Overview

overview

10

Static

static

Ziraat Ban...21.exe

windows7-x64

10

Ziraat Ban...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ziraat Bankasi Swift Mesaji20221129-34221.exe

  • Size

    719KB

  • MD5

    6a0ff43510923c27b144bf86b5e0a867

  • SHA1

    880c264f12ea2175a81f7030dec9c7043093253f

  • SHA256

    52426e75e25f69d9d7a8121464fe16a213ab48519ae10b2e2fc028ce86794a8b

  • SHA512

    18f0247de11b5d3a7139f8c577560a2987fa706ed0b1eb8f08b01384d320508edbce31ceab050a82a09a97b8892680b3cab3e878bac4a1e7bfaa797ac8595c60

  • SSDEEP

    12288:vX1wDXZCg8FEJLIJWyBgFuPDhd55slqVvsH4B4oks60PoSpK:vFwJpVIJxBnTzsOBI0Poo

Score
10/10
formbookqmparatspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

qmpa

Decoy

IEiN8oqOnNUEkfZd

LWyAr1P5PHPV

tMGP9gYCIc9DKQ==

fWi2stCh2E3DBWuEK612

B3LCCi2JvPxfNA==

NjLnNjX+DDWt/VuEK612

AvK5/JdMDLztPRg=

U+zn2FswDLztPRg=

3bRIXGwsIc9DKQ==

EXmAoj3/7Cyl+VuEK612

1gkKPklP1odxx7c/Zm+L6HeV4g==

1cMaHDg0ypV0vbT2Ibh+/5Cj5xmAVxA=

MSyBdIV+6nFRloTQAwmFklQ=

qilszGJvhMUsHgaUx/MNSKuo6A==

WYKLwmYEij4q2Hy6sOc=

sjII/IyFmORBFPJ2dVjpG0Q=

mTjzaRwZ9OsEkfZd

iL27vFhbX5ECbBIJxvJKbPHFf9M=

5A5Xr0D5PHPV

IpxsaTO4a1/I

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe
      "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe
        "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:820
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4600

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/820-143-0x00000000010A0000-0x00000000013EA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/820-141-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/820-144-0x0000000000AA0000-0x0000000000AB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/820-137-0x0000000000000000-mapping.dmp
      Download
    • memory/820-138-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/820-140-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/820-142-0x0000000000401000-0x000000000042E000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3092-152-0x0000000007CD0000-0x0000000007DA2000-memory.dmp
      Filesize

      840KB

      Download
    • memory/3092-150-0x0000000002C00000-0x0000000002CF9000-memory.dmp
      Filesize

      996KB

      Download
    • memory/3092-145-0x0000000002C00000-0x0000000002CF9000-memory.dmp
      Filesize

      996KB

      Download
    • memory/3092-154-0x0000000007CD0000-0x0000000007DA2000-memory.dmp
      Filesize

      840KB

      Download
    • memory/3844-149-0x00000000012A0000-0x00000000015EA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3844-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3844-147-0x00000000009E0000-0x00000000009FE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3844-148-0x0000000000550000-0x000000000057D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3844-151-0x00000000010C0000-0x000000000114F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/3844-153-0x0000000000550000-0x000000000057D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4764-134-0x0000000005510000-0x00000000055A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4764-133-0x0000000005B80000-0x0000000006124000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4764-136-0x0000000007D20000-0x0000000007DBC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4764-135-0x00000000054F0000-0x00000000054FA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4764-132-0x0000000000A80000-0x0000000000B3A000-memory.dmp
      Filesize

      744KB

      Download