formbook | 856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

293KB
MD5

7211ccbff4e2557e067609dcbf6839ae
SHA1

0780420e2f12a4cb8e6f3fb717afba2ea7e102e0
SHA256

856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf
SHA512

a546bc8450b220425a3e6a70a6de0df3e98bcb8d7aa2a0dd0d533e72582c852e9a85ee002eb5260e55ac8b9344ab826d7b85de9ebf97ee0248a476c99830c751
SSDEEP

6144:H6+/tV2ye/x3BfF+WL/uVQXXXv+fHLhTySnjprxwPLbQ7:Pn2ye/DMWL2VCv+frh+w9W87

Score

10^/10

formbook guloader mi94 discovery downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi94

Decoy

realdigitalmarketing.co.uk

athle91.com

zetuinteriors.africa

jewelry2adore.biz

sneakersuomo.com

hotcoa.com

bestpetfinds.com

elatedfreedom.com

louisegoulet.com

licensescape.com

jenniferfalconerrealtor.com

xqan.net

textare.net

doctorlinkscsk.link

bizformspro.com

ameriealthcaritasfl.com

hanfengmeiye.com

anjin98.com

credit-cards-54889.com

dinero.news

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/692-92-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/692-96-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/692-104-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/1808-111-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1808-113-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Ziraat Bankasi Swift Mesaji.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Ziraat Bankasi Swift Mesaji.exe

Loads dropped DLL 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

pid process

316 Ziraat Bankasi Swift Mesaji.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

pid process

692 Ziraat Bankasi Swift Mesaji.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exe

pid process

316 Ziraat Bankasi Swift Mesaji.exe
692 Ziraat Bankasi Swift Mesaji.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exehelp.exe

description	pid	process	target process
PID 316 set thread context of 692	316	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 692 set thread context of 1220	692	Ziraat Bankasi Swift Mesaji.exe	Explorer.EXE
PID 692 set thread context of 1220	692	Ziraat Bankasi Swift Mesaji.exe	Explorer.EXE
PID 1808 set thread context of 1220	1808	help.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

description ioc process

File opened for modification C:\Windows\Undualize\Stjdelenes73\Hattiesburg.Coh Ziraat Bankasi Swift Mesaji.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Undualize\Stjdelenes73\Hattiesburg.Coh	Ziraat Bankasi Swift Mesaji.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exehelp.exe

pid	process
692	Ziraat Bankasi Swift Mesaji.exe
692	Ziraat Bankasi Swift Mesaji.exe
692	Ziraat Bankasi Swift Mesaji.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe
1808	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE

pid	process
1220	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exehelp.exe

pid	process
316	Ziraat Bankasi Swift Mesaji.exe
692	Ziraat Bankasi Swift Mesaji.exe
692	Ziraat Bankasi Swift Mesaji.exe
692	Ziraat Bankasi Swift Mesaji.exe
692	Ziraat Bankasi Swift Mesaji.exe
1808	help.exe
1808	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeExplorer.EXEhelp.exe

description	pid	process
Token: SeDebugPrivilege	692	Ziraat Bankasi Swift Mesaji.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeDebugPrivilege	1808	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exehelp.exe

description	pid	process	target process
PID 316 wrote to memory of 692	316	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 316 wrote to memory of 692	316	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 316 wrote to memory of 692	316	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 316 wrote to memory of 692	316	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 316 wrote to memory of 692	316	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 692 wrote to memory of 1808	692	Ziraat Bankasi Swift Mesaji.exe	help.exe
PID 692 wrote to memory of 1808	692	Ziraat Bankasi Swift Mesaji.exe	help.exe
PID 692 wrote to memory of 1808	692	Ziraat Bankasi Swift Mesaji.exe	help.exe
PID 692 wrote to memory of 1808	692	Ziraat Bankasi Swift Mesaji.exe	help.exe
PID 1808 wrote to memory of 528	1808	help.exe	cmd.exe
PID 1808 wrote to memory of 528	1808	help.exe	cmd.exe
PID 1808 wrote to memory of 528	1808	help.exe	cmd.exe
PID 1808 wrote to memory of 528	1808	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1220

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
5⤵
PID:528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DORME.ini
Filesize
31B

MD5
3000f7f0f12b7139ea28160c52098e25

SHA1
9d032395f38d341881019b996e591160d542054b

SHA256
467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1

SHA512
a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

Download Submit
\Users\Admin\AppData\Local\Temp\nsi253.tmp\System.dll
Filesize
11KB

MD5
e23600029d1b09bdb1d422fb4e46f5a6

SHA1
5d64a2f6a257a98a689a3db9a087a0fd5f180096

SHA256
7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38

SHA512
c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

Download Submit
memory/316-86-0x0000000003400000-0x0000000005F13000-memory.dmp

Filesize
43.1MB

Download
memory/316-87-0x0000000003400000-0x0000000005F13000-memory.dmp

Filesize
43.1MB

Download
memory/692-94-0x0000000001470000-0x0000000003F83000-memory.dmp

Filesize
43.1MB

Download
memory/692-89-0x0000000001470000-0x0000000003F83000-memory.dmp

Filesize
43.1MB

Download
memory/692-90-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/692-92-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/692-104-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/692-93-0x0000000001470000-0x0000000003F83000-memory.dmp

Filesize
43.1MB

Download
memory/692-96-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/692-99-0x0000000033DC0000-0x0000000033DD5000-memory.dmp

Filesize
84KB

Download
memory/692-98-0x0000000034220000-0x0000000034523000-memory.dmp

Filesize
3.0MB

Download
memory/692-107-0x0000000001470000-0x0000000003F83000-memory.dmp

Filesize
43.1MB

Download
memory/692-88-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/692-102-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1220-101-0x0000000002D20000-0x0000000002E20000-memory.dmp

Filesize
1024KB

Download
memory/1220-103-0x00000000062E0000-0x0000000006470000-memory.dmp

Filesize
1.6MB

Download
memory/1220-100-0x0000000006010000-0x0000000006194000-memory.dmp

Filesize
1.5MB

Download
memory/1220-114-0x00000000062E0000-0x0000000006470000-memory.dmp

Filesize
1.6MB

Download
memory/1220-117-0x0000000006470000-0x00000000065CF000-memory.dmp

Filesize
1.4MB

Download
memory/1220-118-0x0000000006470000-0x00000000065CF000-memory.dmp

Filesize
1.4MB

Download
memory/1220-120-0x0000000006470000-0x00000000065CF000-memory.dmp

Filesize
1.4MB

Download
memory/1808-106-0x0000000000F60000-0x0000000000F66000-memory.dmp

Filesize
24KB

Download
memory/1808-108-0x0000000000F60000-0x0000000000F66000-memory.dmp

Filesize
24KB

Download
memory/1808-111-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1808-112-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1808-113-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1808-116-0x0000000000640000-0x00000000006D4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads