General

  • Target: Ziraat Bankasi Swift Mesaji.exe
  • Size: 311KB
  • Sample: 230322-xqc3facf61
  • MD5: 17e860b41dc286806e477310a4cbef79
  • SHA1: 221996f82df76554d7e7dc5e3f0426a2c768020d
  • SHA256: 06243274174960778e1adac528d0c2641cf742fa2ba0759c9fe762f7a0692aff
  • SHA512: e07ca910adbce9478e97bf68c556874f4d5d6bce64530eae3abe5ef96b7af5b8d316ced1cf39980cc356f18f3a2ee18a6c419ee78322a2f45a1926aa027a5f10
  • SSDEEP: 6144:hT5UzmTaDizyCSx6atVIt9lN9CaYf6XJ/tzklftBL7mCsVesYY4+NJTRK:hT55TwIlShVkN9U4VITl7mvYY4WJE

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: mi94

Decoy


Targets


    • Formbook: Formbook is an information-stealing malware family.
    • Formbook payload
    • Checks QEMU agent file: checks for the presence of the QEMU agent, possibly to detect virtualization.
    • Deletes itself
    • Loads dropped DLL
    • Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
    • Drops file in System32 directory
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

    • Query Registry (2): T1012
    • System Information Discovery (2): T1082

Tasks