
Windows Analysis Report Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Sample Name: Ziraat Bankasi Swift Mesaji.exe
Analysis ID: 553163
MD5: 161523651320083122d05dd374c87ec4
SHA1: df8fae3ff1125841de5aa2306de3501e8204919a
SHA256: f4d91c834da24d653fef9049355102bcb68be411280268af61ac8f59bce581db
Tags: AgentTesla, exe, geo, TUR, ZiraatBank

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Detected unpacking (creates a PE file in dynamic memory)
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "fizikokimya@antimikrop.com.tr", "Password": "fiziko2016Kimya", "Host": "mail.antimikrop.com.tr"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.554087278.00000000037F1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.554087278.00000000037F1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000003.00000002.551571985.0000000000508000.00000004.00000020.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.551571985.0000000000508000.00000004.00000020.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000003.00000000.292334595.0000000000414000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 18 matches shown)

            Unpacked PEs

Source | Rule | Description | Author
3.2.Ziraat Bankasi Swift Mesaji.exe.37f3258.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.Ziraat Bankasi Swift Mesaji.exe.37f3258.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
3.1.Ziraat Bankasi Swift Mesaji.exe.415058.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.1.Ziraat Bankasi Swift Mesaji.exe.415058.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
3.2.Ziraat Bankasi Swift Mesaji.exe.415058.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 55 matches shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.415058.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "fizikokimya@antimikrop.com.tr", "Password": "fiziko2016Kimya", "Host": "mail.antimikrop.com.tr"}
Multi AV Scanner detection for submitted file
Source: Ziraat Bankasi Swift Mesaji.exe | ReversingLabs: Detection: 23%
Machine Learning detection for sample
Source: Ziraat Bankasi Swift Mesaji.exe | Joe Sandbox ML: detected
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.4970000.5.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Unpacked PE file: 3.2.Ziraat Bankasi Swift Mesaji.exe.4970000.5.unpack
Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.292591572.0000000003270000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.284056753.00000000030E0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.292591572.0000000003270000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.284056753.00000000030E0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00404A29 FindFirstFileExW,
Source: global traffic | TCP traffic: 192.168.2.7:49729 -> 77.88.21.37:587
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: http://lRguGt.com
Source: Ziraat Bankasi Swift Mesaji.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Ziraat Bankasi Swift Mesaji.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.553520842.00000000029D0000.00000004.00000001.sdmp | String found in binary or memory: https://Wm2Dt2zcSt3c655v3va.com
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%(
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554087278.00000000037F1000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000000.292334595.0000000000414000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554248422.0000000004930000.00000004.00020000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000001.292756258.0000000000400000.00000040.00020000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554299855.0000000004972000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.antimikrop.com.tr
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.293572777.000000000074A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary:

.NET source code contains very large array initializations
Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.4970000.5.unpack, u003cPrivateImplementationDetailsu003eu007b1374F29Cu002d8C84u002d421Cu002d89E5u002d3799DC6DC7BBu007d/u00389DEAE1Fu002dF3ECu002d4475u002dA0CFu002d11ACB2FDF936.cs | Large array initialization: .cctor: array initializer size 11991
Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_0040604C
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_00404772
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0040A2A5
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00822490
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00821808
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00821C48
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00820070
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00820BA8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00820014
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_008C5688
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_008C9CE0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_008CD438
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_008C0070
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_008CF170
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_008C0011
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_049D0A90
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_049DC8E8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_049DD310
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_049DBB38
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_049DD2F5
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00A8B136 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00A8B105 NtQuerySystemInformation,
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.285119056.00000000031F6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.285489107.000000000338F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.294724890.0000000003090000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepvCVvHYPqsReUXauAjcxcqbGhkyQCsxTXEGkQdn.exe4 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe | Binary or memory string: OriginalFilename vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554087278.00000000037F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepvCVvHYPqsReUXauAjcxcqbGhkyQCsxTXEGkQdn.exe4 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000000.292334595.0000000000414000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamepvCVvHYPqsReUXauAjcxcqbGhkyQCsxTXEGkQdn.exe4 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554248422.0000000004930000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenamepvCVvHYPqsReUXauAjcxcqbGhkyQCsxTXEGkQdn.exe4 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000001.292756258.0000000000400000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamepvCVvHYPqsReUXauAjcxcqbGhkyQCsxTXEGkQdn.exe4 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554299855.0000000004972000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamepvCVvHYPqsReUXauAjcxcqbGhkyQCsxTXEGkQdn.exe4 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File read: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00A8AFBA AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00A8AF83 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsdADF5.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@9/1
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.4970000.5.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.292591572.0000000003270000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.284056753.00000000030E0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.292591572.0000000003270000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000003.284056753.00000000030E0000.00000004.00000001.sdmp

                      Data Obfuscation:

                      barindex
                      Detected unpacking (creates a PE file in dynamic memory)Show sources
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeUnpacked PE file: 3.2.Ziraat Bankasi Swift Mesaji.exe.4970000.5.unpack
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_72C51000 push eax; ret
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00401F16 push ecx; ret
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile created: C:\Users\user\AppData\Local\Temp\nsyAE26.tmp\tkqqg.dllJump to dropped file
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFunction Chain: threadResumed,threadDelayed,memAlloc,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,systemQueried
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFunction Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 6116Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 6116Thread sleep time: -4170000s >= -30000s
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 6116Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 6116Thread sleep time: -57562s >= -30000s
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeWindow / User API: threadDelayed 544
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_00405D7C FindFirstFileA,FindClose,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_00402630 FindFirstFileA,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00404A29 FindFirstFileExW,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeThread delayed: delay time: 30000
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeAPI call chain: ExitProcess graph end node
                      Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.481381105.0000000005464000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.481221494.0000000005451000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554817015.0000000005466000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.481381105.0000000005464000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.481221494.0000000005451000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554817015.0000000005466000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_004067FE GetProcessHeap,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_0019E986 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_0019E772 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_0019EAB4 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_0019EA37 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_0019EA76 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_004035F1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00823CC0 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeMemory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00401E1D SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeMemory written: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
                      Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552656445.0000000000EF0000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
                      Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552656445.0000000000EF0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552656445.0000000000EF0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552656445.0000000000EF0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0040208D cpuid
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,StrCmpNIW,lstrlenA,
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A8BB16 GetUserNameW,

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.37f3258.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.1.Ziraat Bankasi Swift Mesaji.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Ziraat Bankasi Swift Mesaji.exe.30a1458.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3090000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.4930000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.415058.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.4930000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.415058.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.37f3258.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Ziraat Bankasi Swift Mesaji.exe.30a1458.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.5446f0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3090000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.415058.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.5446f0.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.415058.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.1.Ziraat Bankasi Swift Mesaji.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.4970000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.554087278.00000000037F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.551571985.0000000000508000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.292334595.0000000000414000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.554248422.0000000004930000.00000004.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000001.292756258.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.291447047.0000000000414000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.554299855.0000000004972000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.548601003.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.294724890.0000000003090000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 6988, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 7108, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Tries to harvest and steal FTP login credentials
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to harvest and steal browser information (history, passwords, etc.)
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara matchFile source: 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 7108, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Access Token Manipulation1 | Disable or Modify Tools11 | OS Credential Dumping2 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Native API11 | Boot or Logon Initialization Scripts | Process Injection112 | Deobfuscate/Decode Files or Information1 | Input Capture1 | Account Discovery1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | NTDS | System Information Discovery126 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion131 | LSA Secrets | Query Registry1 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation1 | Cached Domain Credentials | Security Software Discovery131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Virtualization/Sandbox Evasion131 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Application Window Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Ziraat Bankasi Swift Mesaji.exe | 23% | ReversingLabs | Win32.Trojan.AgentTesla
Ziraat Bankasi Swift Mesaji.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
3.2.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
3.2.Ziraat Bankasi Swift Mesaji.exe.4970000.5.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner
mail.antimikrop.com.tr | 0% | Virustotal

                      URLs

Source | Detection | Scanner | Label
https://api.ipify.org%( | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://lRguGt.com | 0% | Avira URL Cloud | safe
https://Wm2Dt2zcSt3c655v3va.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.yandex.ru | 77.88.21.37 | true | false | | high
mail.antimikrop.com.tr | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org%( | Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://127.0.0.1:HTTP/1.1 | Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://lRguGt.com | Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | Ziraat Bankasi Swift Mesaji.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | Ziraat Bankasi Swift Mesaji.exe | false | | high
https://Wm2Dt2zcSt3c655v3va.com | Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.553520842.00000000029D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554087278.00000000037F1000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000000.292334595.0000000000414000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554248422.0000000004930000.00000004.00020000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000001.292756258.0000000000400000.00000040.00020000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.554299855.0000000004972000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.37 | mail.yandex.ru | Russian Federation | 13238 | YANDEXRU | false

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:553163
                            Start date:14.01.2022
                            Start time:12:12:27
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 7m 59s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:Ziraat Bankasi Swift Mesaji.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:19
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@3/4@9/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 38.3% (good quality ratio 35.7%)
                            • Quality average: 78.6%
                            • Quality standard deviation: 30.1%
                            HCA Information:
                            • Successful, ratio: 87%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
12:13:56 | API Interceptor | 430x Sleep call for process: Ziraat Bankasi Swift Mesaji.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Temp\078s89jqsxc08eyh
                            Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):291839
                            Entropy (8bit):7.963840034244116
                            Encrypted:false
                            SSDEEP:6144:jpk7RyrNkcMOsZA7e0QzUwAwDHQ9tdTp3+4rALig5qDCiIt4hrBp4wyPcdG:jW7RyrS5BBzQxp+335qDXHrBp4BPcA
                            MD5:EA24D857020EB4FB65D427260C084C97
                            SHA1:CB446E36E6BDF214A3DFFB410F2F31E2EDE119E6
                            SHA-256:66F56E1C142E94CAB30C05F6E510304593544E760A9C0B1CA09D86F5D6390419
                            SHA-512:422C02D523C16E343865BC163E1C44F0AC4AB158BE647CE71FEA303B84C270A718AF4330D4AC51B88F061DD8CDBF25D9FEFFD13220E796A4992B173C3E4C8E01
                            Malicious:false
                            Reputation:low
                            Preview: (..{h..*[N...B.5X......j.....S. s..$E....W.Q..._.qV....~..z.{F...:=C...I.....K.pO.....(:`..H.g.}..{....|P..L.b.j$'B.xao..A.+m..~p&D..2..E........0.....wy!..LC.. .......gd.H.6.l8......CjG........e:).._..u).,C.wr......vb.....LY.J..X.y.!...@4.W.iC.+L.X{...*.K....O51+=V....i......J.cu s(.$EM...W.Q.t._..V....~C,.........^...........]T.4.gq..B1.8.I...q..w..@%.R.mYP.B.x.o..5.h"#......X.?.`...C.1........M...e<($.M.2Z1.....{..1.a|3....~S>....Y\w......\f.%T.......N.|.....ph....R..w..<.R4.W.iC.+...M...*.....e.5.H.....i.....S. ..l.U...B.Q..._..V..{.~C.z......0..D........]v+.]T_..gq..Bh.8n.&..q..w..@%...lP.2E.u...4.h"#..m.$XlB..`....:1....H......e<(.rG.2....nZ....1.a|3....~S>.^..Z\w......<.f.%T.......N.|...$..ph....R..w..<.R4.W.iC.+L.X{...*.N...o.5.......i.....S. s..$E....W.Q..._.qV....~C,z......0..D.......r....]T.t.gqC..B1.8nI...q..w..@%..mlP.B.xao..5.h"#...m]$Xl?.`....:1........M...e<($.M.2Z1........1.a|3....~S>....Y\w......<.f.%T.......N.|...$..
                            C:\Users\user\AppData\Local\Temp\fdazqvak
                            Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):5177
                            Entropy (8bit):6.122705645881862
                            Encrypted:false
                            SSDEEP:96:i+LPt1QjqbEf4hXCNtd6C04Dg3yDck9uBTdQXTCXt+IGNMTUdUMfyOw:tLbQjqbcw+qQ0WuQW9aSct5w
                            MD5:80D6D3B339EF43FCB75B2B520A128560
                            SHA1:1C5FC2DE82F3E04606EC99E9657CD4FE268D4879
                            SHA-256:E40995D5D9195DDC3FE5D3AA67ED4212D41C21B8C7420D7F91EB8CD3386FA792
                            SHA-512:A7F3FBA52BED2BDB39034C970CDCC4AB90C64148597D1E51EB6AF697EF3D4EC863E8C5FB8D0DA1471ECAEE5101B8F262EF659ED7536918EF48D0E6058F6AB2B8
                            Malicious:false
                            Reputation:low
                            Preview: B1 ....=.=........Y....9.Y....A....`...................A......1..-.........AA.....)..%.........A$.....a..].........AO.....Y..U.......!..Y....r..9..5...A..b..A..=..A.....Z.+......A.....[.........5...A........\.....1...)...a...Y...9...A...............?.....1...!........A....`...........\............6.[....=...Y.......!.........!......Z.....Z......!....!.........6.[.....W.A....A....[.....8.A....A....[!....l.A....A....[!...=.=..Y....A`........1...........W..............<5A.....Y...!r.!..b....1...-..Ar.!.Z:....1...-...!..Y....1....8.A*....A_......<..A...!A.................< `..........6.[....=.=..Y....A`........Y...........W..............<5A.....Y......!r.!..b....Y...U...r.!.Z:....Y...U...r.!.*:...Y...U....b.!..+....Y...U..Ar.!.Z:....Y...U...!..Y....Y....W.A7....A4...........!..A....<...............!A.................< `..........6.[....=.=.`........5...........W..............<5A.....Y...!r.!..b....5...A...r.!.Z:....5...A...!..Y....5....l.A.....A.......<...
                            C:\Users\user\AppData\Local\Temp\nsyAE25.tmp
                            Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):321764
                            Entropy (8bit):7.815561849982555
                            Encrypted:false
                            SSDEEP:6144:NHpk7RyrNkcMOsZA7e0QzUwAwDHQ9tdTp3+4rALig5qDCiIt4hrBp4wyPcd1:BW7RyrS5BBzQxp+335qDXHrBp4BPc
                            MD5:B533A0B04B17F00B9F73B661D48D04D2
                            SHA1:BF3D337FEB9029E4FB11D96229330CE4F2CEC87F
                            SHA-256:89D35CC1F3C79201E3E5A8E617D2DDB8597AF3CB56018164014746E4CFED320D
                            SHA-512:2190182461931FA9A4739BDF96010C1A12C3F5C9E3F01993D20B30690D8608301271242A667C454AA20E5D68D3C626D3612B040D666459137BCBC5AF8068500C
                            Malicious:false
                            Reputation:low
                            Preview: .P......,........................<.......O.......P..........................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            C:\Users\user\AppData\Local\Temp\nsyAE26.tmp\tkqqg.dll
                            Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:modified
                            Size (bytes):4096
                            Entropy (8bit):3.7725519810575148
                            Encrypted:false
                            SSDEEP:24:e1GSb0JDlNmEcQqV3ax/+sK4RHJiDTyaNt01a5DTyxk8q6I1nPnRuV4MPgicisCm:SgZzhWipKxt9r6IPRuqSjsvyO
                            MD5:6D4D09737E9AB179CAB4481188F7C904
                            SHA1:F49AD85CA74D5D83F7E26E09C2B251F9FF5750EF
                            SHA-256:F8F3827A1D513BE5607BADD8AB724D264360B65321DF7338425E44BB8185A274
                            SHA-512:CBD50F889DF5AEB03A539F3965D965AA009F3EBA41CCDA15831AC0516820BFDF7F313A8DE1758DC42BC5F6396644D8A40AAC023F922C374E1A3D462B83100497
                            Malicious:false
                            Reputation:low
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U.CU.CU.C...CT.C0..BZ.CU.Cw.C..BT.C..BT.C.QCT.C..BT.CRichU.C........PE..L..."2.a...........!......................... ...............................P............@.......................... ..L.... .......0.......................@..L.................................................... ...............................text...v........................... ..`.rdata..j.... ......................@..@.rsrc........0......................@..@.reloc..L....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Entropy (8bit):7.936184384803921
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 92.16%
                            • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:Ziraat Bankasi Swift Mesaji.exe
                            File size:270191
                            MD5:161523651320083122d05dd374c87ec4
                            SHA1:df8fae3ff1125841de5aa2306de3501e8204919a
                            SHA256:f4d91c834da24d653fef9049355102bcb68be411280268af61ac8f59bce581db
                            SHA512:0280e226de497d257b1a11f15e9dfd765ab0491b05199711dc71728c6a4fe9faff0a987a71ab97d37aa1af9cd4144e9611912add9d3abb507ec7efcee019ec76
                            SSDEEP:6144:owt4pSsfMNAKw5CFFe3NJMn9aiMcRmrEktnwVroIDx:Ze+wkCG9aptPBwVcS
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

                            File Icon

                            Icon Hash:b2a88c96b2ca6a72

                            Static PE Info

                            General

                            Entrypoint:0x403225
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                            DLL Characteristics:
                            Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:099c0646ea7282d232219f8807883be0

                            Entrypoint Preview

                            Instruction
                            sub esp, 00000180h
                            push ebx
                            push ebp
                            push esi
                            xor ebx, ebx
                            push edi
                            mov dword ptr [esp+18h], ebx
                            mov dword ptr [esp+10h], 00409128h
                            xor esi, esi
                            mov byte ptr [esp+14h], 00000020h
                            call dword ptr [00407030h]
                            push 00008001h
                            call dword ptr [004070B4h]
                            push ebx
                            call dword ptr [0040727Ch]
                            push 00000008h
                            mov dword ptr [00423F58h], eax
                            call 00007EFEC0CC80D0h
                            mov dword ptr [00423EA4h], eax
                            push ebx
                            lea eax, dword ptr [esp+34h]
                            push 00000160h
                            push eax
                            push ebx
                            push 0041F450h
                            call dword ptr [00407158h]
                            push 004091B0h
                            push 004236A0h
                            call 00007EFEC0CC7D87h
                            call dword ptr [004070B0h]
                            mov edi, 00429000h
                            push eax
                            push edi
                            call 00007EFEC0CC7D75h
                            push ebx
                            call dword ptr [0040710Ch]
                            cmp byte ptr [00429000h], 00000022h
                            mov dword ptr [00423EA0h], eax
                            mov eax, edi
                            jne 00007EFEC0CC559Ch
                            mov byte ptr [esp+14h], 00000022h
                            mov eax, 00429001h
                            push dword ptr [esp+14h]
                            push eax
                            call 00007EFEC0CC7868h
                            push eax
                            call dword ptr [0040721Ch]
                            mov dword ptr [esp+1Ch], eax
                            jmp 00007EFEC0CC55F5h
                            cmp cl, 00000020h
                            jne 00007EFEC0CC5598h
                            inc eax
                            cmp byte ptr [eax], 00000020h
                            je 00007EFEC0CC558Ch
                            cmp byte ptr [eax], 00000022h
                            mov byte ptr [eax+eax+00h], 00000000h

                            Rich Headers

                            Programming Language:
                            • [EXP] VC++ 6.0 SP5 build 8804

                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                            Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                            Possible Origin

                            Language of compilation system | Country where language is spoken
                            English | United States

                            Network Behavior

                            Network Port Distribution

                            TCP Packets


                            UDP Packets


                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Jan 14, 2022 12:14:21.615456104 CET | 192.168.2.7 | 8.8.8.8 | 0x490e | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:14:30.377652884 CET | 192.168.2.7 | 8.8.8.8 | 0x1e5 | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:14:43.011908054 CET | 192.168.2.7 | 8.8.8.8 | 0xb33b | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:14:51.723941088 CET | 192.168.2.7 | 8.8.8.8 | 0xa1d3 | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:04.228090048 CET | 192.168.2.7 | 8.8.8.8 | 0x115c | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:12.769236088 CET | 192.168.2.7 | 8.8.8.8 | 0xac0c | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:25.449325085 CET | 192.168.2.7 | 8.8.8.8 | 0x9d67 | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:34.207704067 CET | 192.168.2.7 | 8.8.8.8 | 0xf45a | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:46.811651945 CET | 192.168.2.7 | 8.8.8.8 | 0x8a6b | Standard query (0) | mail.antimikrop.com.tr | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Jan 14, 2022 12:14:21.774374962 CET | 8.8.8.8 | 192.168.2.7 | 0x490e | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:14:21.774374962 CET | 8.8.8.8 | 192.168.2.7 | 0x490e | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:14:21.774374962 CET | 8.8.8.8 | 192.168.2.7 | 0x490e | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:14:30.638633013 CET | 8.8.8.8 | 192.168.2.7 | 0x1e5 | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:14:30.638633013 CET | 8.8.8.8 | 192.168.2.7 | 0x1e5 | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:14:30.638633013 CET | 8.8.8.8 | 192.168.2.7 | 0x1e5 | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:14:43.133341074 CET | 8.8.8.8 | 192.168.2.7 | 0xb33b | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:14:43.133341074 CET | 8.8.8.8 | 192.168.2.7 | 0xb33b | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:14:43.133341074 CET | 8.8.8.8 | 192.168.2.7 | 0xb33b | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:14:51.741537094 CET | 8.8.8.8 | 192.168.2.7 | 0xa1d3 | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:14:51.741537094 CET | 8.8.8.8 | 192.168.2.7 | 0xa1d3 | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:14:51.741537094 CET | 8.8.8.8 | 192.168.2.7 | 0xa1d3 | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:04.381839037 CET | 8.8.8.8 | 192.168.2.7 | 0x115c | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:04.381839037 CET | 8.8.8.8 | 192.168.2.7 | 0x115c | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:04.381839037 CET | 8.8.8.8 | 192.168.2.7 | 0x115c | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:12.997183084 CET | 8.8.8.8 | 192.168.2.7 | 0xac0c | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:12.997183084 CET | 8.8.8.8 | 192.168.2.7 | 0xac0c | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:12.997183084 CET | 8.8.8.8 | 192.168.2.7 | 0xac0c | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:25.739602089 CET | 8.8.8.8 | 192.168.2.7 | 0x9d67 | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:25.739602089 CET | 8.8.8.8 | 192.168.2.7 | 0x9d67 | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:25.739602089 CET | 8.8.8.8 | 192.168.2.7 | 0x9d67 | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:34.226948977 CET | 8.8.8.8 | 192.168.2.7 | 0xf45a | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:34.226948977 CET | 8.8.8.8 | 192.168.2.7 | 0xf45a | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:34.226948977 CET | 8.8.8.8 | 192.168.2.7 | 0xf45a | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)
                            Jan 14, 2022 12:15:46.829662085 CET | 8.8.8.8 | 192.168.2.7 | 0x8a6b | No error (0) | mail.antimikrop.com.tr | domain.mail.yandex.net |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:46.829662085 CET | 8.8.8.8 | 192.168.2.7 | 0x8a6b | No error (0) | domain.mail.yandex.net | mail.yandex.ru |  | CNAME (Canonical name) | IN (0x0001)
                            Jan 14, 2022 12:15:46.829662085 CET | 8.8.8.8 | 192.168.2.7 | 0x8a6b | No error (0) | mail.yandex.ru |  | 77.88.21.37 | A (IP address) | IN (0x0001)

                            Code Manipulations

                            Statistics

                            Behavior


                            System Behavior

                            General

                            Start time:12:13:43
                            Start date:14/01/2022
                            Path:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
                            Imagebase:0x400000
                            File size:270191 bytes
                            MD5 hash:161523651320083122D05DD374C87EC4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.294724890.0000000003090000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.294724890.0000000003090000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation:low

                            General

                            Start time:12:13:45
                            Start date:14/01/2022
                            Path:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
                            Imagebase:0x400000
                            File size:270191 bytes
                            MD5 hash:161523651320083122D05DD374C87EC4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.554087278.00000000037F1000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.554087278.00000000037F1000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.551571985.0000000000508000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.551571985.0000000000508000.00000004.00000020.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.292334595.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.292334595.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.554248422.0000000004930000.00000004.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.554248422.0000000004930000.00000004.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000001.292756258.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000001.292756258.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.291447047.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.291447047.0000000000414000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.554299855.0000000004972000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.554299855.0000000004972000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.548601003.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.548601003.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.552826458.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation:low

                            Disassembly

                            Code Analysis
