Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
19/09/2023, 16:18
Static task
static1
Behavioral task
behavioral1
Sample
Ziraat Bankasi Swift Mesaji.pdf.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Ziraat Bankasi Swift Mesaji.pdf.exe
Resource
win10v2004-20230915-en
General
-
Target
Ziraat Bankasi Swift Mesaji.pdf.exe
-
Size
432KB
-
MD5
778e9469f1350fee289e910cdb8e1a0c
-
SHA1
2724c76395596bca2e97c4d2ed1bb0b4da3e2642
-
SHA256
b3d5c049904ce10dd9ac4a72851aafda6d24e7603c3b1b60436ced92274434e2
-
SHA512
03b98679fe317ecc40ca92dc173ed05ae276e89611c955785e0f864633600709f4951329e58c965f1c1b76acd4660a28eb7f8639281e3f2a6b46599f5cfd2bfd
-
SSDEEP
6144:xB+pgUvsgje7ILdTOxKT0QV6dKDj/QDXd0dl1rb5HL0k+oAD/5VijyJC+98oRvGm:xgnN+4hnT2cQZKNunKjKCk8oZGNY
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe Ziraat Bankasi Swift Mesaji.pdf.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe Ziraat Bankasi Swift Mesaji.pdf.exe -
Loads dropped DLL 11 IoCs
pid Process 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2988 Ziraat Bankasi Swift Mesaji.pdf.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 2504 Ziraat Bankasi Swift Mesaji.pdf.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2988 set thread context of 2504 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 28 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2988 Ziraat Bankasi Swift Mesaji.pdf.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2988 wrote to memory of 2504 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 28 PID 2988 wrote to memory of 2504 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 28 PID 2988 wrote to memory of 2504 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 28 PID 2988 wrote to memory of 2504 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 28 PID 2988 wrote to memory of 2504 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 28 PID 2988 wrote to memory of 2504 2988 Ziraat Bankasi Swift Mesaji.pdf.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2504
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
11KB
MD5a4dd044bcd94e9b3370ccf095b31f896
SHA117c78201323ab2095bc53184aa8267c9187d5173
SHA2562e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA51287335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
Filesize
9KB
MD50d45588070cf728359055f776af16ec4
SHA1c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415
-
Filesize
6KB
MD5c5b9fe538654a5a259cf64c2455c5426
SHA1db45505fa041af025de53a0580758f3694b9444a
SHA2567b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa
-
Filesize
41B
MD5c4829906d876f22ae69d5bdf4e401ae9
SHA14be3cc23f889d83675eb8e412776f425df75ab81
SHA25691543ad310d29d76cf717afcf0fd1db03c798cabd5448940de84516352c5c7cb
SHA5127788e3afabb9e85a1e0f71355535f7ef0694d1ab48a2c94e560671730e36703411532964bd490c0abb835a5f10cb7794ab51f4b162461d0428e6de2de4afae60
-
Filesize
7KB
MD5744f9c42403e9aabde8fc65d40bccd3e
SHA19ab49924ffa1560e5e3b70b097236a1451945829
SHA2568eb85584031b2e1d74daf372e60a72f767e8861db9d4ca2dc1981511f620e51e
SHA512924cacc1d1dd5260b6adf081bf1bfc83edaf51546af7e2f644ab53152e25889552fc99c50ddc45dc1850d7c165877637df11cd35709a49d57e6201b6f4690244
-
Filesize
11KB
MD5a4dd044bcd94e9b3370ccf095b31f896
SHA117c78201323ab2095bc53184aa8267c9187d5173
SHA2562e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA51287335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
Filesize
11KB
MD5a4dd044bcd94e9b3370ccf095b31f896
SHA117c78201323ab2095bc53184aa8267c9187d5173
SHA2562e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA51287335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
Filesize
9KB
MD50d45588070cf728359055f776af16ec4
SHA1c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415
-
Filesize
9KB
MD50d45588070cf728359055f776af16ec4
SHA1c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415
-
Filesize
6KB
MD5c5b9fe538654a5a259cf64c2455c5426
SHA1db45505fa041af025de53a0580758f3694b9444a
SHA2567b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa
-
Filesize
6KB
MD5c5b9fe538654a5a259cf64c2455c5426
SHA1db45505fa041af025de53a0580758f3694b9444a
SHA2567b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa
-
Filesize
6KB
MD5c5b9fe538654a5a259cf64c2455c5426
SHA1db45505fa041af025de53a0580758f3694b9444a
SHA2567b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa
-
Filesize
6KB
MD5c5b9fe538654a5a259cf64c2455c5426
SHA1db45505fa041af025de53a0580758f3694b9444a
SHA2567b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa
-
Filesize
6KB
MD5c5b9fe538654a5a259cf64c2455c5426
SHA1db45505fa041af025de53a0580758f3694b9444a
SHA2567b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa
-
Filesize
6KB
MD5c5b9fe538654a5a259cf64c2455c5426
SHA1db45505fa041af025de53a0580758f3694b9444a
SHA2567b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa