General

  • Target

    Ziraat Bankasi Swift Mesaji.pdf.exe

  • Size

    413KB

  • Sample

    230920-vgtbyshe7t

  • MD5

    9fbef348c8c0558a2f192df83d0c4437

  • SHA1

    05ec32a1d41c3c3e1ee696347749797bac1c9bab

  • SHA256

    351db39c3affe720b1666ee7fea828ef85c9801c403f8f1e0e74998450c6d9ad

  • SHA512

    e8cd13d3668310ca19f7334cb6d66eeb9bfa8942a8bb311bdd368a8dc1d9c63ead8815109ccf7a2efbd072920abbc1d2fe19e44041f2e2385e95cef7d6f33e78

  • SSDEEP

    6144:xB+pgUvsgje7ILkbl3XD/wO5V/GqkerBON1VnWjC1aLgPzVdin04tN3p:xgnN+4kZXD/WgLgLVdyNZ

Malware Config

Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
