formbook | 52426e75e25f69d9d7a8121464fe16a213ab48519ae10b2e2fc028ce86794a8b

General

Target

Ziraat Bankasi Swift Mesaji20221129-34221.exe
Size

719KB
MD5

6a0ff43510923c27b144bf86b5e0a867
SHA1

880c264f12ea2175a81f7030dec9c7043093253f
SHA256

52426e75e25f69d9d7a8121464fe16a213ab48519ae10b2e2fc028ce86794a8b
SHA512

18f0247de11b5d3a7139f8c577560a2987fa706ed0b1eb8f08b01384d320508edbce31ceab050a82a09a97b8892680b3cab3e878bac4a1e7bfaa797ac8595c60
SSDEEP

12288:vX1wDXZCg8FEJLIJWyBgFuPDhd55slqVvsH4B4oks60PoSpK:vFwJpVIJxBnTzsOBI0Poo

Score

10^/10

formbook qmpa rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

qmpa

Decoy

IEiN8oqOnNUEkfZd

LWyAr1P5PHPV

tMGP9gYCIc9DKQ==

fWi2stCh2E3DBWuEK612

B3LCCi2JvPxfNA==

NjLnNjX+DDWt/VuEK612

AvK5/JdMDLztPRg=

U+zn2FswDLztPRg=

3bRIXGwsIc9DKQ==

EXmAoj3/7Cyl+VuEK612

1gkKPklP1odxx7c/Zm+L6HeV4g==

1cMaHDg0ypV0vbT2Ibh+/5Cj5xmAVxA=

MSyBdIV+6nFRloTQAwmFklQ=

qilszGJvhMUsHgaUx/MNSKuo6A==

WYKLwmYEij4q2Hy6sOc=

sjII/IyFmORBFPJ2dVjpG0Q=

mTjzaRwZ9OsEkfZd

iL27vFhbX5ECbBIJxvJKbPHFf9M=

5A5Xr0D5PHPV

IpxsaTO4a1/I

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ziraat Bankasi Swift Mesaji20221129-34221.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	Ziraat Bankasi Swift Mesaji20221129-34221.exe

Loads dropped DLL 1 IoCs

Processes:

explorer.exe

pid process

1000 explorer.exe

pid	process
1000	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Ziraat Bankasi Swift Mesaji20221129-34221.exeZiraat Bankasi Swift Mesaji20221129-34221.exeexplorer.exe

description	pid	process	target process
PID 1116 set thread context of 1712	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1712 set thread context of 1272	1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Explorer.EXE
PID 1712 set thread context of 1272	1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Explorer.EXE
PID 1000 set thread context of 1272	1000	explorer.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

Ziraat Bankasi Swift Mesaji20221129-34221.exeZiraat Bankasi Swift Mesaji20221129-34221.exeexplorer.exe

pid	process
1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

Ziraat Bankasi Swift Mesaji20221129-34221.exeexplorer.exe

pid	process
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Ziraat Bankasi Swift Mesaji20221129-34221.exeZiraat Bankasi Swift Mesaji20221129-34221.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe
Token: SeDebugPrivilege	1712	Ziraat Bankasi Swift Mesaji20221129-34221.exe
Token: SeDebugPrivilege	1000	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Ziraat Bankasi Swift Mesaji20221129-34221.exeExplorer.EXEexplorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"
3⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"
3⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
810KB

MD5
c6ec991471d42128268ea10236d9cdb8

SHA1
d569350d02db6a118136220da8de40a9973084f1

SHA256
1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0

SHA512
a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57

Download Submit
memory/1000-84-0x0000000002250000-0x00000000022DF000-memory.dmp

Filesize
572KB

Download
memory/1000-76-0x0000000000000000-mapping.dmp

Download
memory/1000-86-0x0000000000310000-0x000000000033D000-memory.dmp

Filesize
180KB

Download
memory/1000-80-0x0000000074851000-0x0000000074853000-memory.dmp

Filesize
8KB

Download
memory/1000-81-0x0000000000070000-0x00000000002F1000-memory.dmp

Filesize
2.5MB

Download
memory/1000-82-0x0000000000310000-0x000000000033D000-memory.dmp

Filesize
180KB

Download
memory/1000-83-0x0000000002310000-0x0000000002613000-memory.dmp

Filesize
3.0MB

Download
memory/1116-57-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/1116-56-0x0000000002150000-0x00000000021F0000-memory.dmp

Filesize
640KB

Download
memory/1116-58-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/1116-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1116-54-0x0000000000330000-0x00000000003EA000-memory.dmp

Filesize
744KB

Download
memory/1116-60-0x0000000002000000-0x0000000002034000-memory.dmp

Filesize
208KB

Download
memory/1116-59-0x00000000053F0000-0x0000000005460000-memory.dmp

Filesize
448KB

Download
memory/1272-75-0x0000000004440000-0x000000000450E000-memory.dmp

Filesize
824KB

Download
memory/1272-72-0x0000000004080000-0x0000000004157000-memory.dmp

Filesize
860KB

Download
memory/1272-85-0x0000000006CB0000-0x0000000006E2E000-memory.dmp

Filesize
1.5MB

Download
memory/1272-87-0x0000000006CB0000-0x0000000006E2E000-memory.dmp

Filesize
1.5MB

Download
memory/1712-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-77-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-79-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1712-74-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/1712-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-71-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/1712-70-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/1712-68-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1712-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-65-0x00000000004012B0-mapping.dmp

Download
memory/1712-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

description	pid	process	target process
PID 1116 wrote to memory of 1120	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1120	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1120	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1120	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1140	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1140	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1140	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1140	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1744	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1744	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1744	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1744	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1712	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1712	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1712	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1712	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1712	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1712	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1116 wrote to memory of 1712	1116	Ziraat Bankasi Swift Mesaji20221129-34221.exe	Ziraat Bankasi Swift Mesaji20221129-34221.exe
PID 1272 wrote to memory of 1000	1272	Explorer.EXE	explorer.exe
PID 1272 wrote to memory of 1000	1272	Explorer.EXE	explorer.exe
PID 1272 wrote to memory of 1000	1272	Explorer.EXE	explorer.exe
PID 1272 wrote to memory of 1000	1272	Explorer.EXE	explorer.exe
PID 1000 wrote to memory of 1084	1000	explorer.exe	Firefox.exe
PID 1000 wrote to memory of 1084	1000	explorer.exe	Firefox.exe
PID 1000 wrote to memory of 1084	1000	explorer.exe	Firefox.exe
PID 1000 wrote to memory of 1084	1000	explorer.exe	Firefox.exe
PID 1000 wrote to memory of 1084	1000	explorer.exe	Firefox.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads