Analysis
- max time kernel: 146s
- max time network: 133s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 03-11-2021 09:28
Static task: static1
Behavioral task: behavioral1
- Sample: Burgan Bank Hesap Ozeti.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: Burgan Bank Hesap Ozeti.exe
- Resource: win10-en-20211014
General
- Target: Burgan Bank Hesap Ozeti.exe
- Size: 618KB
- MD5: b741d275962b6a594401b03e6f8c258f
- SHA1: f69fc6c731cec9c189972d646f98ffd142e69610
- SHA256: 039676543cb62a651daa0570029334af7e19b6c2f2b5b3a083f1a7d6ebd3143e
- SHA512: fb29439220b9d7159bff17017e5e1d894ba287249160ba8fcf94c2e52d277a89805f82b9230f2a62e16a2f7578726d87e34892f026a084aeea5d1a04e2fbb5a3
Malware Config
Extracted: blustealer
- Protocol: smtp
- Host: mail.yekamuhendislik.com
- Port: 587
- Username: [email protected]
- Password: MuhasebE123*
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
BluStealer
A Modular information stealer written in Visual Basic.
-
suricata: ET MALWARE a310Logger Stealer Exfil (SMTP)
-
A310logger Executable 2 IoCs
Processes:
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe, yara_rule: a310logger
- resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe, yara_rule: a310logger
-
Executes dropped EXE 1 IoCs
Processes:
- pid 2904: Fox.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 3512 (Burgan Bank Hesap Ozeti.exe) set thread context of PID 2552 (Burgan Bank Hesap Ozeti.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for an infostealer such as this sample, drive enumeration is more consistent with locating files to collect, so weigh it together with the stealer signatures above rather than reading it as a ransomware indicator on its own.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- pid 3512: Burgan Bank Hesap Ozeti.exe (4 occurrences)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege, pid 3512 (Burgan Bank Hesap Ozeti.exe)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid 2552: Burgan Bank Hesap Ozeti.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: Burgan Bank Hesap Ozeti.exe, Burgan Bank Hesap Ozeti.exe, WinMail.exe
- PID 3512 (Burgan Bank Hesap Ozeti.exe) wrote to memory of PID 3772 (schtasks.exe): 3 events
- PID 3512 (Burgan Bank Hesap Ozeti.exe) wrote to memory of PID 2552 (Burgan Bank Hesap Ozeti.exe): 8 events
- PID 2552 (Burgan Bank Hesap Ozeti.exe) wrote to memory of PID 2904 (Fox.exe): 2 events
- PID 2552 (Burgan Bank Hesap Ozeti.exe) wrote to memory of PID 612 (WinMail.exe): 3 events
- PID 612 (WinMail.exe) wrote to memory of PID 3608 (WinMail.exe): 2 events
-
outlook_office_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)
-
outlook_win_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: Fox.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe (PID 3512)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe (PID 3772)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dkPditXZy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9576.tmp"
      (The parent is a 32-bit process, so the System32 path in the command line is redirected to SysWOW64 by file-system redirection.)
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe (PID 2552; second instance of the same image, written to by PID 3512 via WriteProcessMemory and then SetThreadContext)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Burgan Bank Hesap Ozeti.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe (PID 2904)
         Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - outlook_office_path
         - outlook_win_path
      3. C:\Program Files (x86)\Windows Mail\WinMail.exe (PID 612)
         Command line: "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files\Windows Mail\WinMail.exe (PID 3608)
            Command line: "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
PIDs are taken from the WriteProcessMemory and SetThreadContext tables above. WinMail.exe is a legitimate Windows Mail component and OCInstallUserConfigOE is its per-user configuration switch; it is not among the dropped files and appears here as a side effect of the payload touching the messaging subsystem.
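The sandbox flattens every signature table onto a single line, which makes the 18 WriteProcessMemory rows hard to read and hides the fact that they describe only five parent/child pairs. The following is an added example, not part of the sandbox report, that re-parses the rows copied verbatim from the tables above (WriteProcessMemory, SetThreadContext, the three Outlook profile keys, and the schtasks.exe command line from the process tree) and re-derives the three behaviours an analyst would triage first: a parent writing into a child that runs the same image and then resetting its thread context (the RunPE/hollowing pattern), a scheduled task registered from an XML file in the user's Temp directory, and Outlook profile keys read by something other than Outlook. The allow-list of `outlook.exe` and the Temp-path heuristic are assumptions of this example, not something the report states.

```python
"""Added example, not part of the sandbox report: re-parse the report's flattened
signature tables and one process-tree command line into structured records and
re-derive the behaviours an analyst triages first (hollowing, persistence,
mail-profile access)."""
import re
from collections import Counter

# Rows copied verbatim from the report's WriteProcessMemory / SetThreadContext
# tables; the sandbox joined every row onto one line. Repeat counts match the
# report (3 + 8 + 2 + 3 + 2 = 18 IoCs).
WRITE_PROCESS_MEMORY = (
    "PID 3512 wrote to memory of 3772 3512 Burgan Bank Hesap Ozeti.exe schtasks.exe " * 3
    + "PID 3512 wrote to memory of 2552 3512 Burgan Bank Hesap Ozeti.exe Burgan Bank Hesap Ozeti.exe " * 8
    + "PID 2552 wrote to memory of 2904 2552 Burgan Bank Hesap Ozeti.exe Fox.exe " * 2
    + "PID 2552 wrote to memory of 612 2552 Burgan Bank Hesap Ozeti.exe WinMail.exe " * 3
    + "PID 612 wrote to memory of 3608 612 WinMail.exe WinMail.exe " * 2
)
SET_THREAD_CONTEXT = "PID 3512 set thread context of 2552 3512 Burgan Bank Hesap Ozeti.exe Burgan Bank Hesap Ozeti.exe"
# The three "Accesses Microsoft Outlook profiles" rows, also verbatim.
OUTLOOK_KEYS = (
    r"Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe "
    r"Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe "
    r"Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Fox.exe"
)
# Command line of the schtasks.exe child in the process tree.
SCHTASKS_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dkPditXZy" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9576.tmp"'
)

# Image names contain spaces, so a row ends where the next row's "PID" /
# "Key opened" prefix begins, and each image is the shortest run ending ".exe".
ROW = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 "
    r"(.+?\.exe) (.+?\.exe)(?=\s+PID\b|\s*$)"
)
KEY_ROW = re.compile(r"Key opened (\\REGISTRY\\.+?) (\S+\.exe)(?=\s+Key opened|\s*$)")
SCHTASKS = re.compile(r'/Create\b.*?/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.IGNORECASE)


def parse_process_rows(flat):
    """Split a flattened 'PID a <verb> b a src.exe dst.exe' table into dicts."""
    return [
        {"src": int(m[1]), "verb": m[2], "dst": int(m[3]),
         "src_image": m[4], "dst_image": m[5]}
        for m in ROW.finditer(flat)
    ]


def injection_edges(rows):
    """Collapse repeated WriteProcessMemory rows into (src, dst) -> event count."""
    return Counter((r["src"], r["dst"]) for r in rows if r["verb"] == "wrote to memory of")


def find_hollowing(rows):
    """A process that writes into a child running the *same* image and then
    resets that child's thread context is the classic RunPE / hollowing pattern."""
    writes = injection_edges(rows)
    return [
        {"src": r["src"], "dst": r["dst"], "image": r["src_image"],
         "writes": writes[(r["src"], r["dst"])]}
        for r in rows
        if r["verb"] == "set thread context of"
        and r["src_image"] == r["dst_image"]
        and writes[(r["src"], r["dst"])] > 0
    ]


def find_mail_profile_access(flat, allowed=("outlook.exe",)):
    """Mail profile keys opened by anything other than the mail client itself.
    The allow-list is an assumption of this example; tune it to the estate."""
    return [
        {"process": proc, "key": key}
        for key, proc in KEY_ROW.findall(flat)
        if "\\Profiles\\" in key and proc.lower() not in allowed
    ]


def inspect_schtasks(cmdline):
    """Pull /TN and /XML out of a schtasks /Create line and flag an XML
    definition sourced from a user-writable Temp directory (heuristic)."""
    m = SCHTASKS.search(cmdline)
    if not m:
        return None
    name, xml = m.groups()
    return {"task": name, "xml": xml,
            "from_temp": "\\appdata\\local\\temp\\" in xml.lower()}


if __name__ == "__main__":
    rows = parse_process_rows(WRITE_PROCESS_MEMORY + " " + SET_THREAD_CONTEXT)
    for (src, dst), n in sorted(injection_edges(rows).items()):
        print(f"{src} -> {dst}: {n} WriteProcessMemory events")
    print("hollowing:", find_hollowing(rows))
    print("mail profile access:", find_mail_profile_access(OUTLOOK_KEYS))
    print("scheduled task:", inspect_schtasks(SCHTASKS_CMDLINE))
```

Run as a script it collapses the 18 rows into five edges, reports PID 3512 hollowing PID 2552 after eight writes, lists the three profile keys opened by Fox.exe, and flags the task `Updates\dkPditXZy` as defined from an XML file under the user's Temp directory. The same three functions work on rows pasted from any other report in this format.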
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
MD5: 91b41651e6e9ab352805c6d35a297d08
SHA1: 11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e
SHA256: 0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723
SHA512: b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
MD5: 055c857272026583a61e1b5821c69a24
SHA1: ec39d34f16487682801dd2b319554cbed57feca4
SHA256: 190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84
SHA512: d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b
-
Memory dumps:
- memory/612-136-0x0000000000000000-mapping.dmp
- memory/2552-125-0x0000000000400000-0x0000000000456000-memory.dmp (344KB)
- memory/2552-126-0x0000000000401B9C-mapping.dmp
- memory/2904-134-0x000000001B350000-0x000000001B352000-memory.dmp (8KB)
- memory/2904-132-0x0000000000720000-0x0000000000721000-memory.dmp (4KB)
- memory/2904-129-0x0000000000000000-mapping.dmp
- memory/3512-120-0x0000000004A50000-0x0000000004AE2000-memory.dmp (584KB)
- memory/3512-123-0x0000000005AF0000-0x0000000005B6A000-memory.dmp (488KB)
- memory/3512-122-0x0000000005850000-0x0000000005851000-memory.dmp (4KB)
- memory/3512-121-0x0000000004E70000-0x0000000004E76000-memory.dmp (24KB)
- memory/3512-115-0x00000000000B0000-0x00000000000B1000-memory.dmp (4KB)
- memory/3512-119-0x0000000004AC0000-0x0000000004AC1000-memory.dmp (4KB)
- memory/3512-118-0x0000000004AF0000-0x0000000004AF1000-memory.dmp (4KB)
- memory/3512-117-0x0000000005150000-0x0000000005151000-memory.dmp (4KB)
- memory/3608-137-0x0000000000000000-mapping.dmp
- memory/3772-124-0x0000000000000000-mapping.dmp