formbook | 856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

293KB
MD5

7211ccbff4e2557e067609dcbf6839ae
SHA1

0780420e2f12a4cb8e6f3fb717afba2ea7e102e0
SHA256

856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf
SHA512

a546bc8450b220425a3e6a70a6de0df3e98bcb8d7aa2a0dd0d533e72582c852e9a85ee002eb5260e55ac8b9344ab826d7b85de9ebf97ee0248a476c99830c751
SSDEEP

6144:H6+/tV2ye/x3BfF+WL/uVQXXXv+fHLhTySnjprxwPLbQ7:Pn2ye/DMWL2VCv+frh+w9W87

Score

10^/10

formbook guloader mi94 discovery downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi94

Decoy

realdigitalmarketing.co.uk

athle91.com

zetuinteriors.africa

jewelry2adore.biz

sneakersuomo.com

hotcoa.com

bestpetfinds.com

elatedfreedom.com

louisegoulet.com

licensescape.com

jenniferfalconerrealtor.com

xqan.net

textare.net

doctorlinkscsk.link

bizformspro.com

ameriealthcaritasfl.com

hanfengmeiye.com

anjin98.com

credit-cards-54889.com

dinero.news

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4948-168-0x0000000000400000-0x0000000001654000-memory.dmp	formbook
behavioral2/memory/4948-177-0x0000000000400000-0x0000000001654000-memory.dmp	formbook
behavioral2/memory/3968-180-0x0000000000190000-0x00000000001BF000-memory.dmp	formbook
behavioral2/memory/3968-199-0x0000000000190000-0x00000000001BF000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Ziraat Bankasi Swift Mesaji.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Ziraat Bankasi Swift Mesaji.exe

Loads dropped DLL 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

pid process

4808 Ziraat Bankasi Swift Mesaji.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

pid process

4948 Ziraat Bankasi Swift Mesaji.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exe

pid process

4808 Ziraat Bankasi Swift Mesaji.exe
4948 Ziraat Bankasi Swift Mesaji.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.execontrol.exe

description	pid	process	target process
PID 4808 set thread context of 4948	4808	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 4948 set thread context of 732	4948	Ziraat Bankasi Swift Mesaji.exe	Explorer.EXE
PID 3968 set thread context of 732	3968	control.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

description ioc process

File opened for modification C:\Windows\Undualize\Stjdelenes73\Hattiesburg.Coh Ziraat Bankasi Swift Mesaji.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Undualize\Stjdelenes73\Hattiesburg.Coh	Ziraat Bankasi Swift Mesaji.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.execontrol.exe

pid	process
4948	Ziraat Bankasi Swift Mesaji.exe
4948	Ziraat Bankasi Swift Mesaji.exe
4948	Ziraat Bankasi Swift Mesaji.exe
4948	Ziraat Bankasi Swift Mesaji.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe
3968	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

732 Explorer.EXE

pid	process
732	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.execontrol.exe

pid	process
4808	Ziraat Bankasi Swift Mesaji.exe
4948	Ziraat Bankasi Swift Mesaji.exe
4948	Ziraat Bankasi Swift Mesaji.exe
4948	Ziraat Bankasi Swift Mesaji.exe
3968	control.exe
3968	control.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4948	Ziraat Bankasi Swift Mesaji.exe
Token: SeDebugPrivilege	3968	control.exe
Token: SeShutdownPrivilege	732	Explorer.EXE
Token: SeCreatePagefilePrivilege	732	Explorer.EXE
Token: SeShutdownPrivilege	732	Explorer.EXE
Token: SeCreatePagefilePrivilege	732	Explorer.EXE
Token: SeShutdownPrivilege	732	Explorer.EXE
Token: SeCreatePagefilePrivilege	732	Explorer.EXE
Token: SeShutdownPrivilege	732	Explorer.EXE
Token: SeCreatePagefilePrivilege	732	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 4808 wrote to memory of 4948	4808	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 4808 wrote to memory of 4948	4808	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 4808 wrote to memory of 4948	4808	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 4808 wrote to memory of 4948	4808	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 732 wrote to memory of 3968	732	Explorer.EXE	control.exe
PID 732 wrote to memory of 3968	732	Explorer.EXE	control.exe
PID 732 wrote to memory of 3968	732	Explorer.EXE	control.exe
PID 3968 wrote to memory of 1668	3968	control.exe	cmd.exe
PID 3968 wrote to memory of 1668	3968	control.exe	cmd.exe
PID 3968 wrote to memory of 1668	3968	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
3⤵
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy76AD.tmp\System.dll
Filesize
11KB

MD5
e23600029d1b09bdb1d422fb4e46f5a6

SHA1
5d64a2f6a257a98a689a3db9a087a0fd5f180096

SHA256
7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38

SHA512
c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

Download Submit
C:\Users\Admin\AppData\Roaming\DORME.ini
Filesize
31B

MD5
3000f7f0f12b7139ea28160c52098e25

SHA1
9d032395f38d341881019b996e591160d542054b

SHA256
467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1

SHA512
a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

Download Submit
memory/732-212-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-213-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-227-0x00000000010A0000-0x00000000010A2000-memory.dmp

Filesize
8KB

Download
memory/732-224-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-193-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-223-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-222-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-221-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-220-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-173-0x0000000009440000-0x00000000095C1000-memory.dmp

Filesize
1.5MB

Download
memory/732-219-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-218-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-217-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-216-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-215-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-214-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-182-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-183-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-184-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-186-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-185-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-187-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-191-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-189-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-190-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-192-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-188-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-225-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-205-0x0000000008CC0000-0x0000000008E1E000-memory.dmp

Filesize
1.4MB

Download
memory/732-194-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-195-0x0000000007850000-0x0000000007860000-memory.dmp

Filesize
64KB

Download
memory/732-197-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-198-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-211-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-210-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/732-202-0x0000000008CC0000-0x0000000008E1E000-memory.dmp

Filesize
1.4MB

Download
memory/732-204-0x0000000008CC0000-0x0000000008E1E000-memory.dmp

Filesize
1.4MB

Download
memory/732-196-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/3968-199-0x0000000000190000-0x00000000001BF000-memory.dmp

Filesize
188KB

Download
memory/3968-181-0x00000000023C0000-0x000000000270A000-memory.dmp

Filesize
3.3MB

Download
memory/3968-201-0x0000000000CA0000-0x0000000000D34000-memory.dmp

Filesize
592KB

Download
memory/3968-176-0x0000000000F80000-0x0000000000FA7000-memory.dmp

Filesize
156KB

Download
memory/3968-174-0x0000000000F80000-0x0000000000FA7000-memory.dmp

Filesize
156KB

Download
memory/3968-180-0x0000000000190000-0x00000000001BF000-memory.dmp

Filesize
188KB

Download
memory/4808-164-0x0000000004620000-0x0000000007133000-memory.dmp

Filesize
43.1MB

Download
memory/4808-165-0x0000000004620000-0x0000000007133000-memory.dmp

Filesize
43.1MB

Download
memory/4948-177-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4948-172-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/4948-166-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4948-171-0x00000000345C0000-0x000000003490A000-memory.dmp

Filesize
3.3MB

Download
memory/4948-170-0x0000000001660000-0x0000000004173000-memory.dmp

Filesize
43.1MB

Download
memory/4948-168-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4948-169-0x0000000001660000-0x0000000004173000-memory.dmp

Filesize
43.1MB

Download
memory/4948-167-0x0000000001660000-0x0000000004173000-memory.dmp

Filesize
43.1MB

Download
memory/4948-175-0x0000000001660000-0x0000000004173000-memory.dmp

Filesize
43.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads