjKC7', 'j2kkGhLo6K', 'D9KkQcZLkA', 'qlBkWGnBRf', 'Gm6ksnhE7E', 'z09kt8Aa8i', 'hUFkVfnDX9', 'xgLk64xoMJ', 'aMykgRRiQo', 'BN2k9uTFDM'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, od4j2WLp01hKGvRovU.cs	High entropy of concatenated method names: 'ToString', 'tpj7KJWl7s', 'uRC7ftHy78', 'ydK7DnGIwS', 'Bp47Jv9MNk', 'P1T7MqsL70', 'kEr72nXW3m', 'pcm7aKwGke', 'jBu7eGBYQZ', 'jt77XEnsjb'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, cfK2jui8T0oYumsHiO.cs	High entropy of concatenated method names: 'S3JtYCdBaj', 'fHwtP3MXdu', 'DT8tnSSet7', 'u36tvts1U3', 'Y1WtToE70S', 'z34tL7FHGj', 'UWmthBTstI', 'Ow9t4mG3gA', 'iCNt3sHWYq', 'fnRtrhLfOi'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, JtOE33hfZH9hFUu4kMg.cs	High entropy of concatenated method names: 'HN38YKmY8V', 'zHt8PHc0II', 'u6P8nhRk9I', 'Paf8vvsToJ', 'sen8Tex6u1', 'mkW8Llc2Vk', 'z9M8hbfGSv', 'wno84c7Sfe', 'o4s83eoT2u', 'Y0X8rpEikK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, bMHWQvIvpUEgKY4Zg9.cs	High entropy of concatenated method names: 'K9HlSbKuFP', 'bpjlw9N9Ta', 'd6dljoDKuE', 'yX8lEfZQXj', 'ucVlfyVauf', 'Ko3lDXkeyO', 'cmVlJfxesS', 'niilMPaJIe', 'L6fl2SrmGi', 'jmUlaNlBOK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, t5mbvvPGfGMR4sTcBJ.cs	High entropy of concatenated method names: 'gsTNFLRRiD', 'oPmNBStXwf', 'SwbkH3ZjDg', 'gKBkAUAhsT', 'KyBNKOOvhT', 'QShNw4KOAl', 'Hj2NokQIAA', 'j5jNjdWtuY', 'VkLNElKVqi', 'UNcN5BnIXw'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, l1Qrv9zHACbYjdnnW9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EHQ80L4ZVB', 'fZc8lGI0L3', 'FR687La5NE', 'h5W8NmZr9Z', 'n6R8kpKkKM', 'fsx887iYCx', 'R198ZnnWr4'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, xPlBfKlGB2IZMVKKlN.cs	High entropy of concatenated method names: 'a0ZGjML0ZT', 'pKKGE6Z35U', 'Tp0G5tIssF', 'bemGp7phEW', 'TxxG1LldcX', 'hWQGdMNKrj', 'FtXGCLNq5M', 'fP8GFJd42S', 'iUrGbKshS1', 'IVWGBwJMUc'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, AX4t7qyE4jux1hf1Y6.cs	High entropy of concatenated method names: 'Oy9Qv4PvXm', 'P8dQL9LBKC', 'yabQ48llFn', 'acLQ3l9vgA', 'BY6QldWMk2', 'xVeQ7fS5O2', 'WDOQNt4Slf', 'KZ1QkhOxIK', 'gFPQ8gNyNI', 'WZqQZctj56'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, OMxwkrxpKFZmqViVRi.cs	High entropy of concatenated method names: 'YbUtmcbP2C', 'ue4tQHJwiq', 'bwvts0FNnp', 'T51sBAdueg', 'b3mszGAlTK', 'Wt5tHv2XNH', 'Y5OtAiHDin', 'j27tUOQI67', 'BZUtqsRI5G', 'rMFtRlBA5Z'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, HG4SfGhYBDdbP6jIh6a.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OCCZj2lJB1', 'uO0ZEgdHMO', 'mvQZ5x2XDs', 'T82ZpArCY3', 'p0xZ1OnGvb', 'NArZdKxQgA', 'kn3ZCCMU3D'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, pXiQGngKJHAxTaoAu6.cs	High entropy of concatenated method names: 'OjlAtNOEkF', 'cWcAVVNDix', 'wIVAg7ltOs', 'o1JA9bny1K', 'gBXAlucjik', 'sm4A7ZqEoL', 'sjdw3pQ7M8rNHUULhc', 'kMuh0QanupvwdoCZAG', 'UNcAAWtt3E', 'RcnAq3tDEe'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, C6LqXe7ZhCmGCf6YQf.cs	High entropy of concatenated method names: 'hhl04SdvZR', 'YBY03mHuUA', 'Hkg0ISOj8x', 'Dx60fDq20s', 'gtK0J7n6B5', 'qpJ0MbBe2M', 'aFC0aPkspm', 'VhT0ePBIvb', 'X7V0SpZykg', 'Jor0KBLQSt'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, N4uflNZUBmxHnLaKnc.cs	High entropy of concatenated method names: 'kqfsiyccYZ', 'TeDsGocSFB', 'kHVsWx4OLH', 'OtnstG78nF', 'FAtsVZgh07', 'r74W1Wf9Ik', 'uHgWdAkq21', 'o8jWCuFFhY', 'GInWFRvTOm', 'zsXWbyW9S6'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, XgHtcVWpxu9tyOjXNd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QbQUb3P727', 'RmgUBpYij8', 'KK5UzuadjQ', 'VxoqHXI0tP', 'ehyqAiZHMJ', 'MlrqUK1IN8', 'A8DqqVAOtP', 'gMX6dWgcubmpT2CuI4E'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, iWk2BpmdKZQmbajR8p.cs	High entropy of concatenated method names: 'rCLkIENXTJ', 't4dkfRjepn', 'nWUkDNMOYk', 'yxjkJh9kew', 'gT1kjNs0vT', 'fTDkMpa3Rw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, wmDBajVNd98VIVRuG2.cs	High entropy of concatenated method names: 'UnFWThgTPD', 'YJnWhcWfTQ', 'FA8QDaHJJH', 'fGTQJ1UUMe', 'ddGQM1U2xh', 'AQKQ2FXJhB', 'IbRQaoNO9N', 'JsuQe5CXn6', 'DJ2QXYetHL', 'TpuQSDQwfZ'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, lRRIqr2t2v0WVf5PlP.cs	High entropy of concatenated method names: 'hfh8ASyFfO', 'RH08qmaeba', 'DEl8RHpq9d', 'WYO8mTLBc0', 'aXM8G2jrsO', 'CCm8Wq4Cv5', 'Sfk8sxBuHR', 'hnrkCg3K4K', 'IglkFsae7S', 'YYUkbcZI5a'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, EnE7sFddoOZbauWubq.cs	High entropy of concatenated method names: 'Dispose', 'RSpAbGdr9q', 'XowUf8J6OY', 'CSEyyuXuTY', 'MtCABuVvkA', 'QLTAzxD6lm', 'ProcessDialogKey', 'XA6UH5EF25', 'oPIUAJZDNA', 'TPhUUN2Sem'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	High entropy of concatenated method names: 'q1RqieZmx3', 'NAqqmLohun', 'ocoqG1tuFW', 'RiKqQ0CKxd', 'IthqWoIpKn', 'NcFqsjeivw', 'cAeqt1yEHP', 'y9GqVRDjto', 'Nfkq6sbTfC', 'LIHqgj7aEX'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, ziedvnrBRhAIpT5Qi8.cs	High entropy of concatenated method names: 'Yu6nusVhf', 'pupvFh3A3', 'K3iLiTqTb', 'CqdhAd9Ve', 'wFc3Nmrpx', 'IqNrl0b8g', 'pLpCtFN4ruVv7NeP5k', 'cgI6uRmUl2ALWDGbqp', 'tWQkkLgAs', 'ucTZjVc2U'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, awHOa2tvZC3B51kOtt.cs	High entropy of concatenated method names: 'kPwkmvjKC7', 'j2kkGhLo6K', 'D9KkQcZLkA', 'qlBkWGnBRf', 'Gm6ksnhE7E', 'z09kt8Aa8i', 'hUFkVfnDX9', 'xgLk64xoMJ', 'aMykgRRiQo', 'BN2k9uTFDM'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, od4j2WLp01hKGvRovU.cs	High entropy of concatenated method names: 'ToString', 'tpj7KJWl7s', 'uRC7ftHy78', 'ydK7DnGIwS', 'Bp47Jv9MNk', 'P1T7MqsL70', 'kEr72nXW3m', 'pcm7aKwGke', 'jBu7eGBYQZ', 'jt77XEnsjb'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, cfK2jui8T0oYumsHiO.cs	High entropy of concatenated method names: 'S3JtYCdBaj', 'fHwtP3MXdu', 'DT8tnSSet7', 'u36tvts1U3', 'Y1WtToE70S', 'z34tL7FHGj', 'UWmthBTstI', 'Ow9t4mG3gA', 'iCNt3sHWYq', 'fnRtrhLfOi'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, JtOE33hfZH9hFUu4kMg.cs	High entropy of concatenated method names: 'HN38YKmY8V', 'zHt8PHc0II', 'u6P8nhRk9I', 'Paf8vvsToJ', 'sen8Tex6u1', 'mkW8Llc2Vk', 'z9M8hbfGSv', 'wno84c7Sfe', 'o4s83eoT2u', 'Y0X8rpEikK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, bMHWQvIvpUEgKY4Zg9.cs	High entropy of concatenated method names: 'K9HlSbKuFP', 'bpjlw9N9Ta', 'd6dljoDKuE', 'yX8lEfZQXj', 'ucVlfyVauf', 'Ko3lDXkeyO', 'cmVlJfxesS', 'niilMPaJIe', 'L6fl2SrmGi', 'jmUlaNlBOK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, t5mbvvPGfGMR4sTcBJ.cs	High entropy of concatenated method names: 'gsTNFLRRiD', 'oPmNBStXwf', 'SwbkH3ZjDg', 'gKBkAUAhsT', 'KyBNKOOvhT', 'QShNw4KOAl', 'Hj2NokQIAA', 'j5jNjdWtuY', 'VkLNElKVqi', 'UNcN5BnIXw'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, l1Qrv9zHACbYjdnnW9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EHQ80L4ZVB', 'fZc8lGI0L3', 'FR687La5NE', 'h5W8NmZr9Z', 'n6R8kpKkKM', 'fsx887iYCx', 'R198ZnnWr4'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, xPlBfKlGB2IZMVKKlN.cs	High entropy of concatenated method names: 'a0ZGjML0ZT', 'pKKGE6Z35U', 'Tp0G5tIssF', 'bemGp7phEW', 'TxxG1LldcX', 'hWQGdMNKrj', 'FtXGCLNq5M', 'fP8GFJd42S', 'iUrGbKshS1', 'IVWGBwJMUc'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, AX4t7qyE4jux1hf1Y6.cs	High entropy of concatenated method names: 'Oy9Qv4PvXm', 'P8dQL9LBKC', 'yabQ48llFn', 'acLQ3l9vgA', 'BY6QldWMk2', 'xVeQ7fS5O2', 'WDOQNt4Slf', 'KZ1QkhOxIK', 'gFPQ8gNyNI', 'WZqQZctj56'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, OMxwkrxpKFZmqViVRi.cs	High entropy of concatenated method names: 'YbUtmcbP2C', 'ue4tQHJwiq', 'bwvts0FNnp', 'T51sBAdueg', 'b3mszGAlTK', 'Wt5tHv2XNH', 'Y5OtAiHDin', 'j27tUOQI67', 'BZUtqsRI5G', 'rMFtRlBA5Z'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, HG4SfGhYBDdbP6jIh6a.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OCCZj2lJB1', 'uO0ZEgdHMO', 'mvQZ5x2XDs', 'T82ZpArCY3', 'p0xZ1OnGvb', 'NArZdKxQgA', 'kn3ZCCMU3D'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, pXiQGngKJHAxTaoAu6.cs	High entropy of concatenated method names: 'OjlAtNOEkF', 'cWcAVVNDix', 'wIVAg7ltOs', 'o1JA9bny1K', 'gBXAlucjik', 'sm4A7ZqEoL', 'sjdw3pQ7M8rNHUULhc', 'kMuh0QanupvwdoCZAG', 'UNcAAWtt3E', 'RcnAq3tDEe'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, C6LqXe7ZhCmGCf6YQf.cs	High entropy of concatenated method names: 'hhl04SdvZR', 'YBY03mHuUA', 'Hkg0ISOj8x', 'Dx60fDq20s', 'gtK0J7n6B5', 'qpJ0MbBe2M', 'aFC0aPkspm', 'VhT0ePBIvb', 'X7V0SpZykg', 'Jor0KBLQSt'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, N4uflNZUBmxHnLaKnc.cs	High entropy of concatenated method names: 'kqfsiyccYZ', 'TeDsGocSFB', 'kHVsWx4OLH', 'OtnstG78nF', 'FAtsVZgh07', 'r74W1Wf9Ik', 'uHgWdAkq21', 'o8jWCuFFhY', 'GInWFRvTOm', 'zsXWbyW9S6'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, XgHtcVWpxu9tyOjXNd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QbQUb3P727', 'RmgUBpYij8', 'KK5UzuadjQ', 'VxoqHXI0tP', 'ehyqAiZHMJ', 'MlrqUK1IN8', 'A8DqqVAOtP', 'gMX6dWgcubmpT2CuI4E'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, iWk2BpmdKZQmbajR8p.cs	High entropy of concatenated method names: 'rCLkIENXTJ', 't4dkfRjepn', 'nWUkDNMOYk', 'yxjkJh9kew', 'gT1kjNs0vT', 'fTDkMpa3Rw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, wmDBajVNd98VIVRuG2.cs	High entropy of concatenated method names: 'UnFWThgTPD', 'YJnWhcWfTQ', 'FA8QDaHJJH', 'fGTQJ1UUMe', 'ddGQM1U2xh', 'AQKQ2FXJhB', 'IbRQaoNO9N', 'JsuQe5CXn6', 'DJ2QXYetHL', 'TpuQSDQwfZ'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, lRRIqr2t2v0WVf5PlP.cs	High entropy of concatenated method names: 'hfh8ASyFfO', 'RH08qmaeba', 'DEl8RHpq9d', 'WYO8mTLBc0', 'aXM8G2jrsO', 'CCm8Wq4Cv5', 'Sfk8sxBuHR', 'hnrkCg3K4K', 'IglkFsae7S', 'YYUkbcZI5a'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, EnE7sFddoOZbauWubq.cs	High entropy of concatenated method names: 'Dispose', 'RSpAbGdr9q', 'XowUf8J6OY', 'CSEyyuXuTY', 'MtCABuVvkA', 'QLTAzxD6lm', 'ProcessDialogKey', 'XA6UH5EF25', 'oPIUAJZDNA', 'TPhUUN2Sem'

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 2510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 7370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 8370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 8610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 9610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596310	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596197	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595591	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595366	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595196	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 592961	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591563	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591422	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591313	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591188	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591063	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 590938	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Window / User API: threadDelayed 3219			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Window / User API: threadDelayed 6567			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 1684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 2828	Thread sleep count: 3219 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 2828	Thread sleep count: 6567 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -596310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -596197s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -596079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595366s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595196s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -592961s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -590938s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596310	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596197	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595591	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595366	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595196	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 592961	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591563	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591422	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591313	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591188	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591063	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 590938	Jump to behavior

Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3220287888.0000000000C87000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Process information queried: ProcessInformation

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Code function: 3_2_0662BE28 LdrInitializeThunk,

3_2_0662BE28

Enables debug privileges

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Memory written: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27964d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29803a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29823c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.297f390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2002086129.0000000006C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1980117407.0000000002813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27964d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29803a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29823c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.297f390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2002086129.0000000006C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1980117407.0000000002813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: Yara match	File source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
104.21.27.85	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

Contacted Domains

Name	IP	Active
reallyfreegeoip.org	172.67.177.134	true
scratchdreams.tk	104.21.27.85	true
checkip.dyndns.com	132.226.247.73	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/191.96.150.225	false	Avira URL Cloud: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

AV Detection

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@eraslangroup.net", "Password": "aHZAyjDK", "Host": "mail.eraslangroup.net", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 18%	Perma Link
Source: https://scratchdreams.tk/_send_.php?TS	Virustotal: Detection: 16%	Perma Link

Multi AV Scanner detection for submitted file

Source: Halkbank_Ekstre_20230426_075819_154055.exe	Virustotal: Detection: 55%			Perma Link
Source: Halkbank_Ekstre_20230426_075819_154055.exe	ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Joe Sandbox ML: detected

Uses insecure TLS / SSL version for HTTPS connection

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49726 version: TLS 1.2

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: krUK.pdbSHA256COI source: Halkbank_Ekstre_20230426_075819_154055.exe
Source:	Binary string: krUK.pdb source: Halkbank_Ekstre_20230426_075819_154055.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 02702B39h	0_2_0270257F
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 02702B39h	0_2_02702509
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0100F03B
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0100F21B
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0100F7A1h	3_2_0100F4E8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0100FBF9h	3_2_0100F941
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0100EA08
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06622658h	3_2_06622240
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06620F11h	3_2_06620C60
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662021Dh	3_2_06620040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06620BA7h	3_2_06620040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662F7D1h	3_2_0662F528
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06622091h	3_2_06621DE0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662D511h	3_2_0662D268
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662D0B9h	3_2_0662CE10
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662D969h	3_2_0662D6C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662E219h	3_2_0662DF70
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662DDC1h	3_2_0662DB18
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662E671h	3_2_0662E3C8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662EF21h	3_2_0662EC78
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662EAC9h	3_2_0662E820
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06621371h	3_2_066210C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662F379h	3_2_0662F0D0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662C809h	3_2_0662C560
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066217D1h	3_2_06621520
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662C3B1h	3_2_0662C108
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662CC61h	3_2_0662C9B8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06621C31h	3_2_06621980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0662FC29h	3_2_0662F980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06622658h	3_2_06622586
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06638D95h	3_2_06638A58
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06635D11h	3_2_06635A68
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066388A9h	3_2_06638600
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06636169h	3_2_06635EC0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06636A19h	3_2_06636770
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066365C1h	3_2_06636318
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_066337FA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06636E71h	3_2_06636BC8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066302E9h	3_2_06630040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 066372C9h	3_2_06637020
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06633808
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06630B99h	3_2_066308F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06637BA1h	3_2_066378F8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 0663774Ah	3_2_066374A0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06630741h	3_2_06630498
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06630FF1h	3_2_06630D48
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06637FF9h	3_2_06637D50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06635891h	3_2_066355E8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06631449h	3_2_066311A0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 4x nop then jmp 06638451h	3_2_066381A8

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View	IP Address: 104.21.27.85 104.21.27.85
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: scratchdreams.tk

Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: Halkbank_Ekstre_20230426_075819_154055.exe	String found in binary or memory: http://tempuri.org/DataSeta.xsd)Microsoft
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.150.225
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.150.225$
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49726 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_0255D424	0_2_0255D424
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_027040AA	0_2_027040AA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_02700040	0_2_02700040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_02700007	0_2_02700007
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D4C1E0	0_2_06D4C1E0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D46A00	0_2_06D46A00
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D40040	0_2_06D40040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D4A878	0_2_06D4A878
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 0_2_06D40006	0_2_06D40006
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_007AACC0	3_2_007AACC0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_007AD89C	3_2_007AD89C
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_007AFA50	3_2_007AFA50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_007ABFEC	3_2_007ABFEC
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_00E14758	3_2_00E14758
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100C1F0	3_2_0100C1F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100B388	3_2_0100B388
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100C4D0	3_2_0100C4D0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100C7B2	3_2_0100C7B2
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_01009848	3_2_01009848
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_010068E0	3_2_010068E0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_01004B31	3_2_01004B31
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100CA92	3_2_0100CA92
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100BC32	3_2_0100BC32
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100BF10	3_2_0100BF10
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100B552	3_2_0100B552
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_010035CA	3_2_010035CA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100F4E8	3_2_0100F4E8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100F941	3_2_0100F941
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100E9F8	3_2_0100E9F8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0100EA08	3_2_0100EA08
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06620C60	3_2_06620C60
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06620040	3_2_06620040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06629080	3_2_06629080
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06624490	3_2_06624490
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F528	3_2_0662F528
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621DE0	3_2_06621DE0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066289B0	3_2_066289B0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662D268	3_2_0662D268
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662D258	3_2_0662D258
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662CE01	3_2_0662CE01
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662CE10	3_2_0662CE10
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662D6C0	3_2_0662D6C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662D6B0	3_2_0662D6B0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662DF60	3_2_0662DF60
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662DF70	3_2_0662DF70
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662DB0A	3_2_0662DB0A
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662DB18	3_2_0662DB18
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662E3C8	3_2_0662E3C8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662E3B9	3_2_0662E3B9
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662EC69	3_2_0662EC69
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662EC78	3_2_0662EC78
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06620C50	3_2_06620C50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662E820	3_2_0662E820
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06620006	3_2_06620006
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06628008	3_2_06628008
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662E812	3_2_0662E812
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C0F7	3_2_0662C0F7
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066210C0	3_2_066210C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F0C0	3_2_0662F0C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F0D0	3_2_0662F0D0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066210B0	3_2_066210B0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06624480	3_2_06624480
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C560	3_2_0662C560
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621970	3_2_06621970
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F971	3_2_0662F971
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C550	3_2_0662C550
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621520	3_2_06621520
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C108	3_2_0662C108
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621510	3_2_06621510
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F518	3_2_0662F518
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621DD0	3_2_06621DD0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C9A9	3_2_0662C9A9
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662C9B8	3_2_0662C9B8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06621980	3_2_06621980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0662F980	3_2_0662F980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06638A58	3_2_06638A58
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663CE28	3_2_0663CE28
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663DAC0	3_2_0663DAC0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663AEA8	3_2_0663AEA8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663BB38	3_2_0663BB38
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663C7D8	3_2_0663C7D8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663D478	3_2_0663D478
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663A858	3_2_0663A858
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663B4F0	3_2_0663B4F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066390A1	3_2_066390A1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066315F8	3_2_066315F8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663C188	3_2_0663C188
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06635A68	3_2_06635A68
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06638A48	3_2_06638A48
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06635A58	3_2_06635A58
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06638600	3_2_06638600
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663CE18	3_2_0663CE18
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06635EC0	3_2_06635EC0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663DAAF	3_2_0663DAAF
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06635EB2	3_2_06635EB2
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636760	3_2_06636760
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636770	3_2_06636770
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663BB27	3_2_0663BB27
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636308	3_2_06636308
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636318	3_2_06636318
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066337FA	3_2_066337FA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663C7CB	3_2_0663C7CB
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636BC8	3_2_06636BC8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06636BB8	3_2_06636BB8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06633B80	3_2_06633B80
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630040	3_2_06630040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06632C57	3_2_06632C57
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637020	3_2_06637020
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630007	3_2_06630007
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06633808	3_2_06633808
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637010	3_2_06637010
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066308E1	3_2_066308E1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066378E7	3_2_066378E7
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066308F0	3_2_066308F0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066378F8	3_2_066378F8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066374A0	3_2_066374A0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06634880	3_2_06634880
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630488	3_2_06630488
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637490	3_2_06637490
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630498	3_2_06630498
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663C178	3_2_0663C178
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637D40	3_2_06637D40
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630D48	3_2_06630D48
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06637D50	3_2_06637D50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06630D38	3_2_06630D38
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06632D00	3_2_06632D00
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066355E8	3_2_066355E8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066385F1	3_2_066385F1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066355DA	3_2_066355DA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066311A0	3_2_066311A0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_066381A8	3_2_066381A8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_06631191	3_2_06631191
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Code function: 3_2_0663819A	3_2_0663819A

Sample file is different than original file name gathered from version info

Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1980117407.000000000280A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1978545566.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.2001619425.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000000.1967619527.0000000000394000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekrUK.exe: vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.2002294197.0000000007300000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3220219789.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
Source: Halkbank_Ekstre_20230426_075819_154055.exe	Binary or memory string: OriginalFilenamekrUK.exe: vs Halkbank_Ekstre_20230426_075819_154055.exe

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, 2Ac.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, 2Ac.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, xPlBfKlGB2IZMVKKlN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, xPlBfKlGB2IZMVKKlN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20230426_075819_154055.exe.log

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Mutant created: NULL

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Halkbank_Ekstre_20230426_075819_154055.exe	Virustotal: Detection: 55%
Source: Halkbank_Ekstre_20230426_075819_154055.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

.NET source code contains method to dynamically call methods (often used by packers)

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: krUK.pdbSHA256COI source: Halkbank_Ekstre_20230426_075819_154055.exe
Source:	Binary string: krUK.pdb source: Halkbank_Ekstre_20230426_075819_154055.exe

Data Obfuscation

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: Halkbank_Ekstre_20230426_075819_154055.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	.Net Code: I9aF6WgXIVr2f97mNYk System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	.Net Code: I9aF6WgXIVr2f97mNYk System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: 0xF32F70C2 [Wed Apr 15 21:42:26 2099 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Code function: 3_2_01001A60 push esp; retf

3_2_01001A4F

Source: Halkbank_Ekstre_20230426_075819_154055.exe

Static PE information: section name: .text entropy: 7.95952575244103

Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	High entropy of concatenated method names: 'q1RqieZmx3', 'NAqqmLohun', 'ocoqG1tuFW', 'RiKqQ0CKxd', 'IthqWoIpKn', 'NcFqsjeivw', 'cAeqt1yEHP', 'y9GqVRDjto', 'Nfkq6sbTfC', 'LIHqgj7aEX'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, ziedvnrBRhAIpT5Qi8.cs	High entropy of concatenated method names: 'Yu6nusVhf', 'pupvFh3A3', 'K3iLiTqTb', 'CqdhAd9Ve', 'wFc3Nmrpx', 'IqNrl0b8g', 'pLpCtFN4ruVv7NeP5k', 'cgI6uRmUl2ALWDGbqp', 'tWQkkLgAs', 'ucTZjVc2U'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, awHOa2tvZC3B51kOtt.cs	High entropy of concatenated method names: 'kPwkmvjKC7', 'j2kkGhLo6K', 'D9KkQcZLkA', 'qlBkWGnBRf', 'Gm6ksnhE7E', 'z09kt8Aa8i', 'hUFkVfnDX9', 'xgLk64xoMJ', 'aMykgRRiQo', 'BN2k9uTFDM'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, od4j2WLp01hKGvRovU.cs	High entropy of concatenated method names: 'ToString', 'tpj7KJWl7s', 'uRC7ftHy78', 'ydK7DnGIwS', 'Bp47Jv9MNk', 'P1T7MqsL70', 'kEr72nXW3m', 'pcm7aKwGke', 'jBu7eGBYQZ', 'jt77XEnsjb'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, cfK2jui8T0oYumsHiO.cs	High entropy of concatenated method names: 'S3JtYCdBaj', 'fHwtP3MXdu', 'DT8tnSSet7', 'u36tvts1U3', 'Y1WtToE70S', 'z34tL7FHGj', 'UWmthBTstI', 'Ow9t4mG3gA', 'iCNt3sHWYq', 'fnRtrhLfOi'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, JtOE33hfZH9hFUu4kMg.cs	High entropy of concatenated method names: 'HN38YKmY8V', 'zHt8PHc0II', 'u6P8nhRk9I', 'Paf8vvsToJ', 'sen8Tex6u1', 'mkW8Llc2Vk', 'z9M8hbfGSv', 'wno84c7Sfe', 'o4s83eoT2u', 'Y0X8rpEikK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, bMHWQvIvpUEgKY4Zg9.cs	High entropy of concatenated method names: 'K9HlSbKuFP', 'bpjlw9N9Ta', 'd6dljoDKuE', 'yX8lEfZQXj', 'ucVlfyVauf', 'Ko3lDXkeyO', 'cmVlJfxesS', 'niilMPaJIe', 'L6fl2SrmGi', 'jmUlaNlBOK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, t5mbvvPGfGMR4sTcBJ.cs	High entropy of concatenated method names: 'gsTNFLRRiD', 'oPmNBStXwf', 'SwbkH3ZjDg', 'gKBkAUAhsT', 'KyBNKOOvhT', 'QShNw4KOAl', 'Hj2NokQIAA', 'j5jNjdWtuY', 'VkLNElKVqi', 'UNcN5BnIXw'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, l1Qrv9zHACbYjdnnW9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EHQ80L4ZVB', 'fZc8lGI0L3', 'FR687La5NE', 'h5W8NmZr9Z', 'n6R8kpKkKM', 'fsx887iYCx', 'R198ZnnWr4'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, xPlBfKlGB2IZMVKKlN.cs	High entropy of concatenated method names: 'a0ZGjML0ZT', 'pKKGE6Z35U', 'Tp0G5tIssF', 'bemGp7phEW', 'TxxG1LldcX', 'hWQGdMNKrj', 'FtXGCLNq5M', 'fP8GFJd42S', 'iUrGbKshS1', 'IVWGBwJMUc'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, AX4t7qyE4jux1hf1Y6.cs	High entropy of concatenated method names: 'Oy9Qv4PvXm', 'P8dQL9LBKC', 'yabQ48llFn', 'acLQ3l9vgA', 'BY6QldWMk2', 'xVeQ7fS5O2', 'WDOQNt4Slf', 'KZ1QkhOxIK', 'gFPQ8gNyNI', 'WZqQZctj56'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, OMxwkrxpKFZmqViVRi.cs	High entropy of concatenated method names: 'YbUtmcbP2C', 'ue4tQHJwiq', 'bwvts0FNnp', 'T51sBAdueg', 'b3mszGAlTK', 'Wt5tHv2XNH', 'Y5OtAiHDin', 'j27tUOQI67', 'BZUtqsRI5G', 'rMFtRlBA5Z'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, HG4SfGhYBDdbP6jIh6a.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OCCZj2lJB1', 'uO0ZEgdHMO', 'mvQZ5x2XDs', 'T82ZpArCY3', 'p0xZ1OnGvb', 'NArZdKxQgA', 'kn3ZCCMU3D'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, pXiQGngKJHAxTaoAu6.cs	High entropy of concatenated method names: 'OjlAtNOEkF', 'cWcAVVNDix', 'wIVAg7ltOs', 'o1JA9bny1K', 'gBXAlucjik', 'sm4A7ZqEoL', 'sjdw3pQ7M8rNHUULhc', 'kMuh0QanupvwdoCZAG', 'UNcAAWtt3E', 'RcnAq3tDEe'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, C6LqXe7ZhCmGCf6YQf.cs	High entropy of concatenated method names: 'hhl04SdvZR', 'YBY03mHuUA', 'Hkg0ISOj8x', 'Dx60fDq20s', 'gtK0J7n6B5', 'qpJ0MbBe2M', 'aFC0aPkspm', 'VhT0ePBIvb', 'X7V0SpZykg', 'Jor0KBLQSt'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, N4uflNZUBmxHnLaKnc.cs	High entropy of concatenated method names: 'kqfsiyccYZ', 'TeDsGocSFB', 'kHVsWx4OLH', 'OtnstG78nF', 'FAtsVZgh07', 'r74W1Wf9Ik', 'uHgWdAkq21', 'o8jWCuFFhY', 'GInWFRvTOm', 'zsXWbyW9S6'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, XgHtcVWpxu9tyOjXNd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QbQUb3P727', 'RmgUBpYij8', 'KK5UzuadjQ', 'VxoqHXI0tP', 'ehyqAiZHMJ', 'MlrqUK1IN8', 'A8DqqVAOtP', 'gMX6dWgcubmpT2CuI4E'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, iWk2BpmdKZQmbajR8p.cs	High entropy of concatenated method names: 'rCLkIENXTJ', 't4dkfRjepn', 'nWUkDNMOYk', 'yxjkJh9kew', 'gT1kjNs0vT', 'fTDkMpa3Rw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, wmDBajVNd98VIVRuG2.cs	High entropy of concatenated method names: 'UnFWThgTPD', 'YJnWhcWfTQ', 'FA8QDaHJJH', 'fGTQJ1UUMe', 'ddGQM1U2xh', 'AQKQ2FXJhB', 'IbRQaoNO9N', 'JsuQe5CXn6', 'DJ2QXYetHL', 'TpuQSDQwfZ'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, lRRIqr2t2v0WVf5PlP.cs	High entropy of concatenated method names: 'hfh8ASyFfO', 'RH08qmaeba', 