General

  • Target

    Ziraat Bankasi Swift Mesaji.exe

  • Size

    295KB

  • Sample

    230327-mja96ada32

  • MD5

    892c52f192cb1905afbf9f09d8c1bf38

  • SHA1

    623c6e347b5ebb0c788fc0a4bf39e6a6e690b1e9

  • SHA256

    83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9

  • SHA512

    d5c2587d19fde5c57b21053691501fc1e040305838c1b9fa61a04e229fbe7158d92b81dfce587970c3ad522e67f7aabbcca523c2ce9c871b06eb2d5cc5350863

  • SSDEEP

    6144:H6+/tVm/dXDf5kRHVUUTbPQYO4BevqKe2u4Mw2t10uqVrYT4YezDMloPLbQX:Pnm/BDf58VUUoYTFKe7pbqlYT4YeGA8X

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    mi94

  • Decoy

    Hostnames carried in the extracted config. Formbook beacons to decoy hostnames alongside its real C2 to mask it, so most of these are unrelated, likely legitimate sites and should not be blocklisted on their own.

    realdigitalmarketing.co.uk
    athle91.com
    zetuinteriors.africa
    jewelry2adore.biz
    sneakersuomo.com
    hotcoa.com
    bestpetfinds.com
    elatedfreedom.com
    louisegoulet.com
    licensescape.com
    jenniferfalconerrealtor.com
    xqan.net
    textare.net
    doctorlinkscsk.link
    bizformspro.com
    ameriealthcaritasfl.com
    hanfengmeiye.com
    anjin98.com
    credit-cards-54889.com
    dinero.news

Targets

    • Target

      Ziraat Bankasi Swift Mesaji.exe

    • Size

      295KB

    • MD5

      892c52f192cb1905afbf9f09d8c1bf38

    • SHA1

      623c6e347b5ebb0c788fc0a4bf39e6a6e690b1e9

    • SHA256

      83104e0cf5b8f50ec9724e7a27ba87ef39ecbfd81d4f456d42b7fd06fd9c28e9

    • SHA512

      d5c2587d19fde5c57b21053691501fc1e040305838c1b9fa61a04e229fbe7158d92b81dfce587970c3ad522e67f7aabbcca523c2ce9c871b06eb2d5cc5350863

    • SSDEEP

      6144:H6+/tVm/dXDf5kRHVUUTbPQYO4BevqKe2u4Mw2t10uqVrYT4YezDMloPLbQX:Pnm/BDf58VUUoYTFKe7pbqlYT4YeGA8X

    • Formbook

      Formbook is an information stealer: it hooks browsers and other applications to capture submitted form data and saved credentials, logs keystrokes and clipboard contents, and exfiltrates the harvested data to its command-and-control server.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020; here it is the first stage that delivers the Formbook payload.

    • Formbook payload

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent file, a common way to detect that the sample is running inside a virtualized sandbox.

    • Deletes itself

    • Loads dropped DLL

    • Checks installed software on the system

      Enumerates the Software\Microsoft\Windows\CurrentVersion\Uninstall registry key to list the software installed on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so an attached debugger receives no events for it.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class, hiding an existing thread from an attached debugger.

    • Suspicious use of SetThreadContext

      Rewrites another thread's register context, a step typically used to redirect execution into injected code (process hollowing or similar injection).
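
The signatures above are each a rule over observed API calls. As an added example (not part of the sandbox report or of any sandbox's own code), the following script maps raw API-trace lines to the same signature names, so the reader can see which call fires which signature. The trace lines are constructed for the example, and the "pid api key=value" line format is an assumption rather than any real sandbox's log format.

```python
"""Added example, not part of the sandbox report or of any sandbox's code.

Maps raw API-trace lines to the behavioural signature names listed above, so
the reader can see which observed call is behind each signature. The trace
lines are constructed for this example and the "pid api key=value" line
format is an assumption, not a real sandbox's log format.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed trace: one process (pid 1234) doing the things the report flags,
# plus one benign registry access that must NOT trigger the Uninstall signature.
SAMPLE_TRACE = """\
1234 NtCreateFile path=C:\\Program Files\\Qemu-ga\\qemu-ga.exe
1234 RegOpenKeyExW key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip
1234 RegOpenKeyExW key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Notepad++
1234 NtSetInformationThread class=ThreadHideFromDebugger(0x11) handle=0x1c8
1234 NtCreateThreadEx flags=THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER(0x4) start=0x00401000
1234 SetThreadContext handle=0x2a0
1234 RegOpenKeyExW key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

# Signature name (as the report prints it) -> pattern that fires it.
# THREADINFOCLASS ThreadHideFromDebugger is 0x11; the NtCreateThreadEx flag
# THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER is 0x4.
SIGNATURES: List[tuple] = [
    ("Checks QEMU agent file",
     re.compile(r"qemu-ga", re.IGNORECASE)),
    ("Checks installed software on the system",
     re.compile(r"\\CurrentVersion\\Uninstall\b", re.IGNORECASE)),
    ("Suspicious use of NtCreateThreadExHideFromDebugger",
     re.compile(r"\bNtCreateThreadEx\b.*HIDE_FROM_DEBUGGER")),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     re.compile(r"\bNtSetInformationThread\b.*ThreadHideFromDebugger")),
    ("Suspicious use of SetThreadContext",
     re.compile(r"\bSetThreadContext\b")),
]


def classify(trace: str) -> Dict[str, List[str]]:
    """Return {signature name: [trace lines that fired it]} for one trace."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def signatures_by_pid(trace: str) -> Dict[str, List[str]]:
    """Group fired signature names per pid (first whitespace-separated field)."""
    per_pid: Dict[str, set] = defaultdict(set)
    for name, lines in classify(trace).items():
        for line in lines:
            per_pid[line.split(None, 1)[0]].add(name)
    return {pid: sorted(names) for pid, names in per_pid.items()}


if __name__ == "__main__":
    for name, lines in classify(SAMPLE_TRACE).items():
        print(f"{name} ({len(lines)} line(s))")
        for line in lines:
            print("   ", line)
```

Run stand-alone it prints each fired signature with the lines behind it. The Uninstall pattern anchors on the full `\CurrentVersion\Uninstall` path so that ordinary Run-key or other CurrentVersion accesses do not fire the installed-software signature.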

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic      Technique                       ID      Count
  Execution   Command-Line Interface          T1059   1
  Discovery   Query Registry                  T1012   2
  Discovery   System Information Discovery    T1082   3

Tasks