Resubmissions
Submitted          Task ID             Score
25-06-2021 19:41   210625-cgjlbhyy9x   10
17-01-2021 18:19   210117-ewbm9r64bs   10
17-01-2021 17:16   210117-4xha8fdzv6   10
12-01-2021 18:06   210112-j5blepsszn   10

Analysis
Max time kernel: 141s
Max time network: 110s
Platform: windows7_x64 (the behavioral1 run; the memory dumps below carry the behavioral1/ prefix)
Resource: win7v20201028
Submitted: 12-01-2021 18:06

Static task: static1
Behavioral task: behavioral1
  Sample: Ziraat Bankasi Swift Mesaji.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Ziraat Bankasi Swift Mesaji.exe
  Resource: win10v20201028
General
Target: Ziraat Bankasi Swift Mesaji.exe (Turkish for "Ziraat Bank SWIFT message", a finance-themed lure filename)
Size: 1.5MB
MD5: 76db2712f6619db04c1444b474229b5f
SHA1: dc3f71636f1b58e65ac93b0dc140a44a304f4433
SHA256: 6a7a3a0a6690559ef59408a9013d10b8b80c8abcbfc7bc14120820649a25919f
SHA512: ed2d6c8ffe19e63b3e393c07882feead2698f5282108ec69ed7a6be550a4bd0a0e9d603cb120b3aa788e3e4660515e5c5cc2d0c1eed2ece836a3fbeabb0a80f9
Malware Config
Extracted (masslogger)
  Family: masslogger
  Path: C:\Users\Admin\AppData\Local\60F5850B53\Log.txt

Extracted (agenttesla)
  Family: agenttesla
  Protocol: smtp
  Host: mail.debi.com.tr
  Port: 587
  Username: info@debi.com.tr
  Password: 357.Debi
The AgentTesla block is the exfiltration channel: stolen data is sent over SMTP submission (TCP/587) to this mailbox, authenticated with the credentials above. They belong to the exfiltration account (typically compromised or attacker-owned), not to the victim, so block the host and report the account rather than treating the password as a victim credential.
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
MassLogger Main Payload (3 IoCs)
Processes:
  resource                                          yara_rule
  \Users\Admin\Desktop\MassLoggerBinnemewise.exe    family_masslogger
  C:\Users\Admin\Desktop\MassLoggerBinnemewise.exe  family_masslogger
  C:\Users\Admin\Desktop\MassLoggerBinnemewise.exe  family_masslogger

MassLogger log file (1 IoC)
Detects a log file produced by MassLogger.
Processes:
  yara_rule
  masslogger_log_file

AgentTesla Payload (4 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1004-18-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/1004-19-0x00000000004374DE-mapping.dmp                     family_agenttesla
  behavioral1/memory/1004-21-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
  behavioral1/memory/1004-22-0x0000000000400000-0x000000000043C000-memory.dmp   family_agenttesla
Note the asymmetry: the MassLogger rule matches a dropped file on disk, while the AgentTesla rule matches only memory dumps of PID 1004 (InstallUtil.exe) and no file, which fits a payload that is unpacked in memory and injected rather than written to disk. File-hash IoCs therefore cover MassLogger but not the AgentTesla stage.
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1736  MassLoggerBinnemewise.exe
  1004  InstallUtil.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation   MassLoggerBinnemewise.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid  process
  936  Ziraat Bankasi Swift Mesaji.exe
  936  Ziraat Bankasi Swift Mesaji.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  5     api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid  process                          target process
  PID 936 set thread context of 1004  936  Ziraat Bankasi Swift Mesaji.exe  InstallUtil.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic text for the signature. Nothing else in this report points to ransomware; next to two infostealers, drive enumeration is more plausibly part of file collection.)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  936   Ziraat Bankasi Swift Mesaji.exe
  936   Ziraat Bankasi Swift Mesaji.exe
  1004  InstallUtil.exe
  1004  InstallUtil.exe
  1736  MassLoggerBinnemewise.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  936   Ziraat Bankasi Swift Mesaji.exe
  Token: SeDebugPrivilege  1004  InstallUtil.exe
  Token: SeDebugPrivilege  1736  MassLoggerBinnemewise.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1004  InstallUtil.exe
SetWindowsHookEx is the API used to install keyboard hooks; here it is called from the process whose memory matches the AgentTesla payload.

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                      count  pid  process                          target process
  PID 936 wrote to memory of 1736  4      936  Ziraat Bankasi Swift Mesaji.exe  MassLoggerBinnemewise.exe
  PID 936 wrote to memory of 1004  12     936  Ziraat Bankasi Swift Mesaji.exe  InstallUtil.exe
The parent writes into both children, but only PID 1004 also receives a SetThreadContext call: the dropper writes the AgentTesla image into InstallUtil.exe and redirects a thread into it, while MassLoggerBinnemewise.exe runs as a dropped file in its own right.
Processes
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe (PID 936)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Desktop\MassLoggerBinnemewise.exe (PID 1736, child of 936)
    Command line: "C:\Users\Admin\Desktop\MassLoggerBinnemewise.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (PID 1004, child of 936)
    Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
The genuine InstallUtil.exe ships with the .NET Framework under C:\Windows\Microsoft.NET\Framework\<version>\ (and Framework64\). A copy under %LOCALAPPDATA%\Temp is a dropped file, and here it serves only as the host process for the injected AgentTesla payload.
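The injection chain the signatures above describe (WriteProcessMemory into a child, then SetThreadContext on that child) can be rebuilt from the report's own event wording. The following Python is an added example and is not part of the sandbox report or its tooling. It assumes one event per line in the exact phrasing of the signature tables ("PID 936 wrote to memory of 1004", "PID 936 set thread context of 1004"), a pid-to-image table taken from the process tree, and that a genuine InstallUtil.exe lives under C:\Windows\Microsoft.NET\Framework, which is where the .NET Framework installs it. The sample events are constructed to mirror the report's IoC counts (4 writes into 1736, 12 writes and one SetThreadContext into 1004).

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Process table from the report's process tree: pid -> image path.
PROCESSES = {
    936: r"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe",
    1736: r"C:\Users\Admin\Desktop\MassLoggerBinnemewise.exe",
    1004: r"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe",
}

# Constructed sample events, one per line, in the wording the signature tables
# use. The counts mirror the report's IoC counts; they are not a real log export.
EVENTS = (
    ["PID 936 wrote to memory of 1736"] * 4
    + ["PID 936 wrote to memory of 1004"] * 12
    + ["PID 936 set thread context of 1004"]
)

# Where the genuine copy of a commonly abused .NET host binary ships (assumption:
# only InstallUtil.exe is modelled here; extend the table for other hosts).
EXPECTED_DIRS = {
    "installutil.exe": r"c:\windows\microsoft.net\framework",
}

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)$")


def parse_events(lines):
    """Yield (source_pid, action, target_pid); lines that do not match are skipped."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))


def find_injections(lines, processes):
    """Correlate cross-process memory writes with SetThreadContext per
    (source, target) pair and rate each pair. Returns findings sorted by target pid."""
    writes = defaultdict(int)
    ctx_pairs = set()
    for src, action, dst in parse_events(lines):
        if src == dst:
            continue  # a process writing its own memory is not injection
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx_pairs.add((src, dst))

    findings = []
    for src, dst in sorted(set(writes) | ctx_pairs, key=lambda p: p[1]):
        target_path = processes.get(dst, "")
        name = PureWindowsPath(target_path).name.lower()
        expected = EXPECTED_DIRS.get(name)
        # A known host binary running from outside its install directory is a dropped copy.
        misplaced = expected is not None and not target_path.lower().startswith(expected)
        ctx = (src, dst) in ctx_pairs
        if ctx and misplaced:
            severity = "high"    # write + thread redirect into a dropped host: hollowing
        elif ctx:
            severity = "medium"  # write + thread redirect into a legitimately placed host
        else:
            severity = "low"     # writes only, e.g. a parent patching a child it dropped
        findings.append({
            "source": src,
            "target": dst,
            "target_image": target_path,
            "writes": writes[(src, dst)],
            "set_thread_context": ctx,
            "misplaced_image": misplaced,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_injections(EVENTS, PROCESSES):
        print(f"{f['severity']:6} {f['source']} -> {f['target']} ({f['target_image']}): "
              f"{f['writes']} writes, SetThreadContext={f['set_thread_context']}, "
              f"misplaced={f['misplaced_image']}")
```

Run against the constructed events this flags 936 -> 1004 as high (12 writes, thread context set, InstallUtil.exe outside the Framework directory) and 936 -> 1736 as low (4 writes, no SetThreadContext). The sandbox sees these calls through API hooking; on a production host the closest Sysmon telemetry is Event ID 10 (ProcessAccess) with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x20) and PROCESS_SUSPEND_RESUME (0x800), since Sysmon does not log WriteProcessMemory or SetThreadContext themselves.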
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (also listed as \Users\Admin\AppData\Local\Temp\InstallUtil.exe)
  MD5:    91c9ae9c9a17a9db5e08b120e668c74c
  SHA1:   50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

C:\Users\Admin\Desktop\MassLoggerBinnemewise.exe (also listed as \Users\Admin\Desktop\MassLoggerBinnemewise.exe)
  MD5:    533fd831932aebe1ad47fe7568970ef3
  SHA1:   3fbf9b245126604cadaa3dc9a68f3c71534f09c2
  SHA256: 3d2e64397cf43b5c4e460fd73558f55aceafc1f00cf84b60e3f1cac987a8006f
  SHA512: 289be0adaaa82f0c450825c89084d6ce69ec58990a56b64ee38c6909951de4208ea1e8c77f75c68799cd826b0afe5c7f88b4f5204b56457961ccb66de93ceef1

Memory dumps (region and size):
  memory/936-3-0x00000000000C0000-0x00000000000C1000-memory.dmp    4KB
  memory/936-5-0x0000000000480000-0x000000000049E000-memory.dmp    120KB
  memory/936-6-0x0000000000530000-0x0000000000531000-memory.dmp    4KB
  memory/936-10-0x0000000004EC0000-0x0000000004ECB000-memory.dmp   44KB
  memory/936-14-0x0000000007510000-0x0000000007511000-memory.dmp   4KB
  memory/936-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp    6.9MB
  memory/1004-19-0x00000000004374DE-mapping.dmp                    (mapping, no size)
  memory/1004-18-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
  memory/1004-21-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
  memory/1004-22-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
  memory/1004-24-0x00000000745B0000-0x0000000074C9E000-memory.dmp  6.9MB
  memory/1736-17-0x0000000000760000-0x000000000079E000-memory.dmp  248KB
  memory/1736-13-0x0000000001230000-0x0000000001231000-memory.dmp  4KB
  memory/1736-12-0x00000000745B0000-0x0000000074C9E000-memory.dmp  6.9MB
  memory/1736-8-0x0000000000000000-mapping.dmp                     (mapping, no size)
  memory/1736-27-0x00000000007C0000-0x00000000007CF000-memory.dmp  60KB
The 0x400000-0x43C000 dumps of PID 1004 are the region the AgentTesla YARA rule matched, and the mapping address 0x4374DE lies inside it: after the parent's SetThreadContext call the redirected thread starts inside the injected image. The same 6.9MB region at 0x745B0000 appears in all three processes, consistent with a shared module mapped at the same base in each.