Overview

overview

10

Static

static

Ziraat Ban...ji.exe

windows7_x64

10

Ziraat Ban...ji.exe

windows10_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    12-01-2021 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ziraat Bankasi Swift Mesaji.exe

  • Size

    444KB

  • MD5

    35c69b2c315a5b7d4fe4a2106dad3921

  • SHA1

    5f89cd2ec7ff235c54bb079740427687b028f96d

  • SHA256

    3d39fc826f6ed0115155842080406ffc82f930c5daae8ef710d3c30009fd0106

  • SHA512

    b008b1f7c9e6c2f640ada66b84348d15ecae142740fc717392300b3d83f9922171104a546f3a7f9ce4427eebb81f85ac6dee6a3c3a8dd836af17a5d84d7f8f0e

Score
10/10
azorultinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://itrad3r.com/24cd/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
    "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      2⤵
      • Executes dropped EXE
      PID:272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • memory/272-10-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/272-11-0x000000000041A684-mapping.dmp
    Download
  • memory/272-13-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/784-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/784-3-0x00000000009D0000-0x00000000009D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-5-0x00000000002F0000-0x000000000030E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/784-6-0x0000000000320000-0x0000000000321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/784-7-0x00000000003C0000-0x00000000003CB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/784-8-0x0000000000720000-0x0000000000721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-14-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp
    Filesize

    2.5MB

    Download