Overview

overview

10

Static

static

Burgan Ban...ti.exe

windows7_x64

10

Burgan Ban...ti.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    03/11/2021, 09:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Burgan Bank Hesap Ozeti.exe

  • Size

    618KB

  • MD5

    b741d275962b6a594401b03e6f8c258f

  • SHA1

    f69fc6c731cec9c189972d646f98ffd142e69610

  • SHA256

    039676543cb62a651daa0570029334af7e19b6c2f2b5b3a083f1a7d6ebd3143e

  • SHA512

    fb29439220b9d7159bff17017e5e1d894ba287249160ba8fcf94c2e52d277a89805f82b9230f2a62e16a2f7578726d87e34892f026a084aeea5d1a04e2fbb5a3

Score
10/10
a310loggerblustealercollectionspywarestealer

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    mail.yekamuhendislik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MuhasebE123*

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • A310logger Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe
    "C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dkPditXZy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:824
    • C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe
      "C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:1204

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1204-76-0x00000000009A0000-0x00000000009A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-78-0x000000001B3C0000-0x000000001B3C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1576-68-0x0000000000180000-0x0000000000186000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1576-64-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1576-66-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1576-69-0x0000000000180000-0x000000000018A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1576-71-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1576-63-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1576-62-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1600-60-0x00000000054F0000-0x000000000556A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/1600-59-0x00000000009B0000-0x00000000009B6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1600-55-0x0000000000A60000-0x0000000000A61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1600-58-0x0000000004C80000-0x0000000004C81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1600-57-0x00000000754A1000-0x00000000754A3000-memory.dmp

          Filesize

          8KB

          Download