Edit tour

Windows Analysis Report
Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Sample name:	Ziraat Bankasi Swift Mesaji.exe
Analysis ID:	1520404
MD5:	676813934849b161d6dfd5062536318f
SHA1:	de400cd5edbf8cb741691f13c338744842c0f1a2
SHA256:	7ef09922582a622f7333d2987d63efc14ecc000a51e160b808dd9520c31f771c
Tags:	exegeoSnakeKeyloggerTURZiraatBankuser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ziraat Bankasi Swift Mesaji.exe (PID: 1432 cmdline: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: 676813934849B161D6DFD5062536318F)

Ziraat Bankasi Swift Mesaji.exe (PID: 3884 cmdline: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: 676813934849B161D6DFD5062536318F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7793181644:AAGZi9EwhHz_7_W-P3o6zCi0LNG3DYUolRk/sendMessage?chat_id=1645099110", "Username": "selcukacar@emmioglu.com", "Password": "Kaya2758+", "Host": "mail.emmioglu.com", "Port": "587", "Token": "7793181644:AAGZi9EwhHz_7_W-P3o6zCi0LNG3DYUolRk", "Chat_id": "1645099110", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3812510312.0000000004C90000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148c9:$a1: get_encryptedPassword 0x14bb5:$a2: get_encryptedUsername 0x146d5:$a3: get_timePasswordChanged 0x147d0:$a4: get_passwordField 0x148df:$a5: set_encryptedPassword 0x15f4a:$a7: get_logins 0x15ead:$a10: KeyLoggerEventArgs 0x15b18:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19958:$x1: $%SMTPDV$ 0x1826c:$x2: $#TheHashHere%& 0x19900:$x3: %FTPDV$ 0x1820c:$x4: $%TelegramDv$ 0x15b18:$x5: KeyLoggerEventArgs 0x15ead:$x5: KeyLoggerEventArgs 0x19924:$m2: Clipboard Logs ID 0x19b62:$m2: Screenshot Logs ID 0x19c72:$m2: keystroke Logs ID 0x19f4c:$m3: SnakePW 0x19b3a:$m4: \SnakeKeylogger\
00000002.00000002.3810115705.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf40d9:$a1: get_encryptedPassword 0x114d09:$a1: get_encryptedPassword 0x135729:$a1: get_encryptedPassword 0xf43c5:$a2: get_encryptedUsername 0x114ff5:$a2: get_encryptedUsername 0x135a15:$a2: get_encryptedUsername 0xf3ee5:$a3: get_timePasswordChanged 0x114b15:$a3: get_timePasswordChanged 0x135535:$a3: get_timePasswordChanged 0xf3fe0:$a4: get_passwordField 0x114c10:$a4: get_passwordField 0x135630:$a4: get_passwordField 0xf40ef:$a5: set_encryptedPassword 0x114d1f:$a5: set_encryptedPassword 0x13573f:$a5: set_encryptedPassword 0xf575a:$a7: get_logins 0x11638a:$a7: get_logins 0x136daa:$a7: get_logins 0xf56bd:$a10: KeyLoggerEventArgs 0x1162ed:$a10: KeyLoggerEventArgs 0x136d0d:$a10: KeyLoggerEventArgs
00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf9168:$x1: $%SMTPDV$ 0x119d98:$x1: $%SMTPDV$ 0x13a7b8:$x1: $%SMTPDV$ 0xf7a7c:$x2: $#TheHashHere%& 0x1186ac:$x2: $#TheHashHere%& 0x1390cc:$x2: $#TheHashHere%& 0xf9110:$x3: %FTPDV$ 0x119d40:$x3: %FTPDV$ 0x13a760:$x3: %FTPDV$ 0xf7a1c:$x4: $%TelegramDv$ 0x11864c:$x4: $%TelegramDv$ 0x13906c:$x4: $%TelegramDv$ 0xf5328:$x5: KeyLoggerEventArgs 0xf56bd:$x5: KeyLoggerEventArgs 0x115f58:$x5: KeyLoggerEventArgs 0x1162ed:$x5: KeyLoggerEventArgs 0x136978:$x5: KeyLoggerEventArgs 0x136d0d:$x5: KeyLoggerEventArgs 0xf9134:$m2: Clipboard Logs ID 0xf9372:$m2: Screenshot Logs ID 0xf9482:$m2: keystroke Logs ID
00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x984aa:$a1: get_encryptedPassword 0x986f5:$a2: get_encryptedUsername 0x982d9:$a3: get_timePasswordChanged 0x983bb:$a4: get_passwordField 0x984c0:$a5: set_encryptedPassword 0x9a38f:$a7: get_logins 0x9a310:$a10: KeyLoggerEventArgs 0x9a07e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x9a07e:$x5: KeyLoggerEventArgs 0x9a310:$x5: KeyLoggerEventArgs 0x9a888:$x5: KeyLoggerEventArgs 0x9abe9:$x5: KeyLoggerEventArgs 0x9c461:$m2: Clipboard Logs ID 0x9c567:$m2: Screenshot Logs ID 0x9c5bd:$m2: keystroke Logs ID 0x9c6f2:$m3: SnakePW 0x9c553:$m4: \SnakeKeylogger\
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ffa4:$a1: get_encryptedPassword 0x20286:$a2: get_encryptedUsername 0x1fdba:$a3: get_timePasswordChanged 0x1feb5:$a4: get_passwordField 0x1ffba:$a5: set_encryptedPassword 0x22490:$a7: get_logins 0x223f3:$a10: KeyLoggerEventArgs 0x2205e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2205e:$x5: KeyLoggerEventArgs 0x223f3:$x5: KeyLoggerEventArgs 0x229c9:$x5: KeyLoggerEventArgs 0x22d2a:$x5: KeyLoggerEventArgs 0x2468f:$m2: Clipboard Logs ID 0x24795:$m2: Screenshot Logs ID 0x247eb:$m2: keystroke Logs ID 0x24920:$m3: SnakePW 0x24781:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cc9:$a1: get_encryptedPassword 0x12fb5:$a2: get_encryptedUsername 0x12ad5:$a3: get_timePasswordChanged 0x12bd0:$a4: get_passwordField 0x12cdf:$a5: set_encryptedPassword 0x1434a:$a7: get_logins 0x142ad:$a10: KeyLoggerEventArgs 0x13f18:$a11: KeyLoggerEventArgsEventHandler
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a70e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19940:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d73:$a4: \Orbitum\User Data\Default\Login Data 0x1adb2:$a5: \Kometa\User Data\Default\Login Data
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13899:$s1: UnHook 0x138a0:$s2: SetHook 0x138a8:$s3: CallNextHook 0x138b5:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d58:$x1: $%SMTPDV$ 0x1666c:$x2: $#TheHashHere%& 0x17d00:$x3: %FTPDV$ 0x1660c:$x4: $%TelegramDv$ 0x13f18:$x5: KeyLoggerEventArgs 0x142ad:$x5: KeyLoggerEventArgs 0x17d24:$m2: Clipboard Logs ID 0x17f62:$m2: Screenshot Logs ID 0x18072:$m2: keystroke Logs ID 0x1834c:$m3: SnakePW 0x17f3a:$m4: \SnakeKeylogger\
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ac9:$a1: get_encryptedPassword 0x14db5:$a2: get_encryptedUsername 0x148d5:$a3: get_timePasswordChanged 0x149d0:$a4: get_passwordField 0x14adf:$a5: set_encryptedPassword 0x1614a:$a7: get_logins 0x160ad:$a10: KeyLoggerEventArgs 0x15d18:$a11: KeyLoggerEventArgsEventHandler
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b740:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb73:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb2:$a5: \Kometa\User Data\Default\Login Data
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15699:$s1: UnHook 0x156a0:$s2: SetHook 0x156a8:$s3: CallNextHook 0x156b5:$s4: _hook
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b58:$x1: $%SMTPDV$ 0x1846c:$x2: $#TheHashHere%& 0x19b00:$x3: %FTPDV$ 0x1840c:$x4: $%TelegramDv$ 0x15d18:$x5: KeyLoggerEventArgs 0x160ad:$x5: KeyLoggerEventArgs 0x19b24:$m2: Clipboard Logs ID 0x19d62:$m2: Screenshot Logs ID 0x19e72:$m2: keystroke Logs ID 0x1a14c:$m3: SnakePW 0x19d3a:$m4: \SnakeKeylogger\
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cc9:$a1: get_encryptedPassword 0x12fb5:$a2: get_encryptedUsername 0x12ad5:$a3: get_timePasswordChanged 0x12bd0:$a4: get_passwordField 0x12cdf:$a5: set_encryptedPassword 0x1434a:$a7: get_logins 0x142ad:$a10: KeyLoggerEventArgs 0x13f18:$a11: KeyLoggerEventArgsEventHandler
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a70e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19940:$a3: \Google\Chrome\User Data\Default\Login Data 0x19d73:$a4: \Orbitum\User Data\Default\Login Data 0x1adb2:$a5: \Kometa\User Data\Default\Login Data
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13899:$s1: UnHook 0x138a0:$s2: SetHook 0x138a8:$s3: CallNextHook 0x138b5:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d58:$x1: $%SMTPDV$ 0x1666c:$x2: $#TheHashHere%& 0x17d00:$x3: %FTPDV$ 0x1660c:$x4: $%TelegramDv$ 0x13f18:$x5: KeyLoggerEventArgs 0x142ad:$x5: KeyLoggerEventArgs 0x17d24:$m2: Clipboard Logs ID 0x17f62:$m2: Screenshot Logs ID 0x18072:$m2: keystroke Logs ID 0x1834c:$m3: SnakePW 0x17f3a:$m4: \SnakeKeylogger\
0.2.Ziraat Bankasi Swift Mesaji.exe.2920138.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa491c:$x1: In$J$ct0r 0xa5930:$a1: WriteProcessMemory 0xa59bc:$a1: WriteProcessMemory 0xa5a90:$a4: VirtualAllocEx 0xa5cb4:$a4: VirtualAllocEx 0xa5d34:$a4: VirtualAllocEx
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20dc:$x1: In$J$ct0r 0xa30f0:$a1: WriteProcessMemory 0xa317c:$a1: WriteProcessMemory 0xa3250:$a4: VirtualAllocEx 0xa3474:$a4: VirtualAllocEx 0xa34f4:$a4: VirtualAllocEx
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ac9:$a1: get_encryptedPassword 0x354e9:$a1: get_encryptedPassword 0x14db5:$a2: get_encryptedUsername 0x357d5:$a2: get_encryptedUsername 0x148d5:$a3: get_timePasswordChanged 0x352f5:$a3: get_timePasswordChanged 0x149d0:$a4: get_passwordField 0x353f0:$a4: get_passwordField 0x14adf:$a5: set_encryptedPassword 0x354ff:$a5: set_encryptedPassword 0x1614a:$a7: get_logins 0x36b6a:$a7: get_logins 0x160ad:$a10: KeyLoggerEventArgs 0x36acd:$a10: KeyLoggerEventArgs 0x15d18:$a11: KeyLoggerEventArgsEventHandler 0x36738:$a11: KeyLoggerEventArgsEventHandler
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf2e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b740:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c160:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb73:$a4: \Orbitum\User Data\Default\Login Data 0x3c593:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb2:$a5: \Kometa\User Data\Default\Login Data 0x3d5d2:$a5: \Kometa\User Data\Default\Login Data
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15699:$s1: UnHook 0x360b9:$s1: UnHook 0x156a0:$s2: SetHook 0x360c0:$s2: SetHook 0x156a8:$s3: CallNextHook 0x360c8:$s3: CallNextHook 0x156b5:$s4: _hook 0x360d5:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b58:$x1: $%SMTPDV$ 0x3a578:$x1: $%SMTPDV$ 0x1846c:$x2: $#TheHashHere%& 0x38e8c:$x2: $#TheHashHere%& 0x19b00:$x3: %FTPDV$ 0x3a520:$x3: %FTPDV$ 0x1840c:$x4: $%TelegramDv$ 0x38e2c:$x4: $%TelegramDv$ 0x15d18:$x5: KeyLoggerEventArgs 0x160ad:$x5: KeyLoggerEventArgs 0x36738:$x5: KeyLoggerEventArgs 0x36acd:$x5: KeyLoggerEventArgs 0x19b24:$m2: Clipboard Logs ID 0x19d62:$m2: Screenshot Logs ID 0x19e72:$m2: keystroke Logs ID 0x3a544:$m2: Clipboard Logs ID 0x3a782:$m2: Screenshot Logs ID 0x3a892:$m2: keystroke Logs ID 0x1a14c:$m3: SnakePW 0x3ab6c:$m3: SnakePW 0x19d3a:$m4: \SnakeKeylogger\
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ac9:$a1: get_encryptedPassword 0x356f9:$a1: get_encryptedPassword 0x56119:$a1: get_encryptedPassword 0x14db5:$a2: get_encryptedUsername 0x359e5:$a2: get_encryptedUsername 0x56405:$a2: get_encryptedUsername 0x148d5:$a3: get_timePasswordChanged 0x35505:$a3: get_timePasswordChanged 0x55f25:$a3: get_timePasswordChanged 0x149d0:$a4: get_passwordField 0x35600:$a4: get_passwordField 0x56020:$a4: get_passwordField 0x14adf:$a5: set_encryptedPassword 0x3570f:$a5: set_encryptedPassword 0x5612f:$a5: set_encryptedPassword 0x1614a:$a7: get_logins 0x36d7a:$a7: get_logins 0x5779a:$a7: get_logins 0x160ad:$a10: KeyLoggerEventArgs 0x36cdd:$a10: KeyLoggerEventArgs 0x576fd:$a10: KeyLoggerEventArgs
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c50e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d13e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5db5e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b740:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c370:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cd90:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bb73:$a4: \Orbitum\User Data\Default\Login Data 0x3c7a3:$a4: \Orbitum\User Data\Default\Login Data 0x5d1c3:$a4: \Orbitum\User Data\Default\Login Data 0x1cbb2:$a5: \Kometa\User Data\Default\Login Data 0x3d7e2:$a5: \Kometa\User Data\Default\Login Data 0x5e202:$a5: \Kometa\User Data\Default\Login Data
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15699:$s1: UnHook 0x362c9:$s1: UnHook 0x56ce9:$s1: UnHook 0x156a0:$s2: SetHook 0x362d0:$s2: SetHook 0x56cf0:$s2: SetHook 0x156a8:$s3: CallNextHook 0x362d8:$s3: CallNextHook 0x56cf8:$s3: CallNextHook 0x156b5:$s4: _hook 0x362e5:$s4: _hook 0x56d05:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b58:$x1: $%SMTPDV$ 0x3a788:$x1: $%SMTPDV$ 0x5b1a8:$x1: $%SMTPDV$ 0x1846c:$x2: $#TheHashHere%& 0x3909c:$x2: $#TheHashHere%& 0x59abc:$x2: $#TheHashHere%& 0x19b00:$x3: %FTPDV$ 0x3a730:$x3: %FTPDV$ 0x5b150:$x3: %FTPDV$ 0x1840c:$x4: $%TelegramDv$ 0x3903c:$x4: $%TelegramDv$ 0x59a5c:$x4: $%TelegramDv$ 0x15d18:$x5: KeyLoggerEventArgs 0x160ad:$x5: KeyLoggerEventArgs 0x36948:$x5: KeyLoggerEventArgs 0x36cdd:$x5: KeyLoggerEventArgs 0x57368:$x5: KeyLoggerEventArgs 0x576fd:$x5: KeyLoggerEventArgs 0x19b24:$m2: Clipboard Logs ID 0x19d62:$m2: Screenshot Logs ID 0x19e72:$m2: keystroke Logs ID
0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa5169:$a1: get_encryptedPassword 0xc5d99:$a1: get_encryptedPassword 0xe67b9:$a1: get_encryptedPassword 0xa5455:$a2: get_encryptedUsername 0xc6085:$a2: get_encryptedUsername 0xe6aa5:$a2: get_encryptedUsername 0xa4f75:$a3: get_timePasswordChanged 0xc5ba5:$a3: get_timePasswordChanged 0xe65c5:$a3: get_timePasswordChanged 0xa5070:$a4: get_passwordField 0xc5ca0:$a4: get_passwordField 0xe66c0:$a4: get_passwordField 0xa517f:$a5: set_encryptedPassword 0xc5daf:$a5: set_encryptedPassword 0xe67cf:$a5: set_encryptedPassword 0xa67ea:$a7: get_logins 0xc741a:$a7: get_logins 0xe7e3a:$a7: get_logins 0xa674d:$a10: KeyLoggerEventArgs 0xc737d:$a10: KeyLoggerEventArgs 0xe7d9d:$a10: KeyLoggerEventArgs
0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5d39:$s1: UnHook 0xc6969:$s1: UnHook 0xe7389:$s1: UnHook 0xa5d40:$s2: SetHook 0xc6970:$s2: SetHook 0xe7390:$s2: SetHook 0xa5d48:$s3: CallNextHook 0xc6978:$s3: CallNextHook 0xe7398:$s3: CallNextHook 0xa5d55:$s4: _hook 0xc6985:$s4: _hook 0xe73a5:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xaa1f8:$x1: $%SMTPDV$ 0xcae28:$x1: $%SMTPDV$ 0xeb848:$x1: $%SMTPDV$ 0xa8b0c:$x2: $#TheHashHere%& 0xc973c:$x2: $#TheHashHere%& 0xea15c:$x2: $#TheHashHere%& 0xaa1a0:$x3: %FTPDV$ 0xcadd0:$x3: %FTPDV$ 0xeb7f0:$x3: %FTPDV$ 0xa8aac:$x4: $%TelegramDv$ 0xc96dc:$x4: $%TelegramDv$ 0xea0fc:$x4: $%TelegramDv$ 0xa63b8:$x5: KeyLoggerEventArgs 0xa674d:$x5: KeyLoggerEventArgs 0xc6fe8:$x5: KeyLoggerEventArgs 0xc737d:$x5: KeyLoggerEventArgs 0xe7a08:$x5: KeyLoggerEventArgs 0xe7d9d:$x5: KeyLoggerEventArgs 0xaa1c4:$m2: Clipboard Logs ID 0xaa402:$m2: Screenshot Logs ID 0xaa512:$m2: keystroke Logs ID
0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
Click to see the 40 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T10:39:56.501387+0200	2803305	3	Unknown Traffic	192.168.2.9	49710	188.114.97.3	443	TCP
2024-09-27T10:39:57.604654+0200	2803305	3	Unknown Traffic	192.168.2.9	49713	188.114.97.3	443	TCP
2024-09-27T10:39:59.850286+0200	2803305	3	Unknown Traffic	192.168.2.9	49718	188.114.97.3	443	TCP
2024-09-27T10:40:19.213429+0200	2803305	3	Unknown Traffic	192.168.2.9	49727	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T10:39:54.905510+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49706	193.122.130.0	80	TCP
2024-09-27T10:39:55.952215+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49706	193.122.130.0	80	TCP
2024-09-27T10:39:57.030451+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49712	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7793181644:AAGZi9EwhHz_7_W-P3o6zCi0LNG3DYUolRk/sendMessage?chat_id=1645099110", "Username": "selcukacar@emmioglu.com", "Password": "Kaya2758+", "Host": "mail.emmioglu.com", "Port": "587", "Token": "7793181644:AAGZi9EwhHz_7_W-P3o6zCi0LNG3DYUolRk", "Chat_id": "1645099110", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Ziraat Bankasi Swift Mesaji.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Ziraat Bankasi Swift Mesaji.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49709 version: TLS 1.0

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3810794744.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3812928144.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 00C3F1F6h	2_2_00C3F007
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 00C3FB80h	2_2_00C3F007
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_00C3E528
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8DA51h	2_2_04F8D7A8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8B791h	2_2_04F8B4E8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8E759h	2_2_04F8E4B0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F80751h	2_2_04F804A0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8DEA9h	2_2_04F8DC00
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8C041h	2_2_04F8BD98
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F81011h	2_2_04F80D60
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8F009h	2_2_04F8ED60
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8D1A1h	2_2_04F8CEF8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8C8F1h	2_2_04F8C648
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F81A38h	2_2_04F81620
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8F8B9h	2_2_04F8F610
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F81A38h	2_2_04F81610
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8E301h	2_2_04F8E058
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F802F1h	2_2_04F80040
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8C499h	2_2_04F8C1F0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F81471h	2_2_04F811C0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8F461h	2_2_04F8F1B8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F81A38h	2_2_04F81966
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8BBE9h	2_2_04F8B940
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8EBB1h	2_2_04F8E908
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F80BB1h	2_2_04F80900
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8CD49h	2_2_04F8CAA0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8FD11h	2_2_04F8FA68
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 04F8D5F9h	2_2_04F8D350
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06698945h	2_2_06698608
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06697BA9h	2_2_06697900
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06695D19h	2_2_06695A70
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 066958C1h	2_2_06695618
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06696171h	2_2_06695EC8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_066936CE
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06696A21h	2_2_06696778
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 066965C9h	2_2_06696320
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06696E79h	2_2_06696BD0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_066933A8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_066933B8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 066902E9h	2_2_06690040
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 066972FAh	2_2_06697050
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06690B99h	2_2_066908F0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06697751h	2_2_066974A8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06690741h	2_2_06690498
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06690FF1h	2_2_06690D48
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06698001h	2_2_06697D58
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06698459h	2_2_066981B0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 4x nop then jmp 06695441h	2_2_06695198

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49712 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49706 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49718 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49710 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49727 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49713 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49709 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BFF000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B27000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgh
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.orgh

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2920138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.3812510312.0000000004C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C6B1F8	0_2_04C6B1F8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C61094	0_2_04C61094
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C69FE7	0_2_04C69FE7
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C62F40	0_2_04C62F40
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C62F50	0_2_04C62F50
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3F007	2_2_00C3F007
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3C190	2_2_00C3C190
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C36108	2_2_00C36108
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3B328	2_2_00C3B328
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3C473	2_2_00C3C473
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3C752	2_2_00C3C752
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C36730	2_2_00C36730
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C39858	2_2_00C39858
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C34AD9	2_2_00C34AD9
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3CA32	2_2_00C3CA32
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3BBD2	2_2_00C3BBD2
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3BEB2	2_2_00C3BEB2
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3B4F2	2_2_00C3B4F2
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C33572	2_2_00C33572
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3E517	2_2_00C3E517
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00C3E528	2_2_00C3E528
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8D7A8	2_2_04F8D7A8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8B4E8	2_2_04F8B4E8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8B4D7	2_2_04F8B4D7
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8E4B0	2_2_04F8E4B0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F804A0	2_2_04F804A0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8E4A0	2_2_04F8E4A0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F80490	2_2_04F80490
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F88460	2_2_04F88460
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8DC00	2_2_04F8DC00
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8BD98	2_2_04F8BD98
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F87D90	2_2_04F87D90
