Overview

overview

10

Static

static

Ziraat Ban...ji.exe

windows7-x64

10

Ziraat Ban...ji.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2022 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ziraat Bankasi swift mesaji.exe

  • Size

    859KB

  • MD5

    2aef199a37a0cb73fc832ce7e26da6f3

  • SHA1

    3ced4d57eeaa6d22e2a1b247ce7ae87729e02d5d

  • SHA256

    f9e4451730239448df0b825886e85b1af1ce388697ed890e8d1d4152b09312d0

  • SHA512

    eafe6158ff2c9e26c97a64ff73b886db3a1133d56bbd02b2d3b9cefdcef68b7de573661331489d8fbbd7c83c756c42120019328c44bb0dcd09ff6d373313a10a

  • SSDEEP

    12288:lNtcDwROWJpq7bwwgNrEEGoQ1k5FQm+cQoFw2x2agCN+TiGJMTQRAFB8:hcDwRq7bLg2EG10FCcQoFjx5TN

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi swift mesaji.exe
    "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi swift mesaji.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mDixFpnqRoC.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1848
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mDixFpnqRoC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A09.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4416
    • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi swift mesaji.exe
      "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi swift mesaji.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4120

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4A09.tmp
    Filesize

    1KB

    MD5

    4119c9bfbf41e0715124a3b7dfb62b1e

    SHA1

    27e4748f5c2b2264ee1f988c8bdbcd45f1677db0

    SHA256

    2ab3adcc1a4d1a73b6950f859d309339a6e0d77eb7e656e752885c1a1caa6f9b

    SHA512

    0e3b92e817755484cf75a0025f30f1d6ed1ccc6f4e0e66eadaa6893172bb96df6aa4048d0ff4f4a2b05df50d419b03ae60b9fc9d0e819bb8be66eca91182c4f4

    Download Submit

  • memory/960-133-0x00000000057D0000-0x0000000005D74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/960-134-0x0000000005220000-0x00000000052B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/960-135-0x00000000051D0000-0x00000000051DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/960-136-0x0000000007C10000-0x0000000007CAC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/960-137-0x0000000008020000-0x0000000008086000-memory.dmp

    Filesize

    408KB

    Download

  • memory/960-132-0x0000000000750000-0x000000000082C000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1848-156-0x00000000702C0000-0x000000007030C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1848-148-0x0000000004E20000-0x0000000004E42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1848-164-0x0000000007500000-0x0000000007508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1848-143-0x00000000050A0000-0x00000000056C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1848-163-0x0000000007520000-0x000000000753A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1848-162-0x0000000007410000-0x000000000741E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1848-140-0x00000000025E0000-0x0000000002616000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1848-158-0x00000000078D0000-0x0000000007F4A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1848-150-0x0000000005740000-0x00000000057A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1848-161-0x0000000007460000-0x00000000074F6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1848-160-0x0000000007250000-0x000000000725A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1848-159-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1848-154-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1848-155-0x0000000006490000-0x00000000064C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1848-157-0x0000000006470000-0x000000000648E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2920-146-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2920-151-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2920-144-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2920-165-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4120-153-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download