formbook | 8a530805d14a1d39f4016d711091acc26f7404a1dca050407f6d6ba4eeaef0f5

Analysis

max time kernel
59s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZiraatBankasi-SwiftMesaji20221123.exe
Size

1.1MB
MD5

0f46ecb9b5ea6f5fcbaf7056c316259c
SHA1

bc171b3c828566a705e82dce3a96f78e836c2dd1
SHA256

8a530805d14a1d39f4016d711091acc26f7404a1dca050407f6d6ba4eeaef0f5
SHA512

8fdde0979eb61549793725bb95455291a32ef7b674af43602239e697886941d4189d35ceb9b70b5e440b4f480fa8e333dbb960b4b7f586061697296d14a73bb4
SSDEEP

24576:8sGpbZ7QlqRYYlQ6SdVqeK0kUBwUaFkwWR+UBqdOp:iNJtRMnV0UcywWR+UBqdO

Score

10^/10

formbook go5o rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

go5o

Decoy

fS9ce6bj/U7J6Q==

KPSUZUVU42J3IaXPjqsA

cDR9Sz1n2BN9eTutNa2QNg==

POJskuyBUqUdVp2wiI8=

t9gcQ5yNydIfrO4=

9oakDnoh0VXC

o2Z9n/2iYtDFcJ2wiI8=

GLBJZsgVkt3eXZragNJjYiGQ

axuNlck5BkA8plrI

khk2/+G5g43K

Fauoa7FQG6EN2QyITg==

fgaVrOb4mLl1KGNUX6jkXCU=

HQkML53cm6Ae+zIhRg==

TBodPq4E4AJylpZiNa2QNg==

wHghSq49EVU54E8mChOvRi5W3cn3ItLVVw==

rET2JY8u+TgVpzRtRF54Kw==

b0mCXc5pcXHZ9A==

QfuIoOgHl9IfrO4=

87fV+WQT5IKlSnTqmb6SbSMctA==

E+Yg8EqQKJi9XJKVqrA2i9TO78H53I97

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

ZiraatBankasi-SwiftMesaji20221123.exe

description pid process target process

PID 1276 set thread context of 864 1276 ZiraatBankasi-SwiftMesaji20221123.exe ZiraatBankasi-SwiftMesaji20221123.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ZiraatBankasi-SwiftMesaji20221123.exeZiraatBankasi-SwiftMesaji20221123.exe

pid process

1276 ZiraatBankasi-SwiftMesaji20221123.exe
864 ZiraatBankasi-SwiftMesaji20221123.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ZiraatBankasi-SwiftMesaji20221123.exe

description pid process

Token: SeDebugPrivilege 1276 ZiraatBankasi-SwiftMesaji20221123.exe

description	pid	process	target process
PID 1276 set thread context of 864	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe

pid	process
1276	ZiraatBankasi-SwiftMesaji20221123.exe
864	ZiraatBankasi-SwiftMesaji20221123.exe

description	pid	process
Token: SeDebugPrivilege	1276	ZiraatBankasi-SwiftMesaji20221123.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ZiraatBankasi-SwiftMesaji20221123.exe

description	pid	process	target process
PID 1276 wrote to memory of 1180	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 1180	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 1180	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 1180	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 864	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 864	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 864	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 864	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 864	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 864	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe
PID 1276 wrote to memory of 864	1276	ZiraatBankasi-SwiftMesaji20221123.exe	ZiraatBankasi-SwiftMesaji20221123.exe

C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi-SwiftMesaji20221123.exe
"C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi-SwiftMesaji20221123.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi-SwiftMesaji20221123.exe
"C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi-SwiftMesaji20221123.exe"
2⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi-SwiftMesaji20221123.exe
"C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi-SwiftMesaji20221123.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-64-0x00000000004012B0-mapping.dmp

Download
memory/864-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/864-68-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/1276-55-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1276-56-0x0000000000660000-0x0000000000678000-memory.dmp

Filesize
96KB

Download
memory/1276-57-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/1276-58-0x0000000007FC0000-0x000000000806A000-memory.dmp

Filesize
680KB

Download
memory/1276-59-0x0000000005BB0000-0x0000000005C20000-memory.dmp

Filesize
448KB

Download
memory/1276-54-0x0000000000250000-0x0000000000376000-memory.dmp

Filesize
1.1MB

Download