Analysis
max time kernel: 147s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 11-06-2022 12:30

Static task: static1
Behavioral task: behavioral1
Sample: Ziraat Bankasi Swift Mesaji.exe
Resource: win7-20220414-en
General
Target: Ziraat Bankasi Swift Mesaji.exe
Size: 690KB
MD5: ad8c1fb6847c90cec8545d5a1d12e098
SHA1: 75587c6e26bb845a03b2c17526f85561e2664c10
SHA256: 32b7d0b30638db08927b43bb633cb29da62ab634c34de42ff582841191c31839
SHA512: 8b867ca4f8d538aef19b2707195aa0b6e83bb42b54ab035d00e52bdb6881e378a55580431b38ea60d5e87462656b2662bab56e42e2b22dd2a15a33f15d18152d
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: pr28
C2 domains: 65 in the extracted config
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload (4 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/3808-137-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/3808-143-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/4324-147-0x0000000000CA0000-0x0000000000CCF000-memory.dmp  formbook
behavioral2/memory/4324-150-0x0000000000CA0000-0x0000000000CCF000-memory.dmp  formbook

Suspicious use of SetThreadContext (3 IoCs)
Processes: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, svchost.exe
description                           pid   process                          target process
PID 1988 set thread context of 3808   1988  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
PID 3808 set thread context of 3152   3808  Ziraat Bankasi Swift Mesaji.exe  Explorer.EXE
PID 4324 set thread context of 3152   4324  svchost.exe                      Explorer.EXE

Suspicious behavior: EnumeratesProcesses (38 IoCs)
Processes: Ziraat Bankasi Swift Mesaji.exe, svchost.exe
pid   process
3808  Ziraat Bankasi Swift Mesaji.exe  (4 entries)
4324  svchost.exe                      (34 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid   process
3152  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: Ziraat Bankasi Swift Mesaji.exe, svchost.exe
pid   process
3808  Ziraat Bankasi Swift Mesaji.exe  (3 entries)
4324  svchost.exe                      (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Ziraat Bankasi Swift Mesaji.exe, svchost.exe
description               pid   process
Token: SeDebugPrivilege   3808  Ziraat Bankasi Swift Mesaji.exe
Token: SeDebugPrivilege   4324  svchost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: Ziraat Bankasi Swift Mesaji.exe, Explorer.EXE, svchost.exe
description                          pid   process                          target process
PID 1988 wrote to memory of 3808     1988  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe  (6 entries)
PID 3152 wrote to memory of 4324     3152  Explorer.EXE                     svchost.exe                      (3 entries)
PID 4324 wrote to memory of 4736     4324  svchost.exe                      cmd.exe                          (3 entries)
Processes

C:\Windows\Explorer.EXE  (PID 3152)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe  (PID 1988)
    command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe  (PID 3808)
      command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe  (PID 4324)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 4736)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
Downloads
dump                                                              filesize
memory/1988-130-0x0000000000900000-0x00000000009B2000-memory.dmp  712KB
memory/1988-131-0x0000000007D50000-0x00000000082F4000-memory.dmp  5.6MB
memory/1988-132-0x0000000007840000-0x00000000078D2000-memory.dmp  584KB
memory/1988-133-0x0000000007830000-0x000000000783A000-memory.dmp  40KB
memory/1988-134-0x000000000B130000-0x000000000B1CC000-memory.dmp  624KB
memory/1988-135-0x000000000B5C0000-0x000000000B626000-memory.dmp  408KB
memory/3152-141-0x0000000002F00000-0x0000000002FEF000-memory.dmp  956KB
memory/3152-151-0x0000000008720000-0x0000000008863000-memory.dmp  1.3MB
memory/3152-149-0x0000000008720000-0x0000000008863000-memory.dmp  1.3MB
memory/3808-137-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/3808-139-0x0000000001360000-0x00000000016AA000-memory.dmp  3.3MB
memory/3808-140-0x0000000000E20000-0x0000000000E35000-memory.dmp  84KB
memory/3808-136-0x0000000000000000-mapping.dmp                    -
memory/3808-143-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/4324-146-0x0000000001700000-0x0000000001A4A000-memory.dmp  3.3MB
memory/4324-147-0x0000000000CA0000-0x0000000000CCF000-memory.dmp  188KB
memory/4324-145-0x0000000000880000-0x000000000088E000-memory.dmp  56KB
memory/4324-148-0x0000000001600000-0x0000000001694000-memory.dmp  592KB
memory/4324-150-0x0000000000CA0000-0x0000000000CCF000-memory.dmp  188KB
memory/4324-142-0x0000000000000000-mapping.dmp                    -
memory/4736-144-0x0000000000000000-mapping.dmp                    -