General

  • Target

    Ziraat Bankasi Swift Mesaji_pdf.exe

  • Size

    360KB

  • Sample

    230417-k72qxadf44

  • MD5

    129fc428eedcc54b06becf3c5cda4e72

  • SHA1

    a312b86be1d712ce3ba5156327e273dc47f48959

  • SHA256

    89e2a77118c2c57d2eb0c1e92a3aa305b759529e38a6879b42b2e2f15a76843c

  • SHA512

    22a92a6ad8eadb98fcbec57cfda3860cee0e2911da926d5b82b04867a76cac3b9be5f916126313079d08bfdf383b898289db920359f628a26e4b06d55603354a

  • SSDEEP

    6144:NT5UzmMBom8YX6xf85dhVD6DVM5RDo7Q8Df/AaORv/g45hpWDkUv5ZHIAim8HaX:NT5j3mgZ6hVz9OQ8DgHfpOkUv5ZHIZ9F

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi94

Decoy

realdigitalmarketing.co.uk

athle91.com

zetuinteriors.africa

jewelry2adore.biz

sneakersuomo.com

hotcoa.com

bestpetfinds.com

elatedfreedom.com

louisegoulet.com

licensescape.com

jenniferfalconerrealtor.com

xqan.net

textare.net

doctorlinkscsk.link

bizformspro.com

ameriealthcaritasfl.com

hanfengmeiye.com

anjin98.com

credit-cards-54889.com

dinero.news

Targets

    • Target

      Ziraat Bankasi Swift Mesaji_pdf.exe

    • Size

      360KB

    • MD5

      129fc428eedcc54b06becf3c5cda4e72

    • SHA1

      a312b86be1d712ce3ba5156327e273dc47f48959

    • SHA256

      89e2a77118c2c57d2eb0c1e92a3aa305b759529e38a6879b42b2e2f15a76843c

    • SHA512

      22a92a6ad8eadb98fcbec57cfda3860cee0e2911da926d5b82b04867a76cac3b9be5f916126313079d08bfdf383b898289db920359f628a26e4b06d55603354a

    • SSDEEP

      6144:NT5UzmMBom8YX6xf85dhVD6DVM5RDo7Q8Df/AaORv/g45hpWDkUv5ZHIAim8HaX:NT5j3mgZ6hVz9OQ8DgHfpOkUv5ZHIZ9F

    • Formbook

Formbook is an information stealer sold as malware-as-a-service since 2016. It logs keystrokes, grabs data from web forms and the clipboard, harvests saved browser and mail-client credentials, and takes screenshots; the stolen data is posted to a C2 server whose domain is hidden among the decoy domains in the extracted config.

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so the new thread generates no debug events; an anti-debugging measure.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops exceptions and debug events from that thread being delivered to an attached debugger, so breakpoints placed in it take the process down instead of breaking in.

    • Suspicious use of SetThreadContext

      Rewrites another thread's register state to redirect execution into attacker-controlled code; a common step in process hollowing and thread hijacking.
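The decoy list under "Malware Config" and the signature list above are the parts of this report that a responder actually hunts on. The script below is an added example, not part of the report or of the Triage sandbox output: it embeds the sample hash and config domains copied from the report, runs them over constructed DNS, registry and process events in an assumed "<timestamp> <source host> <event> key=value..." format, and scores each host. The design point is that a Formbook config contains mostly decoy domains, several of them legitimate sites, so a single DNS hit is weak evidence on its own; a host resolving several config domains in a short window, or running the sample hash, is the strong signal. The Uninstall-key check corresponds to the "Checks installed software" signature.

```python
"""Hunting helper for the Formbook 4.1 / mi94 sample described above.

Added example: the indicators are copied from the report; the log format,
the log lines and the scoring thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Indicators copied from the report above.
SAMPLE_SHA256 = "89e2a77118c2c57d2eb0c1e92a3aa305b759529e38a6879b42b2e2f15a76843c"
CONFIG_DOMAINS = frozenset({
    "realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa",
    "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com",
    "elatedfreedom.com", "louisegoulet.com", "licensescape.com",
    "jenniferfalconerrealtor.com", "xqan.net", "textare.net",
    "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com",
    "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news",
})
# Registry path the "Checks installed software" signature refers to.
UNINSTALL_KEY = r"\microsoft\windows\currentversion\uninstall"

# Constructed events in an assumed "<ts> <src> <event> k=v ..." format.
SAMPLE_LOG = """\
2023-04-17T10:02:05Z 10.0.0.15 proc sha256=89e2a77118c2c57d2eb0c1e92a3aa305b759529e38a6879b42b2e2f15a76843c image=Ziraat_Bankasi_Swift_Mesaji_pdf.exe
2023-04-17T10:02:07Z 10.0.0.15 reg pid=4120 key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip
2023-04-17T10:02:08Z 10.0.0.15 reg pid=4120 key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GoogleChrome
2023-04-17T10:02:11Z 10.0.0.15 dns qname=realdigitalmarketing.co.uk
2023-04-17T10:02:12Z 10.0.0.15 dns qname=www.hotcoa.com
2023-04-17T10:02:13Z 10.0.0.15 dns qname=athle91.com
2023-04-17T10:02:14Z 10.0.0.15 dns qname=bizformspro.com
2023-04-17T10:03:01Z 10.0.0.22 dns qname=sneakersuomo.com
2023-04-17T10:03:05Z 10.0.0.22 dns qname=example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\w+) (?P<rest>.*)$")


@dataclass
class Finding:
    src: str
    confidence: str            # "low", "medium" or "high"
    domains: list = field(default_factory=list)   # matched config domains
    uninstall_queries: int = 0                    # Uninstall-key reads seen
    hash_hits: list = field(default_factory=list) # images with sample hash


def config_domain_for(qname):
    """Return the config domain that qname equals or is a subdomain of."""
    host = qname.rstrip(".").lower()
    for d in CONFIG_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    return m.group("ts"), m.group("src"), m.group("event"), fields


def hunt(log_text, min_distinct=3):
    """Score every source host; returns {src: Finding}."""
    dns, reg, hashes = defaultdict(set), defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, event, f = rec
        if event == "dns":
            d = config_domain_for(f.get("qname", ""))
            if d:
                dns[src].add(d)
        elif event == "reg" and UNINSTALL_KEY in f.get("key", "").lower():
            reg[src] += 1
        elif event == "proc" and f.get("sha256", "").lower() == SAMPLE_SHA256:
            hashes[src].append(f.get("image", "?"))

    findings = {}
    for src in set(dns) | set(reg) | set(hashes):
        n = len(dns.get(src, ()))
        if hashes.get(src) or n >= min_distinct:
            conf = "high"      # sample ran, or beaconing across the config
        elif n and reg.get(src):
            conf = "medium"    # one or two decoys plus software enumeration
        else:
            conf = "low"       # a lone decoy hit may be a legitimate visit
        findings[src] = Finding(src, conf, sorted(dns.get(src, ())),
                                reg.get(src, 0), hashes.get(src, []))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG).values():
        print(f)
```

Feed it your own DNS and EDR exports by adapting `parse_line`; the thresholds and the three-level scoring are starting points, not tuned values.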
