formbook | a7537f2ef1d10ef549145bd8ce586f1cce82ed841eda60b991b01137bd558bab

Analysis

max time kernel
56s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZiraatBankasi_SwiftMesaji20221129.exe
Size

720KB
MD5

850de91289a8d49117ff7b3e28551909
SHA1

83f99c1b73c61434768b0a87aec7eb9d0c3a48d0
SHA256

a7537f2ef1d10ef549145bd8ce586f1cce82ed841eda60b991b01137bd558bab
SHA512

94526ca78e830c53ec08edac0a1831587a6b7d0f6dff0e81294ea174a878a03270d24f0a5197e73134588a6cef6a554d5f7f064d9a242246fd7be31f99149bf4
SSDEEP

12288:/VShRpl3UrNYkFw1S72plNchQ4Vu1AnSq59gEolo0HzeoVCNQuw7rG2Ut8Oe:dSh3l3+NC7qZVCWo+0CosNJcUtXe

Score

10^/10

formbook go5o rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

go5o

Decoy

fS9ce6bj/U7J6Q==

KPSUZUVU42J3IaXPjqsA

cDR9Sz1n2BN9eTutNa2QNg==

POJskuyBUqUdVp2wiI8=

t9gcQ5yNydIfrO4=

9oakDnoh0VXC

o2Z9n/2iYtDFcJ2wiI8=

GLBJZsgVkt3eXZragNJjYiGQ

axuNlck5BkA8plrI

khk2/+G5g43K

Fauoa7FQG6EN2QyITg==

fgaVrOb4mLl1KGNUX6jkXCU=

HQkML53cm6Ae+zIhRg==

TBodPq4E4AJylpZiNa2QNg==

wHghSq49EVU54E8mChOvRi5W3cn3ItLVVw==

rET2JY8u+TgVpzRtRF54Kw==

b0mCXc5pcXHZ9A==

QfuIoOgHl9IfrO4=

87fV+WQT5IKlSnTqmb6SbSMctA==

E+Yg8EqQKJi9XJKVqrA2i9TO78H53I97

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

ZiraatBankasi_SwiftMesaji20221129.exe

description pid process target process

PID 1384 set thread context of 2012 1384 ZiraatBankasi_SwiftMesaji20221129.exe ZiraatBankasi_SwiftMesaji20221129.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ZiraatBankasi_SwiftMesaji20221129.exe

pid process

2012 ZiraatBankasi_SwiftMesaji20221129.exe

description	pid	process	target process
PID 1384 set thread context of 2012	1384	ZiraatBankasi_SwiftMesaji20221129.exe	ZiraatBankasi_SwiftMesaji20221129.exe

pid	process
2012	ZiraatBankasi_SwiftMesaji20221129.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ZiraatBankasi_SwiftMesaji20221129.exe

description	pid	process	target process
PID 1384 wrote to memory of 2012	1384	ZiraatBankasi_SwiftMesaji20221129.exe	ZiraatBankasi_SwiftMesaji20221129.exe
PID 1384 wrote to memory of 2012	1384	ZiraatBankasi_SwiftMesaji20221129.exe	ZiraatBankasi_SwiftMesaji20221129.exe
PID 1384 wrote to memory of 2012	1384	ZiraatBankasi_SwiftMesaji20221129.exe	ZiraatBankasi_SwiftMesaji20221129.exe
PID 1384 wrote to memory of 2012	1384	ZiraatBankasi_SwiftMesaji20221129.exe	ZiraatBankasi_SwiftMesaji20221129.exe
PID 1384 wrote to memory of 2012	1384	ZiraatBankasi_SwiftMesaji20221129.exe	ZiraatBankasi_SwiftMesaji20221129.exe
PID 1384 wrote to memory of 2012	1384	ZiraatBankasi_SwiftMesaji20221129.exe	ZiraatBankasi_SwiftMesaji20221129.exe
PID 1384 wrote to memory of 2012	1384	ZiraatBankasi_SwiftMesaji20221129.exe	ZiraatBankasi_SwiftMesaji20221129.exe

C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi_SwiftMesaji20221129.exe
"C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi_SwiftMesaji20221129.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi_SwiftMesaji20221129.exe
"C:\Users\Admin\AppData\Local\Temp\ZiraatBankasi_SwiftMesaji20221129.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-54-0x0000000000990000-0x0000000000A4A000-memory.dmp

Filesize
744KB

Download
memory/1384-55-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1384-56-0x00000000044A0000-0x0000000004540000-memory.dmp

Filesize
640KB

Download
memory/1384-57-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/1384-58-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/1384-59-0x0000000005060000-0x00000000050D0000-memory.dmp

Filesize
448KB

Download
memory/1384-60-0x0000000000950000-0x0000000000984000-memory.dmp

Filesize
208KB

Download
memory/2012-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-65-0x00000000004012B0-mapping.dmp

Download
memory/2012-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-68-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2012-69-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download