Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 03-11-2021 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: Burgan Bank Hesap Ozeti.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: Burgan Bank Hesap Ozeti.exe
  Resource: win10-en-20211014
General
- Target: Burgan Bank Hesap Ozeti.exe
- Size: 618KB
- MD5: b741d275962b6a594401b03e6f8c258f
- SHA1: f69fc6c731cec9c189972d646f98ffd142e69610
- SHA256: 039676543cb62a651daa0570029334af7e19b6c2f2b5b3a083f1a7d6ebd3143e
- SHA512: fb29439220b9d7159bff17017e5e1d894ba287249160ba8fcf94c2e52d277a89805f82b9230f2a62e16a2f7578726d87e34892f026a084aeea5d1a04e2fbb5a3
Malware Config
Extracted: blustealer
- Protocol: smtp
- Host: mail.yekamuhendislik.com
- Port: 587
- Username: muhasebe@yekamuhendislik.com
- Password: MuhasebE123*
Signatures
- A310logger
  A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- BluStealer
  A modular information stealer written in Visual Basic.
- A310logger Executable (3 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe / a310logger
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe / a310logger
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe / a310logger
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1204 / Fox.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1576 / Burgan Bank Hesap Ozeti.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Fox.exe
    Key opened / \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Fox.exe
    Key opened / \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Fox.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1600 set thread context of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    1600 / Burgan Bank Hesap Ozeti.exe
    1600 / Burgan Bank Hesap Ozeti.exe
    1600 / Burgan Bank Hesap Ozeti.exe
    1600 / Burgan Bank Hesap Ozeti.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 1600 / Burgan Bank Hesap Ozeti.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
    1576 / Burgan Bank Hesap Ozeti.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description / pid / process / target process):
    PID 1600 wrote to memory of 824 / 1600 / Burgan Bank Hesap Ozeti.exe / schtasks.exe
    PID 1600 wrote to memory of 824 / 1600 / Burgan Bank Hesap Ozeti.exe / schtasks.exe
    PID 1600 wrote to memory of 824 / 1600 / Burgan Bank Hesap Ozeti.exe / schtasks.exe
    PID 1600 wrote to memory of 824 / 1600 / Burgan Bank Hesap Ozeti.exe / schtasks.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1600 wrote to memory of 1576 / 1600 / Burgan Bank Hesap Ozeti.exe / Burgan Bank Hesap Ozeti.exe
    PID 1576 wrote to memory of 1204 / 1576 / Burgan Bank Hesap Ozeti.exe / Fox.exe
    PID 1576 wrote to memory of 1204 / 1576 / Burgan Bank Hesap Ozeti.exe / Fox.exe
    PID 1576 wrote to memory of 1204 / 1576 / Burgan Bank Hesap Ozeti.exe / Fox.exe
    PID 1576 wrote to memory of 1204 / 1576 / Burgan Bank Hesap Ozeti.exe / Fox.exe
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Fox.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / Fox.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dkPditXZy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
  MD5: 91b41651e6e9ab352805c6d35a297d08
  SHA1: 11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
  SHA256: 0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
  SHA512: b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
  MD5: 91b41651e6e9ab352805c6d35a297d08
  SHA1: 11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
  SHA256: 0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
  SHA512: b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892
- memory/824-61-0x0000000000000000-mapping.dmp
- memory/1204-73-0x0000000000000000-mapping.dmp
- memory/1204-76-0x00000000009A0000-0x00000000009A1000-memory.dmp (Filesize: 4KB)
- memory/1204-78-0x000000001B3C0000-0x000000001B3C2000-memory.dmp (Filesize: 8KB)
- memory/1576-68-0x0000000000180000-0x0000000000186000-memory.dmp (Filesize: 24KB)
- memory/1576-64-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize: 344KB)
- memory/1576-66-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize: 344KB)
- memory/1576-67-0x0000000000401B9C-mapping.dmp
- memory/1576-69-0x0000000000180000-0x000000000018A000-memory.dmp (Filesize: 40KB)
- memory/1576-71-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize: 344KB)
- memory/1576-63-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize: 344KB)
- memory/1576-62-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize: 344KB)
- memory/1600-60-0x00000000054F0000-0x000000000556A000-memory.dmp (Filesize: 488KB)
- memory/1600-59-0x00000000009B0000-0x00000000009B6000-memory.dmp (Filesize: 24KB)
- memory/1600-55-0x0000000000A60000-0x0000000000A61000-memory.dmp (Filesize: 4KB)
- memory/1600-58-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize: 4KB)
- memory/1600-57-0x00000000754A1000-0x00000000754A3000-memory.dmp (Filesize: 8KB)