Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-10-2022 11:21

General

  • Target

    Ziraat Bankasi Swift Mesaji.pdf.exe

  • Size

    896KB

  • MD5

    44be4836f3228810bdb241f11a393952

  • SHA1

    6ad820d986a29601c52346323cdeff859deba0b6

  • SHA256

    7130b704fe2c8bf91508ad0dfa4869780e5afc92918f0f92e25c4e9523d1ab56

  • SHA512

    a17b9c1e08bb8bed6bc338e4ce9ccef5639fd4e9259d4401a18942c33370abce56aad6643f57be550c4066eb276ab1286647f7c326a3db9a4ef62b257416d165

  • SSDEEP

    12288:FHa2PRb2y2aWXAwWVTqiG78nvYpYWJrj+vSjURiijEZs1s4A54ve:UY2zXKV28nv8xj3jUR/E624ve

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5617443580:AAFX8iYrXMCASkw95O815OVGuLWLdSgh8Qo/sendMessage?chat_id=5334267822

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (13 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (25 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hxHmXpuPT.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3692
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hxHmXpuPT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A1B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3684
    • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
      2⤵
      PID:4100
    • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
      2⤵
      PID:2040
    • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2976

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3A1B.tmp

    Filesize

    1KB

    MD5

    6225bb36f83a5bea6fcef587de0ea7b0

    SHA1

    6f44f3ff718ca50b656e4d7c65b80d35b42f9e43

    SHA256

    c5604481af188e47476c2d2245d8ca5cdceb8fb48c2af8e4c88cc4d351f5aed4

    SHA512

    9886431e14d5bf83f1d95db2b73269ebfa84668fcabe17367086b576cd7b0d6f923611d9392aedfba844356eb119c70b0ac2eed64b6dd2cf9725a0417132a2fd

  • memory/2976-156-0x0000000001320000-0x000000000133A000-memory.dmp

    Filesize

    104KB

  • memory/3692-150-0x0000000005510000-0x0000000005532000-memory.dmp

    Filesize

    136KB

  • memory/3692-159-0x0000000006B60000-0x0000000006B7E000-memory.dmp

    Filesize

    120KB

  • memory/3692-166-0x0000000007BF0000-0x0000000007BF8000-memory.dmp

    Filesize

    32KB

  • memory/3692-165-0x0000000007C10000-0x0000000007C2A000-memory.dmp

    Filesize

    104KB

  • memory/3692-141-0x0000000005010000-0x0000000005046000-memory.dmp

    Filesize

    216KB

  • memory/3692-164-0x0000000007B00000-0x0000000007B0E000-memory.dmp

    Filesize

    56KB

  • memory/3692-163-0x0000000007B50000-0x0000000007BE6000-memory.dmp

    Filesize

    600KB

  • memory/3692-144-0x00000000056A0000-0x0000000005CC8000-memory.dmp

    Filesize

    6.2MB

  • memory/3692-162-0x0000000007940000-0x000000000794A000-memory.dmp

    Filesize

    40KB

  • memory/3692-161-0x00000000078D0000-0x00000000078EA000-memory.dmp

    Filesize

    104KB

  • memory/3692-160-0x0000000007F10000-0x000000000858A000-memory.dmp

    Filesize

    6.5MB

  • memory/3692-151-0x00000000055B0000-0x0000000005616000-memory.dmp

    Filesize

    408KB

  • memory/3692-158-0x00000000705D0000-0x000000007061C000-memory.dmp

    Filesize

    304KB

  • memory/3692-157-0x0000000006BD0000-0x0000000006C02000-memory.dmp

    Filesize

    200KB

  • memory/3692-154-0x00000000064D0000-0x00000000064EE000-memory.dmp

    Filesize

    120KB

  • memory/3752-153-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3752-148-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3752-146-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3752-167-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4508-133-0x00000000050C0000-0x0000000005664000-memory.dmp

    Filesize

    5.6MB

  • memory/4508-134-0x0000000004BB0000-0x0000000004C42000-memory.dmp

    Filesize

    584KB

  • memory/4508-132-0x0000000000240000-0x0000000000320000-memory.dmp

    Filesize

    896KB

  • memory/4508-135-0x0000000004B90000-0x0000000004B9A000-memory.dmp

    Filesize

    40KB

  • memory/4508-136-0x0000000008500000-0x000000000859C000-memory.dmp

    Filesize

    624KB

  • memory/4508-137-0x0000000008950000-0x00000000089B6000-memory.dmp

    Filesize

    408KB