Windows Analysis Report
Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Sample name: Ziraat Bankasi Swift Mesaji.exe
Analysis ID: 1520404
MD5: 676813934849b161d6dfd5062536318f
SHA1: de400cd5edbf8cb741691f13c338744842c0f1a2
SHA256: 7ef09922582a622f7333d2987d63efc14ecc000a51e160b808dd9520c31f771c
Tags: exe, geo, SnakeKeylogger, TUR, ZiraatBank, user-abuse_ch

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7793181644:AAGZi9EwhHz_7_W-P3o6zCi0LNG3DYUolRk/sendMessage?chat_id=1645099110", "Username": "selcukacar@emmioglu.com", "Password": "Kaya2758+", "Host": "mail.emmioglu.com", "Port": "587", "Token": "7793181644:AAGZi9EwhHz_7_W-P3o6zCi0LNG3DYUolRk", "Chat_id": "1645099110", "Version": "5.1"}
Source: Ziraat Bankasi Swift Mesaji.exe ReversingLabs: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Ziraat Bankasi Swift Mesaji.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49709 version: TLS 1.0
Source: Ziraat Bankasi Swift Mesaji.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3810794744.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3812928144.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Yara match File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 193.122.130.0
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49712 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49706 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49718 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49710 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49727 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49713 -> 188.114.97.3:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org

System Summary

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2920138.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.3812510312.0000000004C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process Stats: CPU usage > 49%
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3810794744.00000000028CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3810794744.00000000028CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000000.1342791028.000000000024A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOvin.exe* vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3812510312.0000000004C90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3809277636.000000000089E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3812928144.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3808802102.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe Binary or memory string: OriginalFilenameOvin.exe* vs Ziraat Bankasi Swift Mesaji.exe
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2920138.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.3812510312.0000000004C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, O--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, O--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, O--.cs Base64 encoded string: 'k3oxk6CnehHQeJsaKyNHWq+Wi6Dswd1zBFznyEpUHzGcTtzZgG+f0Q5rHT/7QLQ8'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, O--.cs Base64 encoded string: 'k3oxk6CnehHQeJsaKyNHWq+Wi6Dswd1zBFznyEpUHzGcTtzZgG+f0Q5rHT/7QLQ8'
Source: Ziraat Bankasi Swift Mesaji.exe Binary or memory string: .vbproj
Source: Ziraat Bankasi Swift Mesaji.exe Binary or memory string: .csprojC Exception while reading XmlDoc:
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/2
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Mutant created: NULL
Source: Ziraat Bankasi Swift Mesaji.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ziraat Bankasi Swift Mesaji.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3811557580.0000000003AFD000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Ziraat Bankasi Swift Mesaji.exe ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Ziraat Bankasi Swift Mesaji.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Ziraat Bankasi Swift Mesaji.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3810794744.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3812928144.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp
Source: Ziraat Bankasi Swift Mesaji.exe Static PE information: 0xCB1891CC [Wed Dec 22 07:50:36 2077 UTC]
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Code function: 0_2_04C69541 push ss; mov dword ptr [esp], 5504BE7Fh 0_2_04C6954A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Code function: 0_2_04C643A0 pushfd ; ret 0_2_04C643A1
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Code function: 0_2_04C65372 push eax; retf 0_2_04C65379
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Code function: 0_2_04C63AB7 push ebx; retf 0_2_04C63ADA
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Code function: 2_2_04F8AC28 push eax; retf 2_2_04F8AC2A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Code function: 2_2_04F82E78 push esp; iretd 2_2_04F82E79
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Code function: 2_2_04F8ABF6 push eax; retf 2_2_04F8AC2A
Source: Ziraat Bankasi Swift Mesaji.exe Static PE information: section name: .text entropy: 7.368072547253828
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory allocated: 870000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory allocated: C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory allocated: 10F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599343
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599234
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599125
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599015
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598906
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598795
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598687
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598578
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598468
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598359
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598250
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598140
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598031
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597922
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597812
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597703
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597593
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597484
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597375
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597265
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597156
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597032
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596797
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596687
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596578
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596468
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596359
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596250
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596140
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596031
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595921
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595812
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595702
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595593
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595484
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595375
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595265
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595156
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595047
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 594937
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 594828
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 594719
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 594609
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Window / User API: threadDelayed 8592
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Window / User API: threadDelayed 1270
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7208 Thread sleep count: 8592 > 30
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7208 Thread sleep count: 1270 > 30
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598795s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -598031s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597922s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597703s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597375s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -597032s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596906s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596797s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596359s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -596031s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595921s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595812s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595702s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595593s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595484s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595375s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -595047s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204 Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598795 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 597032 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596797 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596468 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596140 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595921 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595702 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595593 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595484 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595375 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595265 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595156 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 595047 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 594937 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread delayed: delay time: 594609 Jump to behavior
Source: Ziraat Bankasi Swift Mesaji.exe Binary or memory string: Mono.Debugger.Soft.VirtualMachineManager+<ConnectInternalAsync>d__1, Ovin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
Source: Ziraat Bankasi Swift Mesaji.exe Binary or memory string: SetVirtualMachine
Source: Ziraat Bankasi Swift Mesaji.exe Binary or memory string: get_VirtualMachine
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3809393478.0000000000C77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory written: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3810115705.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3810115705.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR