
Windows Analysis Report hesaphareketi-01.exe

Overview

General Information

Sample Name:hesaphareketi-01.exe
Analysis ID:502776
MD5:38e162610466dd251d9b377a60f65c11
SHA1:2a597d5198230eaafe8d842e76776192ba3e6742
SHA256:7eb784edddde0eddd7b21c4907916f0109334a4237a9c2eb917caf8eae81480f
Tags:exegeoTUR

Detection

AveMaria UACMe
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • hesaphareketi-01.exe (PID: 1700 cmdline: 'C:\Users\user\Desktop\hesaphareketi-01.exe' MD5: 38E162610466DD251D9B377A60F65C11)
    • hesaphareketi-01.exe (PID: 6464 cmdline: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe MD5: 38E162610466DD251D9B377A60F65C11)
    • hesaphareketi-01.exe (PID: 5380 cmdline: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe MD5: 38E162610466DD251D9B377A60F65C11)
    • hesaphareketi-01.exe (PID: 6512 cmdline: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe MD5: 38E162610466DD251D9B377A60F65C11)
  • cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "atifgabuying.ddns.net", "port": 7681}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000003.375307414.0000000000EC7000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2c98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5aa0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2c98:$c1: Elevation:Administrator!new:
  • 0x5aa0:$c1: Elevation:Administrator!new:
00000011.00000003.375307414.0000000000EC7000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
00000011.00000003.375440152.0000000000EC9000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xc98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3aa0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xc98:$c1: Elevation:Administrator!new:
  • 0x3aa0:$c1: Elevation:Administrator!new:
00000011.00000003.375440152.0000000000EC9000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
00000011.00000003.375317154.0000000000EC9000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xc98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3aa0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xc98:$c1: Elevation:Administrator!new:
  • 0x3aa0:$c1: Elevation:Administrator!new:
(27 entries in total; only the first five are listed above)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.3.hesaphareketi-01.exe.eca788.5.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
17.3.hesaphareketi-01.exe.eca788.5.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2318:$c1: Elevation:Administrator!new:
17.3.hesaphareketi-01.exe.eca788.5.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
17.2.hesaphareketi-01.exe.400000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
17.2.hesaphareketi-01.exe.400000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x191f0:$c1: Elevation:Administrator!new:
(86 entries in total; only the first five are listed above)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack | Malware Configuration Extractor: AveMaria {"C2 url": "atifgabuying.ddns.net", "port": 7681}
Multi AV Scanner detection for submitted file
Source: hesaphareketi-01.exe | Virustotal: Detection: 31%
Yara detected AveMaria stealer
Source: Yara match | File source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.hesaphareketi-01.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000003.375572565.0000000000EB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372473445.00000000026B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.375283442.0000000000EBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.375468406.0000000000EBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372592569.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe | Virustotal: Detection: 31%
Machine Learning detection for sample
Source: hesaphareketi-01.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skype.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe | Joe Sandbox ML: detected
Source: 17.2.hesaphareketi-01.exe.400000.0.unpack | Avira: Label: TR/Redcap.ghjpt

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.eca788.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.eca788.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3699ae0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.eca788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.eca788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.eca788.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.ec8f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.ec4848.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.ec4848.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.26f135c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.ecbd20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.ecbd20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.ec4848.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.ecbd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.hesaphareketi-01.exe.eca788.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000003.375307414.0000000000EC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.375440152.0000000000EC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.375317154.0000000000EC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372473445.00000000026B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.510538676.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372592569.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hesaphareketi-01.exe PID: 1700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hesaphareketi-01.exe PID: 6512, type: MEMORYSTR
Source: hesaphareketi-01.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown | HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\hesaphareketi-01.exe | Directory created: C:\Program Files\Microsoft DN1
Source: hesaphareketi-01.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: hesaphareketi-01.exe
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: hesaphareketi-01.exe, 00000011.00000003.383843457.0000000003FE1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: atifgabuying.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: atifgabuying.ddns.net
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /download/a3cd5cbe-ac92-4ed8-a75c-282d6ded34cd/Gppieq.dll HTTP/1.1 Host: store2.gofile.io Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 31.14.69.10 31.14.69.10
Source: global traffic | TCP traffic: 192.168.2.5:49784 -> 185.66.91.154:7681
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: hesaphareketi-01.exe, 00000000.00000002.372341760.0000000002601000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hesaphareketi-01.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: hesaphareketi-01.exe, 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, hesaphareketi-01.exe, 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: hesaphareketi-01.exe, 00000000.00000002.372341760.0000000002601000.00000004.00000001.sdmp | String found in binary or memory: https://store2.gofile.io
Source: hesaphareketi-01.exe | String found in binary or memory: https://store2.gofile.io/download/a3cd5cbe-ac92-4ed8-a75c-282d6ded34cd/Gppieq.dll
Source: unknown | DNS traffic detected: queries for: store2.gofile.io
Source: global traffic | HTTP traffic detected: GET /download/a3cd5cbe-ac92-4ed8-a75c-282d6ded34cd/Gppieq.dll HTTP/1.1 Host: store2.gofile.io Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: hesaphareketi-01.exe, 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp | Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match | File source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.hesaphareketi-01.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000003.375572565.0000000000EB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372661566.0000000003681000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372473445.00000000026B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.375283442.0000000000EBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.375468406.0000000000EBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372592569.0000000003609000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 17.3.hesaphareketi-01.exe.eca788.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 17.3.hesaphareketi-01.exe.eca788.5.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3699ae0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.3.hesaphareketi-01.exe.eca788.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 17.3.hesaphareketi-01.exe.eca788.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.3.hesaphareketi-01.exe.eca788.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.2.hesaphareketi-01.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 17.2.hesaphareketi-01.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 17.3.hesaphareketi-01.exe.ec8f18.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.3.hesaphareketi-01.exe.ec4848.11.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.3.hesaphareketi-01.exe.ec4848.10.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.26f135c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.3.hesaphareketi-01.exe.ecbd20.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 17.3.hesaphareketi-01.exe.ecbd20.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.3.hesaphareketi-01.exe.ec4848.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.3.hesaphareketi-01.exe.ecbd20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 17.3.hesaphareketi-01.exe.eca788.8.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 00000011.00000002.510453136.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone | Author: unknown
Source: hesaphareketi-01.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 17.3.hesaphareketi-01.exe.eca788.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.3.hesaphareketi-01.exe.eca788.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.hesaphareketi-01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.hesaphareketi-01.exe.3623fa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.hesaphareketi-01.exe.3659650.4.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.3.hesaphareketi-01.exe.eca788.5.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.3.hesaphareketi-01.exe.eca788.5.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3699ae0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3699ae0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.3.hesaphareketi-01.exe.eca788.8.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.3.hesaphareketi-01.exe.eca788.8.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.hesaphareketi-01.exe.3659650.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.3.hesaphareketi-01.exe.eca788.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.2.hesaphareketi-01.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 17.2.hesaphareketi-01.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 17.3.hesaphareketi-01.exe.ec8f18.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec8f18.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.10.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.10.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.26f135c.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.26f135c.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.hesaphareketi-01.exe.3681670.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 17.3.hesaphareketi-01.exe.ecbd20.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ec4848.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.ecbd20.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.8.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 17.3.hesaphareketi-01.exe.eca788.8.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 0.2.hesaphareketi-01.exe.3681670.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f