formbook | 7f64aa4801b0cbae5fdda52ae4fe848ef03650a4dec91b4f4d5131a0def6b464

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

457KB
MD5

bfd5416efae1ecc1517f4b286c30b655
SHA1

6debd272160fe05b0c3397f612f1c8e7d005f376
SHA256

7f64aa4801b0cbae5fdda52ae4fe848ef03650a4dec91b4f4d5131a0def6b464
SHA512

4e29a8d547abaed04837a4e02a0b47b5b8d1a8fc435eadcb8115b5b4d3464c5239aef5a25becfb995a0f3da2536bce798bcf944d422a7211d2aef3725e8ff7c4

Score

10^/10

formbook pr28 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

warehouseufohighbay.com

kingasia77.xyz

americanoutfittes.com

jemodaevangica.com

holigantv82.com

creamkidslife.com

skillzplanetoutreach.com

goldencityofficial.com

choiceaccessorise.com

kdgkzy.com

patra.tech

chicaglo.com

9491countyroad106.com

theultracleanser.com

lesmacarons.biz

kfaluminum.com

institutodiversidade.com

woodanqnmz.store

teslabuyerusa.com

cityofbastop.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1708-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1708-63-0x000000000041F1C0-mapping.dmp	formbook
behavioral1/memory/1708-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/844-72-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/844-76-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1692 cmd.exe

pid	process
1692	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.execmmon32.exe

description	pid	process	target process
PID 852 set thread context of 1708	852	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 1708 set thread context of 1428	1708	Ziraat Bankasi Swift Mesaji.exe	Explorer.EXE
PID 844 set thread context of 1428	844	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.execmmon32.exe

pid	process
1708	Ziraat Bankasi Swift Mesaji.exe
1708	Ziraat Bankasi Swift Mesaji.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe
844	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.execmmon32.exe

pid process

1708 Ziraat Bankasi Swift Mesaji.exe
1708 Ziraat Bankasi Swift Mesaji.exe
1708 Ziraat Bankasi Swift Mesaji.exe
844 cmmon32.exe
844 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1708 Ziraat Bankasi Swift Mesaji.exe
Token: SeDebugPrivilege 844 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1708	Ziraat Bankasi Swift Mesaji.exe
Token: SeDebugPrivilege	844	cmmon32.exe

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 852 wrote to memory of 1708	852	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 852 wrote to memory of 1708	852	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 852 wrote to memory of 1708	852	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 852 wrote to memory of 1708	852	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 852 wrote to memory of 1708	852	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 852 wrote to memory of 1708	852	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 852 wrote to memory of 1708	852	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 1428 wrote to memory of 844	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 844	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 844	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 844	1428	Explorer.EXE	cmmon32.exe
PID 844 wrote to memory of 1692	844	cmmon32.exe	cmd.exe
PID 844 wrote to memory of 1692	844	cmmon32.exe	cmd.exe
PID 844 wrote to memory of 1692	844	cmmon32.exe	cmd.exe
PID 844 wrote to memory of 1692	844	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
3⤵
- Deletes itself
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-76-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/844-69-0x0000000000000000-mapping.dmp

Download
memory/844-72-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/844-71-0x0000000000220000-0x000000000022D000-memory.dmp

Filesize
52KB

Download
memory/844-73-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/844-74-0x0000000001DA0000-0x0000000001E34000-memory.dmp

Filesize
592KB

Download
memory/852-57-0x0000000004F80000-0x0000000004FEE000-memory.dmp

Filesize
440KB

Download
memory/852-54-0x0000000000B20000-0x0000000000B98000-memory.dmp

Filesize
480KB

Download
memory/852-58-0x0000000002190000-0x00000000021C4000-memory.dmp

Filesize
208KB

Download
memory/852-56-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/852-55-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/1428-77-0x0000000007CD0000-0x0000000007E43000-memory.dmp

Filesize
1.4MB

Download
memory/1428-75-0x0000000007CD0000-0x0000000007E43000-memory.dmp

Filesize
1.4MB

Download
memory/1428-68-0x00000000068C0000-0x0000000006A08000-memory.dmp

Filesize
1.3MB

Download
memory/1692-70-0x0000000000000000-mapping.dmp

Download
memory/1708-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-67-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/1708-66-0x0000000000BA0000-0x0000000000EA3000-memory.dmp

Filesize
3.0MB

Download
memory/1708-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-63-0x000000000041F1C0-mapping.dmp

Download
memory/1708-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads