Edit tour

Windows Analysis Report
Ziraat Bankasi Swift Mesaji20221129-34221.exe

Overview

General Information

Sample Name:	Ziraat Bankasi Swift Mesaji20221129-34221.exe
Analysis ID:	755920
MD5:	6a0ff43510923c27b144bf86b5e0a867
SHA1:	880c264f12ea2175a81f7030dec9c7043093253f
SHA256:	52426e75e25f69d9d7a8121464fe16a213ab48519ae10b2e2fc028ce86794a8b
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

Deletes itself after installation

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Ziraat Bankasi Swift Mesaji20221129-34221.exe (PID: 3176 cmdline: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji20221129-34221.exe MD5: 6A0FF43510923C27B144BF86B5E0A867)

Ziraat Bankasi Swift Mesaji20221129-34221.exe (PID: 5152 cmdline: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji20221129-34221.exe MD5: 6A0FF43510923C27B144BF86B5E0A867)

Ziraat Bankasi Swift Mesaji20221129-34221.exe (PID: 1308 cmdline: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji20221129-34221.exe MD5: 6A0FF43510923C27B144BF86B5E0A867)

explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

systray.exe (PID: 1312 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.erwgcb.top/qmpa/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.560048415.0000000000820000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.560048415.0000000000820000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.560048415.0000000000820000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.560048415.0000000000820000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.559572185.00000000003C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.559572185.00000000003C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.559572185.00000000003C0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.559572185.00000000003C0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.450620046.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.450620046.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d48:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f777:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xafe6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1851e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.450620046.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1831c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17dc8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1841e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18596:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xabb1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17013:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e4ee:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f4e1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.450620046.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a7f0:$sqlite3step: 68 34 1C 7B E1 0x1b368:$sqlite3step: 68 34 1C 7B E1 0x1a832:$sqlite3text: 68 38 2A 90 C5 0x1b3ad:$sqlite3text: 68 38 2A 90 C5 0x1a849:$sqlite3blob: 68 53 D8 7F 8C 0x1b3c3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.451409709.0000000001150000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.562531717.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.562531717.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.562531717.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.562531717.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0b9:$sqlite3step: 68 34 1C 7B E1 0x1ac31:$sqlite3step: 68 34 1C 7B E1 0x1a0fb:$sqlite3text: 68 38 2A 90 C5 0x1ac76:$sqlite3text: 68 38 2A 90 C5 0x1a112:$sqlite3blob: 68 53 D8 7F 8C 0x1ac8c:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.413620011.000000000DEDE000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.413620011.000000000DEDE000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000000.413620011.000000000DEDE000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x78dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xedb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfdaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.413620011.000000000DEDE000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb0b9:$sqlite3step: 68 34 1C 7B E1 0xbc31:$sqlite3step: 68 34 1C 7B E1 0xb0fb:$sqlite3text: 68 38 2A 90 C5 0xbc76:$sqlite3text: 68 38 2A 90 C5 0xb112:$sqlite3blob: 68 53 D8 7F 8C 0xbc8c:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.331328236.0000000003337000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000000.388632949.000000000DEDE000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.388632949.000000000DEDE000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000000.388632949.000000000DEDE000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x78dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xedb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfdaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.388632949.000000000DEDE000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb0b9:$sqlite3step: 68 34 1C 7B E1 0xbc31:$sqlite3step: 68 34 1C 7B E1 0xb0fb:$sqlite3text: 68 38 2A 90 C5 0xbc76:$sqlite3text: 68 38 2A 90 C5 0xb112:$sqlite3blob: 68 53 D8 7F 8C 0xbc8c:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.329721340.0000000003121000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji20221129-34221.exe PID: 3176	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji20221129-34221.exe PID: 1308	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x60234:$a1: 3C 30 50 4F 53 54 74 09 40 0x8c178:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: systray.exe PID: 1312	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x13413:$a1: 3C 30 50 4F 53 54 74 09 40 0xde3aa:$a1: 3C 30 50 4F 53 54 74 09 40 0xe2492:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Ziraat Bankasi Swift Mesaji20221129-34221.exe.31854c4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
2.2.Ziraat Bankasi Swift Mesaji20221129-34221.exe.31854c4.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xa79e:$v1: SbieDll.dll 0xa7b8:$v2: USER 0xa7c4:$v3: SANDBOX 0xa7d6:$v4: VIRUS 0xa826:$v4: VIRUS 0xa7e4:$v5: MALWARE 0xa7f6:$v6: SCHMIDTI 0xa80a:$v7: CURRENTUSER
2.2.Ziraat Bankasi Swift Mesaji20221129-34221.exe.3169a9c.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
2.2.Ziraat Bankasi Swift Mesaji20221129-34221.exe.3169a9c.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x261c6:$v1: SbieDll.dll 0x261e0:$v2: USER 0x261ec:$v3: SANDBOX 0x261fe:$v4: VIRUS 0x2624e:$v4: VIRUS 0x2620c:$v5: MALWARE 0x2621e:$v6: SCHMIDTI 0x26232:$v7: CURRENTUSER

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Ziraat Bankasi Swift Mesaji20221129-34221.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat Bankasi Swift Mesaji20221129-34221.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Windows Analysis Report
Ziraat Bankasi Swift Mesaji20221129-34221.exe