Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-05-2021 08:10

Static task: static1

Behavioral task: behavioral1
- Sample: Ziraat Bankasi Swift Mesaji.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: Ziraat Bankasi Swift Mesaji.exe
- Resource: win10v20210408

General
- Target: Ziraat Bankasi Swift Mesaji.exe
- Size: 236KB
- MD5: 41a8eefc3266fe55a90e522a016f54d4
- SHA1: a3a931064476409dd4114cf01668860ad5dab37c
- SHA256: 624e5509cedfb8121623c45d583c18e8fc351bf881aafb5c2de521fccba60240
- SHA512: bb4085fc421c007d0612a795285cdd00a3615ec51055648520dd23f95a2f1f7e643ca106b3ea5863b569048b3aba2bae30c021e9237294596d98ed42d8bba85e
Malware Config
Extracted
- Family: azorult
- C2 URL: http://bengalcement.com.bd/AxPu/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Loads dropped DLL 7 IoCs
Processes:
pid    process
860    Ziraat Bankasi Swift Mesaji.exe
512    Ziraat Bankasi Swift Mesaji.exe
3060   Ziraat Bankasi Swift Mesaji.exe
2220   MSBuild.exe
2220   MSBuild.exe
2220   MSBuild.exe
2220   MSBuild.exe
(One load per dropper instance and four loads by the hollowed MSBuild.exe, which matches the one NSIS plugin DLL and the four DLLs listed under Downloads.)
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                              pid    process                           target process
PID 3060 set thread context of 2220      3060   Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
(Of the three MSBuild.exe instances written to by a dropper instance, only PID 2220 has its thread context redirected, and only PID 2220 shows any post-injection activity below.)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for an infostealer such as Azorult it is equally consistent with enumerating drives to locate files to collect.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                                                   process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      MSBuild.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  MSBuild.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid    process
2220   MSBuild.exe
2220   MSBuild.exe
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid    process
860    Ziraat Bankasi Swift Mesaji.exe
860    Ziraat Bankasi Swift Mesaji.exe
512    Ziraat Bankasi Swift Mesaji.exe
512    Ziraat Bankasi Swift Mesaji.exe
3060   Ziraat Bankasi Swift Mesaji.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description                          pid    process                           target process
PID 860 wrote to memory of 3184      860    Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 860 wrote to memory of 3184      860    Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 860 wrote to memory of 3184      860    Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 860 wrote to memory of 512       860    Ziraat Bankasi Swift Mesaji.exe   Ziraat Bankasi Swift Mesaji.exe
PID 860 wrote to memory of 512       860    Ziraat Bankasi Swift Mesaji.exe   Ziraat Bankasi Swift Mesaji.exe
PID 860 wrote to memory of 512       860    Ziraat Bankasi Swift Mesaji.exe   Ziraat Bankasi Swift Mesaji.exe
PID 512 wrote to memory of 196       512    Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 512 wrote to memory of 196       512    Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 512 wrote to memory of 196       512    Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 512 wrote to memory of 3060      512    Ziraat Bankasi Swift Mesaji.exe   Ziraat Bankasi Swift Mesaji.exe
PID 512 wrote to memory of 3060      512    Ziraat Bankasi Swift Mesaji.exe   Ziraat Bankasi Swift Mesaji.exe
PID 512 wrote to memory of 3060      512    Ziraat Bankasi Swift Mesaji.exe   Ziraat Bankasi Swift Mesaji.exe
PID 3060 wrote to memory of 2220     3060   Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 3060 wrote to memory of 2220     3060   Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 3060 wrote to memory of 2220     3060   Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
PID 3060 wrote to memory of 2220     3060   Ziraat Bankasi Swift Mesaji.exe   MSBuild.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
  - [2] C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
    - Loads dropped DLL
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
    - [3] C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
Every MSBuild.exe child is launched with the dropper's own command line rather than an MSBuild command line: the image path names one executable and the command line another, which is the image-path/command-line mismatch characteristic of process hollowing. The dropper respawns itself twice, and each instance writes into a fresh MSBuild.exe; only the deepest MSBuild.exe (PID 2220 in the signature tables) has its thread context redirected and goes on to load the dropped DLLs and read the registry, so the two earlier MSBuild.exe instances (PIDs 3184 and 196) record no signatures of their own.
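The hollowing chain above can be recovered mechanically from the signature tables. The script below is an added example for this page, not part of the sandbox report and not Azorult's code: it takes the process tree, the WriteProcessMemory and SetThreadContext rows and the dropped-DLL loads as constructed records (transcribed from this report; the pairing of PIDs to tree nodes follows the WriteProcessMemory table, and the record layout, field names and the one benign kernel32.dll load are this script's own assumptions) and scores each process on the three hollowing indicators: image-path/command-line mismatch, memory written by the parent, and thread context set by the parent. It also flags DLL loads from a user-writable temp path, which a signed build tool such as MSBuild.exe has no reason to perform.

```python
"""Process-hollowing triage over sandbox-style event records.

Added example; the records are transcribed from the report above, the
record layout is an assumption of this script, not the sandbox's format.
"""
import ntpath
from collections import Counter

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# (pid, parent pid, image path, command line). Every MSBuild.exe node is
# started with the dropper's own command line, as the report's tree shows.
PROCESSES = [
    (860,  None, DROPPER, f'"{DROPPER}"'),
    (3184, 860,  MSBUILD, f'"{DROPPER}"'),
    (512,  860,  DROPPER, f'"{DROPPER}"'),
    (196,  512,  MSBUILD, f'"{DROPPER}"'),
    (3060, 512,  DROPPER, f'"{DROPPER}"'),
    (2220, 3060, MSBUILD, f'"{DROPPER}"'),
]

# (source pid, target pid), one entry per WriteProcessMemory row (16 IoCs).
WRITES = ([(860, 3184)] * 3 + [(860, 512)] * 3 + [(512, 196)] * 3
          + [(512, 3060)] * 3 + [(3060, 2220)] * 4)

# (source pid, target pid), one entry per SetThreadContext row (1 IoC).
THREAD_CONTEXT = [(3060, 2220)]

# DLL loads by pid. The report lists four dropped-DLL loads by PID 2220 and
# four DLLs under %TEMP%\6E3C648E; matching them one-to-one is an assumption.
# The kernel32.dll row is a constructed benign load for contrast.
IMAGE_LOADS = [
    (2220, r"C:\Users\Admin\AppData\Local\Temp\6E3C648E\mozglue.dll"),
    (2220, r"C:\Users\Admin\AppData\Local\Temp\6E3C648E\msvcp140.dll"),
    (2220, r"C:\Users\Admin\AppData\Local\Temp\6E3C648E\nss3.dll"),
    (2220, r"C:\Users\Admin\AppData\Local\Temp\6E3C648E\vcruntime140.dll"),
    (2220, r"C:\Windows\System32\kernel32.dll"),
]


def cmdline_image(cmdline):
    """Return the executable a Windows command line names (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def image_mismatch(image_path, cmdline):
    """True when the loaded image is not the executable the command line names.
    A hollowed process keeps the victim's image path but inherits the
    injector's command line, exactly what the report's process tree shows."""
    image = ntpath.basename(image_path).lower()
    named = ntpath.basename(cmdline_image(cmdline)).lower()
    return image != named


def hollowing_candidates(processes, writes, thread_context):
    """Score each process on the three indicators and attach a verdict."""
    write_counts = Counter(writes)
    ctx_pairs = set(thread_context)
    results = {}
    for pid, ppid, image, cmdline in processes:
        mismatch = image_mismatch(image, cmdline)
        written = write_counts.get((ppid, pid), 0)
        ctx = (ppid, pid) in ctx_pairs
        if mismatch and written and ctx:
            verdict = "hollowed"     # payload written and a thread redirected
        elif mismatch and written:
            verdict = "attempted"    # payload written, no thread redirected
        elif written:
            verdict = "written"      # parent wrote to child, image matches
        else:
            verdict = "clean"
        results[pid] = {"image": ntpath.basename(image), "parent": ppid,
                        "mismatch": mismatch, "writes": written,
                        "thread_context": ctx, "verdict": verdict}
    return results


def injection_chain(processes, pid):
    """Walk parent links from pid to the root, e.g. [2220, 3060, 512, 860]."""
    parents = {p: pp for p, pp, _, _ in processes}
    chain = [pid]
    while parents.get(chain[-1]) is not None:
        chain.append(parents[chain[-1]])
    return chain


def loads_from_user_writable(image_loads):
    """DLLs loaded from under a user profile's temp directory."""
    marker = "\\appdata\\local\\temp\\"
    return [(pid, path) for pid, path in image_loads if marker in path.lower()]


if __name__ == "__main__":
    for pid, r in hollowing_candidates(PROCESSES, WRITES, THREAD_CONTEXT).items():
        print(pid, r["image"], r["verdict"], "writes=%d" % r["writes"])
    print("chain:", " <- ".join(map(str, injection_chain(PROCESSES, 2220))))
    for pid, path in loads_from_user_writable(IMAGE_LOADS):
        print("suspicious load:", pid, path)
```

Run stand-alone it reports PID 2220 as hollowed, PIDs 3184 and 196 as attempted (written to but never given a new thread context), the two dropper respawns as merely written to, and the four %TEMP%\6E3C648E loads as suspicious. Against real telemetry the same three indicators map onto Sysmon event 1 (image and command line), a WriteProcessMemory/NtMapViewOfSection trace and a SetThreadContext trace; the mismatch check alone is cheap enough to run on every process-creation event.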
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\04xh1al0qnjy1rcfm
MD5 c2204251cbf5973a17edcd41b94ec5c8
SHA1 ad0bb13b3ab1c2028fae8cad129001ef1d54f41a
SHA256 fb1f529540ab45872d15c8f8c3ec672221be6870034c01e1ab56c7ccdafd305c
SHA512 6a57f8d90cbe518ab0fca44f27f245f79fa4c7404b3ed19b0036e98fa5a9417909b3f0a19b03841a2b016892100e00065a77e450db5039c17219d2ca4d0c0fe4
-
C:\Users\Admin\AppData\Local\Temp\sct4rix2tae8dn
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of a zero-byte file: the sample created the file but wrote nothing to it, so the hashes identify nothing and should not be used as IoCs.)
-
\Users\Admin\AppData\Local\Temp\6E3C648E\mozglue.dll
MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
\Users\Admin\AppData\Local\Temp\6E3C648E\msvcp140.dll
MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\Users\Admin\AppData\Local\Temp\6E3C648E\nss3.dll
MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
\Users\Admin\AppData\Local\Temp\6E3C648E\vcruntime140.dll
MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
(mozglue.dll and nss3.dll are Mozilla's NSS runtime, with the MSVC runtime DLLs they depend on; an infostealer drops them so it can call NSS itself to decrypt Firefox's stored logins. The DLLs are legitimate Mozilla and Microsoft binaries, so their hashes are weak IoCs; the unusual load path under %TEMP% from a process such as MSBuild.exe is the useful signal.)
-
\Users\Admin\AppData\Local\Temp\nsh97D3.tmp\19t5vcbhf.dll
MD5 8b9dad0b976b65616b3bfe1e8db9b971
SHA1 a8f2e5fee9d4291c9b548959f55f00c557f28eca
SHA256 f2fea04f3be6a9020edca62a75a19d10112e2218d2f4be36092828da96534df7
SHA512 4356e8ba1c4acc08178cdde88b356f1cd235df5470c282f630f8eb1c29ef044c29b2216e491d54e7d8bf92a9881f2803b20467bc9f08c347af7e4217f2e14ecb
-
\Users\Admin\AppData\Local\Temp\nsiB492.tmp\19t5vcbhf.dll
MD5 8b9dad0b976b65616b3bfe1e8db9b971
SHA1 a8f2e5fee9d4291c9b548959f55f00c557f28eca
SHA256 f2fea04f3be6a9020edca62a75a19d10112e2218d2f4be36092828da96534df7
SHA512 4356e8ba1c4acc08178cdde88b356f1cd235df5470c282f630f8eb1c29ef044c29b2216e491d54e7d8bf92a9881f2803b20467bc9f08c347af7e4217f2e14ecb
-
\Users\Admin\AppData\Local\Temp\nssA698.tmp\19t5vcbhf.dll
MD5 8b9dad0b976b65616b3bfe1e8db9b971
SHA1 a8f2e5fee9d4291c9b548959f55f00c557f28eca
SHA256 f2fea04f3be6a9020edca62a75a19d10112e2218d2f4be36092828da96534df7
SHA512 4356e8ba1c4acc08178cdde88b356f1cd235df5470c282f630f8eb1c29ef044c29b2216e491d54e7d8bf92a9881f2803b20467bc9f08c347af7e4217f2e14ecb
(The ns????.tmp directory names are the pattern NSIS installers use when extracting plugin DLLs. The same DLL, identical by hash, is dropped three times, once per dropper instance, which matches the one "Loads dropped DLL" entry each for PIDs 860, 512 and 3060; this hash is the one worth keeping as an IoC for the loader stage.)
-
memory/512-116-0x0000000000000000-mapping.dmp
-
memory/860-115-0x0000000000A90000-0x0000000000A92000-memory.dmp (Filesize 8KB)
-
memory/2220-125-0x000000000041A684-mapping.dmp
-
memory/2220-127-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
-
memory/3060-121-0x0000000000000000-mapping.dmp
(The 128KB region at 0x400000-0x420000 in PID 2220, MSBuild.exe, is the region the injector wrote, and the mapping recorded at 0x41A684 lies inside it. That dump, not the on-disk MSBuild.exe or the 236KB dropper, is where to look for the unpacked Azorult payload whose config was extracted above.)