'DEl8RHpq9d', 'WYO8mTLBc0', 'aXM8G2jrsO', 'CCm8Wq4Cv5', 'Sfk8sxBuHR', 'hnrkCg3K4K', 'IglkFsae7S', 'YYUkbcZI5a'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, EnE7sFddoOZbauWubq.cs	High entropy of concatenated method names: 'Dispose', 'RSpAbGdr9q', 'XowUf8J6OY', 'CSEyyuXuTY', 'MtCABuVvkA', 'QLTAzxD6lm', 'ProcessDialogKey', 'XA6UH5EF25', 'oPIUAJZDNA', 'TPhUUN2Sem'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs	High entropy of concatenated method names: 'q1RqieZmx3', 'NAqqmLohun', 'ocoqG1tuFW', 'RiKqQ0CKxd', 'IthqWoIpKn', 'NcFqsjeivw', 'cAeqt1yEHP', 'y9GqVRDjto', 'Nfkq6sbTfC', 'LIHqgj7aEX'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, ziedvnrBRhAIpT5Qi8.cs	High entropy of concatenated method names: 'Yu6nusVhf', 'pupvFh3A3', 'K3iLiTqTb', 'CqdhAd9Ve', 'wFc3Nmrpx', 'IqNrl0b8g', 'pLpCtFN4ruVv7NeP5k', 'cgI6uRmUl2ALWDGbqp', 'tWQkkLgAs', 'ucTZjVc2U'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, awHOa2tvZC3B51kOtt.cs	High entropy of concatenated method names: 'kPwkmvjKC7', 'j2kkGhLo6K', 'D9KkQcZLkA', 'qlBkWGnBRf', 'Gm6ksnhE7E', 'z09kt8Aa8i', 'hUFkVfnDX9', 'xgLk64xoMJ', 'aMykgRRiQo', 'BN2k9uTFDM'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, od4j2WLp01hKGvRovU.cs	High entropy of concatenated method names: 'ToString', 'tpj7KJWl7s', 'uRC7ftHy78', 'ydK7DnGIwS', 'Bp47Jv9MNk', 'P1T7MqsL70', 'kEr72nXW3m', 'pcm7aKwGke', 'jBu7eGBYQZ', 'jt77XEnsjb'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, cfK2jui8T0oYumsHiO.cs	High entropy of concatenated method names: 'S3JtYCdBaj', 'fHwtP3MXdu', 'DT8tnSSet7', 'u36tvts1U3', 'Y1WtToE70S', 'z34tL7FHGj', 'UWmthBTstI', 'Ow9t4mG3gA', 'iCNt3sHWYq', 'fnRtrhLfOi'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, JtOE33hfZH9hFUu4kMg.cs	High entropy of concatenated method names: 'HN38YKmY8V', 'zHt8PHc0II', 'u6P8nhRk9I', 'Paf8vvsToJ', 'sen8Tex6u1', 'mkW8Llc2Vk', 'z9M8hbfGSv', 'wno84c7Sfe', 'o4s83eoT2u', 'Y0X8rpEikK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, bMHWQvIvpUEgKY4Zg9.cs	High entropy of concatenated method names: 'K9HlSbKuFP', 'bpjlw9N9Ta', 'd6dljoDKuE', 'yX8lEfZQXj', 'ucVlfyVauf', 'Ko3lDXkeyO', 'cmVlJfxesS', 'niilMPaJIe', 'L6fl2SrmGi', 'jmUlaNlBOK'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, t5mbvvPGfGMR4sTcBJ.cs	High entropy of concatenated method names: 'gsTNFLRRiD', 'oPmNBStXwf', 'SwbkH3ZjDg', 'gKBkAUAhsT', 'KyBNKOOvhT', 'QShNw4KOAl', 'Hj2NokQIAA', 'j5jNjdWtuY', 'VkLNElKVqi', 'UNcN5BnIXw'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, l1Qrv9zHACbYjdnnW9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EHQ80L4ZVB', 'fZc8lGI0L3', 'FR687La5NE', 'h5W8NmZr9Z', 'n6R8kpKkKM', 'fsx887iYCx', 'R198ZnnWr4'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, xPlBfKlGB2IZMVKKlN.cs	High entropy of concatenated method names: 'a0ZGjML0ZT', 'pKKGE6Z35U', 'Tp0G5tIssF', 'bemGp7phEW', 'TxxG1LldcX', 'hWQGdMNKrj', 'FtXGCLNq5M', 'fP8GFJd42S', 'iUrGbKshS1', 'IVWGBwJMUc'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, AX4t7qyE4jux1hf1Y6.cs	High entropy of concatenated method names: 'Oy9Qv4PvXm', 'P8dQL9LBKC', 'yabQ48llFn', 'acLQ3l9vgA', 'BY6QldWMk2', 'xVeQ7fS5O2', 'WDOQNt4Slf', 'KZ1QkhOxIK', 'gFPQ8gNyNI', 'WZqQZctj56'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, OMxwkrxpKFZmqViVRi.cs	High entropy of concatenated method names: 'YbUtmcbP2C', 'ue4tQHJwiq', 'bwvts0FNnp', 'T51sBAdueg', 'b3mszGAlTK', 'Wt5tHv2XNH', 'Y5OtAiHDin', 'j27tUOQI67', 'BZUtqsRI5G', 'rMFtRlBA5Z'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, HG4SfGhYBDdbP6jIh6a.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OCCZj2lJB1', 'uO0ZEgdHMO', 'mvQZ5x2XDs', 'T82ZpArCY3', 'p0xZ1OnGvb', 'NArZdKxQgA', 'kn3ZCCMU3D'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, pXiQGngKJHAxTaoAu6.cs	High entropy of concatenated method names: 'OjlAtNOEkF', 'cWcAVVNDix', 'wIVAg7ltOs', 'o1JA9bny1K', 'gBXAlucjik', 'sm4A7ZqEoL', 'sjdw3pQ7M8rNHUULhc', 'kMuh0QanupvwdoCZAG', 'UNcAAWtt3E', 'RcnAq3tDEe'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, C6LqXe7ZhCmGCf6YQf.cs	High entropy of concatenated method names: 'hhl04SdvZR', 'YBY03mHuUA', 'Hkg0ISOj8x', 'Dx60fDq20s', 'gtK0J7n6B5', 'qpJ0MbBe2M', 'aFC0aPkspm', 'VhT0ePBIvb', 'X7V0SpZykg', 'Jor0KBLQSt'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, N4uflNZUBmxHnLaKnc.cs	High entropy of concatenated method names: 'kqfsiyccYZ', 'TeDsGocSFB', 'kHVsWx4OLH', 'OtnstG78nF', 'FAtsVZgh07', 'r74W1Wf9Ik', 'uHgWdAkq21', 'o8jWCuFFhY', 'GInWFRvTOm', 'zsXWbyW9S6'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, XgHtcVWpxu9tyOjXNd.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'QbQUb3P727', 'RmgUBpYij8', 'KK5UzuadjQ', 'VxoqHXI0tP', 'ehyqAiZHMJ', 'MlrqUK1IN8', 'A8DqqVAOtP', 'gMX6dWgcubmpT2CuI4E'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, iWk2BpmdKZQmbajR8p.cs	High entropy of concatenated method names: 'rCLkIENXTJ', 't4dkfRjepn', 'nWUkDNMOYk', 'yxjkJh9kew', 'gT1kjNs0vT', 'fTDkMpa3Rw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, wmDBajVNd98VIVRuG2.cs	High entropy of concatenated method names: 'UnFWThgTPD', 'YJnWhcWfTQ', 'FA8QDaHJJH', 'fGTQJ1UUMe', 'ddGQM1U2xh', 'AQKQ2FXJhB', 'IbRQaoNO9N', 'JsuQe5CXn6', 'DJ2QXYetHL', 'TpuQSDQwfZ'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, lRRIqr2t2v0WVf5PlP.cs	High entropy of concatenated method names: 'hfh8ASyFfO', 'RH08qmaeba', 'DEl8RHpq9d', 'WYO8mTLBc0', 'aXM8G2jrsO', 'CCm8Wq4Cv5', 'Sfk8sxBuHR', 'hnrkCg3K4K', 'IglkFsae7S', 'YYUkbcZI5a'
Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, EnE7sFddoOZbauWubq.cs	High entropy of concatenated method names: 'Dispose', 'RSpAbGdr9q', 'XowUf8J6OY', 'CSEyyuXuTY', 'MtCABuVvkA', 'QLTAzxD6lm', 'ProcessDialogKey', 'XA6UH5EF25', 'oPIUAJZDNA', 'TPhUUN2Sem'

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 2510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 2770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 7370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 8370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 8610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 9610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596310	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596197	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595591	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595366	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595196	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 592961	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591563	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591422	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591313	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591188	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591063	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 590938	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Window / User API: threadDelayed 3219			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Window / User API: threadDelayed 6567			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 1684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 2828	Thread sleep count: 3219 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 2828	Thread sleep count: 6567 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -596310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -596197s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -596079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595366s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595196s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -593110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -592961s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -591063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688	Thread sleep time: -590938s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596310	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596197	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595591	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595366	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595196	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593610	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593485	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593360	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593235	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 593110	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 592961	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591563	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591422	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591313	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591188	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 591063	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Thread delayed: delay time: 590938	Jump to behavior

Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3220287888.0000000000C87000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Process information queried: ProcessInformation

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Code function: 3_2_0662BE28 LdrInitializeThunk,

3_2_0662BE28

Enables debug privileges

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Memory written: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27964d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29803a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29823c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.297f390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2002086129.0000000006C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1980117407.0000000002813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match	File source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27964d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29803a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29823c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.297f390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2002086129.0000000006C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1980117407.0000000002813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY