Overview

overview

10

Static

static

Burgan Ban...ti.exe

windows7_x64

10

Burgan Ban...ti.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-11-2021 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Burgan Bank Hesap Ozeti.exe

  • Size

    618KB

  • MD5

    b741d275962b6a594401b03e6f8c258f

  • SHA1

    f69fc6c731cec9c189972d646f98ffd142e69610

  • SHA256

    039676543cb62a651daa0570029334af7e19b6c2f2b5b3a083f1a7d6ebd3143e

  • SHA512

    fb29439220b9d7159bff17017e5e1d894ba287249160ba8fcf94c2e52d277a89805f82b9230f2a62e16a2f7578726d87e34892f026a084aeea5d1a04e2fbb5a3

Score
10/10
a310loggerblustealercollectionspywarestealersuricata

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    mail.yekamuhendislik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MuhasebE123*

Signatures

  • A310logger

    A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarea310logger
  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • suricata: ET MALWARE a310Logger Stealer Exfil (SMTP)

    suricata: ET MALWARE a310Logger Stealer Exfil (SMTP)

    suricata
  • A310logger Executable 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe
    "C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dkPditXZy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9576.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3772
    • C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe
      "C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:2904
      • C:\Program Files (x86)\Windows Mail\WinMail.exe
        "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Program Files\Windows Mail\WinMail.exe
          "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
          4⤵
            PID:3608

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
      MD5

      91b41651e6e9ab352805c6d35a297d08

      SHA1

      11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

      SHA256

      0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

      SHA512

      b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
      MD5

      91b41651e6e9ab352805c6d35a297d08

      SHA1

      11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

      SHA256

      0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

      SHA512

      b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
      MD5

      055c857272026583a61e1b5821c69a24

      SHA1

      ec39d34f16487682801dd2b319554cbed57feca4

      SHA256

      190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84

      SHA512

      d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b

      Download Submit
    • memory/612-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2552-125-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

      Download
    • memory/2552-126-0x0000000000401B9C-mapping.dmp
      Download
    • memory/2904-134-0x000000001B350000-0x000000001B352000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2904-132-0x0000000000720000-0x0000000000721000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2904-129-0x0000000000000000-mapping.dmp
      Download
    • memory/3512-120-0x0000000004A50000-0x0000000004AE2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3512-123-0x0000000005AF0000-0x0000000005B6A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/3512-122-0x0000000005850000-0x0000000005851000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3512-121-0x0000000004E70000-0x0000000004E76000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3512-115-0x00000000000B0000-0x00000000000B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3512-119-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3512-118-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3512-117-0x0000000005150000-0x0000000005151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3608-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3772-124-0x0000000000000000-mapping.dmp
      Download