azorult | c19611873222bfc236a1eeab96287424c06a987a877c164d21c7354fe72108c3

General

Target

Ziraat Bankasi Swift Mesaji.pdf.exe
Size

928KB
MD5

ff8c44307760d3f89e78a8a95980d6ea
SHA1

dd2421cc6fd60a4caadf8ec88f6635276550543b
SHA256

c19611873222bfc236a1eeab96287424c06a987a877c164d21c7354fe72108c3
SHA512

ebcadc9b92942dcc8f28e8f689290218f752cf80ce8620ae7ada371f5f3963cf5e6d5f2f021c42a8946ba4235096399ba297ec21070d96ece7e3ffe6ed3a7259
SSDEEP

24576:npp43ue2YKmNBRx6ajNlHgKUKV3hIgnYj:ppNYKWPweNl15CgnA

Score

10^/10

azorult guloader downloader infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Loads dropped DLL 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

pid process

3460 Ziraat Bankasi Swift Mesaji.pdf.exe
Drops file in System32 directory 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Supercandidly\Udlejningers.bln Ziraat Bankasi Swift Mesaji.pdf.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

pid process

3920 Ziraat Bankasi Swift Mesaji.pdf.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exeZiraat Bankasi Swift Mesaji.pdf.exe

pid process

3460 Ziraat Bankasi Swift Mesaji.pdf.exe
3920 Ziraat Bankasi Swift Mesaji.pdf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

description pid process target process

PID 3460 set thread context of 3920 3460 Ziraat Bankasi Swift Mesaji.pdf.exe Ziraat Bankasi Swift Mesaji.pdf.exe

pid	process
3460	Ziraat Bankasi Swift Mesaji.pdf.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Supercandidly\Udlejningers.bln	Ziraat Bankasi Swift Mesaji.pdf.exe

pid	process
3920	Ziraat Bankasi Swift Mesaji.pdf.exe

pid	process
3460	Ziraat Bankasi Swift Mesaji.pdf.exe
3920	Ziraat Bankasi Swift Mesaji.pdf.exe

description	pid	process	target process
PID 3460 set thread context of 3920	3460	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe

Drops file in Program Files directory 3 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\gammastraalernes\foundered.non	Ziraat Bankasi Swift Mesaji.pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\frelse.pre	Ziraat Bankasi Swift Mesaji.pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\preussiskes\vokalise.Nor135	Ziraat Bankasi Swift Mesaji.pdf.exe

Drops file in Windows directory 2 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

description	ioc	process
File opened for modification	C:\Windows\resources\netkortet.ini	Ziraat Bankasi Swift Mesaji.pdf.exe
File opened for modification	C:\Windows\Fonts\kompressor\fennoskandisk.ini	Ziraat Bankasi Swift Mesaji.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

pid process

3460 Ziraat Bankasi Swift Mesaji.pdf.exe

pid	process
3460	Ziraat Bankasi Swift Mesaji.pdf.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

description	pid	process	target process
PID 3460 wrote to memory of 3920	3460	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe
PID 3460 wrote to memory of 3920	3460	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe
PID 3460 wrote to memory of 3920	3460	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe
PID 3460 wrote to memory of 3920	3460	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe
PID 3460 wrote to memory of 3920	3460	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsbA24C.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Windows\Resources\netkortet.ini

Filesize
44B

MD5
ad691854b5e0587ed7af25c249a68fd5

SHA1
60a4465cfe7b6b663b9993fe958f8306de76d556

SHA256
b20bf1c3b7b6a17271b6a463eaac81ac8d2debc47950479047cf14ac51ca04c8

SHA512
2018e53a9c97641be6313912d3277f7aedc7788c74c0bd4574504892dc8ddeff9a206d59aa302c971a9a9e227a28055e790a94f747f3d5ab7762d2f64fb3d9b3

Download Submit
memory/3460-32-0x0000000004AF0000-0x00000000056EB000-memory.dmp

Filesize
12.0MB

Download
memory/3460-33-0x0000000077CC1000-0x0000000077DE1000-memory.dmp

Filesize
1.1MB

Download
memory/3460-34-0x0000000074910000-0x0000000074917000-memory.dmp

Filesize
28KB

Download
memory/3460-35-0x0000000004AF0000-0x00000000056EB000-memory.dmp

Filesize
12.0MB

Download
memory/3920-36-0x00000000004F0000-0x00000000010EB000-memory.dmp

Filesize
12.0MB

Download
memory/3920-37-0x0000000077D48000-0x0000000077D49000-memory.dmp

Filesize
4KB

Download
memory/3920-38-0x0000000077D65000-0x0000000077D66000-memory.dmp

Filesize
4KB

Download
memory/3920-45-0x00000000736B0000-0x0000000074904000-memory.dmp

Filesize
18.3MB

Download
memory/3920-46-0x00000000004F0000-0x00000000010EB000-memory.dmp

Filesize
12.0MB

Download
memory/3920-47-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/3920-48-0x00000000004F0000-0x00000000010EB000-memory.dmp

Filesize
12.0MB

Download
memory/3920-49-0x00000000736B0000-0x0000000074904000-memory.dmp

Filesize
18.3MB

Download
memory/3920-50-0x0000000077CC1000-0x0000000077DE1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads