Malware Analysis Report

2025-04-13 20:35

Sample ID 230919-tseghaad4v
Target Ziraat Bankasi Swift Mesaji.exe
SHA256 69dc0e9d1c32e23c27af3da7736bb1dae9018a1f1144ea8f12adeccc5208d915
Tags
guloader downloader azorult collection discovery infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69dc0e9d1c32e23c27af3da7736bb1dae9018a1f1144ea8f12adeccc5208d915

Threat Level: Known bad

The file Ziraat Bankasi Swift Mesaji.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader azorult collection discovery infostealer spyware stealer trojan

Azorult

Guloader,Cloudeye

Reads user/profile data of web browsers

Loads dropped DLL

Reads user/profile data of local email clients

Checks QEMU agent file

Reads data files stored by FTP clients

Reads local data of messenger clients

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks processor information in registry

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-19 16:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-19 16:18

Reported

2023-09-19 16:21

Platform

win7-20230831-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2412 set thread context of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe

"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe

"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 agencypress.wpengine.com udp 1
US 35.192.134.14:443 agencypress.wpengine.com tcp 59

Files

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\BgImage.dll

MD5 744f9c42403e9aabde8fc65d40bccd3e
SHA1 9ab49924ffa1560e5e3b70b097236a1451945829
SHA256 8eb85584031b2e1d74daf372e60a72f767e8861db9d4ca2dc1981511f620e51e
SHA512 924cacc1d1dd5260b6adf081bf1bfc83edaf51546af7e2f644ab53152e25889552fc99c50ddc45dc1850d7c165877637df11cd35709a49d57e6201b6f4690244

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nso73FA.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

C:\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\trykimprgneringerne.ini

MD5 c4829906d876f22ae69d5bdf4e401ae9
SHA1 4be3cc23f889d83675eb8e412776f425df75ab81
SHA256 91543ad310d29d76cf717afcf0fd1db03c798cabd5448940de84516352c5c7cb
SHA512 7788e3afabb9e85a1e0f71355535f7ef0694d1ab48a2c94e560671730e36703411532964bd490c0abb835a5f10cb7794ab51f4b162461d0428e6de2de4afae60

\Users\Admin\AppData\Local\Temp\nso73FA.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

memory/2412-59-0x0000000003700000-0x00000000054D2000-memory.dmp

memory/2412-60-0x0000000003700000-0x00000000054D2000-memory.dmp

memory/2412-61-0x0000000076DE0000-0x0000000076F89000-memory.dmp

memory/2412-62-0x0000000076FD0000-0x00000000770A6000-memory.dmp

memory/2412-63-0x0000000000360000-0x0000000000366000-memory.dmp

memory/2544-64-0x0000000000470000-0x0000000002242000-memory.dmp

memory/2544-65-0x0000000076DE0000-0x0000000076F89000-memory.dmp

memory/2544-66-0x0000000000470000-0x0000000002242000-memory.dmp

memory/2544-67-0x0000000072410000-0x0000000073472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2E34.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar2E85.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-19 16:18

Reported

2023-09-19 16:21

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"

Signatures

Azorult

trojan infostealer azorult

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A 26

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1436 set thread context of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe

"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe

"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1792 -ip 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 2308

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 133.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 agencypress.wpengine.com udp
US 35.192.134.14:443 agencypress.wpengine.com tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.134.192.35.in-addr.arpa udp
US 8.8.8.8:53 hoswell.shop udp
US 188.114.97.0:80 hoswell.shop tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 188.114.97.0:80 hoswell.shop tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\BgImage.dll

MD5 744f9c42403e9aabde8fc65d40bccd3e
SHA1 9ab49924ffa1560e5e3b70b097236a1451945829
SHA256 8eb85584031b2e1d74daf372e60a72f767e8861db9d4ca2dc1981511f620e51e
SHA512 924cacc1d1dd5260b6adf081bf1bfc83edaf51546af7e2f644ab53152e25889552fc99c50ddc45dc1850d7c165877637df11cd35709a49d57e6201b6f4690244

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsDialogs.dll

MD5 0d45588070cf728359055f776af16ec4
SHA1 c4375ceb2883dee74632e81addbfa4e8b0c6d84a
SHA256 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
SHA512 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\trykimprgneringerne.ini

MD5 c4829906d876f22ae69d5bdf4e401ae9
SHA1 4be3cc23f889d83675eb8e412776f425df75ab81
SHA256 91543ad310d29d76cf717afcf0fd1db03c798cabd5448940de84516352c5c7cb
SHA512 7788e3afabb9e85a1e0f71355535f7ef0694d1ab48a2c94e560671730e36703411532964bd490c0abb835a5f10cb7794ab51f4b162461d0428e6de2de4afae60

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

C:\Users\Admin\AppData\Local\Temp\nssD832.tmp\nsExec.dll

MD5 c5b9fe538654a5a259cf64c2455c5426
SHA1 db45505fa041af025de53a0580758f3694b9444a
SHA256 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
SHA512 f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

memory/1436-68-0x0000000004A30000-0x0000000006802000-memory.dmp

memory/1436-69-0x0000000004A30000-0x0000000006802000-memory.dmp

memory/1436-70-0x0000000077181000-0x00000000772A1000-memory.dmp

memory/1436-71-0x00000000024D0000-0x00000000024D6000-memory.dmp

memory/1792-72-0x0000000000470000-0x0000000002242000-memory.dmp

memory/1792-73-0x0000000000470000-0x0000000002242000-memory.dmp

memory/1792-74-0x0000000077181000-0x00000000772A1000-memory.dmp

memory/1792-75-0x0000000077208000-0x0000000077209000-memory.dmp

memory/1792-76-0x0000000077225000-0x0000000077226000-memory.dmp

memory/1792-83-0x0000000072AC0000-0x0000000073D14000-memory.dmp

memory/1792-84-0x0000000000470000-0x0000000002242000-memory.dmp

memory/1792-85-0x0000000032440000-0x0000000032467000-memory.dmp

memory/1792-86-0x0000000072AC0000-0x0000000073D14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E671BC02\nss3.dll

MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

C:\Users\Admin\AppData\Local\Temp\E671BC02\mozglue.dll

MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

C:\Users\Admin\AppData\Local\Temp\E671BC02\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\E671BC02\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\Users\Admin\AppData\Local\Temp\E671BC02\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

memory/1792-148-0x0000000077181000-0x00000000772A1000-memory.dmp

memory/1792-149-0x0000000072AC0000-0x0000000073D14000-memory.dmp

memory/1792-152-0x0000000000470000-0x0000000002242000-memory.dmp

memory/1792-153-0x0000000072AC0000-0x0000000073D14000-memory.dmp