Analysis
max time kernel: 133s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 12:05
Static task: static1
Behavioral task: behavioral1
  Sample: Akbank Bildirimi.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Akbank Bildirimi.exe
  Resource: win10v2004-20220414-en
General
Target: Akbank Bildirimi.exe
Size: 530KB
MD5: 6864baa092a9d571a6b2b90994695ec8
SHA1: 360b38f1050fa182cb4c579dd7af60d784d3f543
SHA256: 6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
SHA512: 91fde501a8d514ff2ffeb12d0deb7721c372ccbf657e962e4ad5b35f0500a6fb5aa7e1b150ea4042ded50d7e898b5e8f432c8ee5ef931a08462a314cc4e5dd80
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: gatefee22
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
Processes:
  resource: behavioral1/memory/1680-56-0x0000000000310000-0x0000000000318000-memory.dmp; yara_rule: coreentity

AgentTesla Payload (6 IoCs)
Processes:
  resource: behavioral1/memory/1700-63-0x0000000000400000-0x0000000000452000-memory.dmp; yara_rule: family_agenttesla
  resource: behavioral1/memory/1700-64-0x0000000000400000-0x0000000000452000-memory.dmp; yara_rule: family_agenttesla
  resource: behavioral1/memory/1700-66-0x000000000044C4AE-mapping.dmp; yara_rule: family_agenttesla
  resource: behavioral1/memory/1700-65-0x0000000000400000-0x0000000000452000-memory.dmp; yara_rule: family_agenttesla
  resource: behavioral1/memory/1700-70-0x0000000000400000-0x0000000000452000-memory.dmp; yara_rule: family_agenttesla
  resource: behavioral1/memory/1700-68-0x0000000000400000-0x0000000000452000-memory.dmp; yara_rule: family_agenttesla

CoreCCC Packer (1 IoC)
Detects the CoreCCC packer used to load .NET malware.
Processes:
  resource: behavioral1/memory/1680-54-0x00000000009F0000-0x0000000000A7A000-memory.dmp; yara_rule: coreccc

Looks for VirtualBox Guest Additions in registry (2 TTPs)

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
  resource: behavioral1/memory/1680-57-0x0000000000650000-0x00000000006A8000-memory.dmp; yara_rule: rezer0

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; process: Akbank Bildirimi.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion; process: Akbank Bildirimi.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: Akbank Bildirimi.exe
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: Akbank Bildirimi.exe
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: Akbank Bildirimi.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum; process: Akbank Bildirimi.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0; process: Akbank Bildirimi.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 1680 set thread context of 1700; pid: 1680; process: Akbank Bildirimi.exe; target process: Akbank Bildirimi.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 1700; process: Akbank Bildirimi.exe
  pid: 1700; process: Akbank Bildirimi.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege; pid: 1700; process: Akbank Bildirimi.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid: 1700; process: Akbank Bildirimi.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description: PID 1680 wrote to memory of 2004; pid: 1680; process: Akbank Bildirimi.exe; target process: schtasks.exe (4 entries)
  description: PID 1680 wrote to memory of 1700; pid: 1680; process: Akbank Bildirimi.exe; target process: Akbank Bildirimi.exe (9 entries)
  description: PID 1700 wrote to memory of 1968; pid: 1700; process: Akbank Bildirimi.exe; target process: netsh.exe (4 entries)

outlook_office_path (1 IoC)
Processes:
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: Akbank Bildirimi.exe

outlook_win_path (1 IoC)
Processes:
  description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process: Akbank Bildirimi.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iCbkAkaGXo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9BC4.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe
    command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\SysWOW64\netsh.exe
      command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp9BC4.tmp
  Filesize: 1KB
  MD5: df5ce2031c6c8f9232be179cf85037d6
  SHA1: e8ba898e3aa525704fe59fa22c9da453b97a165a
  SHA256: cc557a890ec044b9f0c4993073bfcf502f7c33252bdac36e903926771978016d
  SHA512: 1d5775ef786228bc97f265f62c409c812341bc23406bf5fea0c2efa5ef703ca7142f8fe2879266d62d928e32d8030ae4914cc7313a070c2754173521f9b8b4eb
memory/1680-55-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB
memory/1680-56-0x0000000000310000-0x0000000000318000-memory.dmp
  Filesize: 32KB
memory/1680-57-0x0000000000650000-0x00000000006A8000-memory.dmp
  Filesize: 352KB
memory/1680-54-0x00000000009F0000-0x0000000000A7A000-memory.dmp
  Filesize: 552KB
memory/1700-61-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
memory/1700-63-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
memory/1700-60-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
memory/1700-64-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
memory/1700-66-0x000000000044C4AE-mapping.dmp
memory/1700-65-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
memory/1700-70-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
memory/1700-68-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
memory/1968-72-0x0000000000000000-mapping.dmp
memory/2004-58-0x0000000000000000-mapping.dmp