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8BD88	2_2_04F8BD88
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F80D60	2_2_04F80D60
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8ED60	2_2_04F8ED60
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8ED50	2_2_04F8ED50
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F80D51	2_2_04F80D51
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8CEF8	2_2_04F8CEF8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8CEE9	2_2_04F8CEE9
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8C648	2_2_04F8C648
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8C638	2_2_04F8C638
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8F610	2_2_04F8F610
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8F600	2_2_04F8F600
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8D798	2_2_04F8D798
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8E8F8	2_2_04F8E8F8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F808F0	2_2_04F808F0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F83870	2_2_04F83870
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F83860	2_2_04F83860
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8E058	2_2_04F8E058
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8E049	2_2_04F8E049
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F80040	2_2_04F80040
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8001E	2_2_04F8001E
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8C1F0	2_2_04F8C1F0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8C1E0	2_2_04F8C1E0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F811C0	2_2_04F811C0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8F1B8	2_2_04F8F1B8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F811B0	2_2_04F811B0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8F1A9	2_2_04F8F1A9
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8B940	2_2_04F8B940
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8B930	2_2_04F8B930
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8E908	2_2_04F8E908
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F80900	2_2_04F80900
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8CAA0	2_2_04F8CAA0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8CA90	2_2_04F8CA90
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8FA68	2_2_04F8FA68
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8FA59	2_2_04F8FA59
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8DBF1	2_2_04F8DBF1
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F873E8	2_2_04F873E8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F873D8	2_2_04F873D8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F87B70	2_2_04F87B70
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8D350	2_2_04F8D350
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8D340	2_2_04F8D340
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669D670	2_2_0669D670
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669AA58	2_2_0669AA58
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06698608	2_2_06698608
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669B6E8	2_2_0669B6E8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669C388	2_2_0669C388
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06698C51	2_2_06698C51
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669D028	2_2_0669D028
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669A408	2_2_0669A408
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669B0A0	2_2_0669B0A0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669BD38	2_2_0669BD38
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06697900	2_2_06697900
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669C9D8	2_2_0669C9D8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066911A0	2_2_066911A0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06695A60	2_2_06695A60
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669D662	2_2_0669D662
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06695A70	2_2_06695A70
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669AA48	2_2_0669AA48
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06695609	2_2_06695609
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06695618	2_2_06695618
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06695EC8	2_2_06695EC8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669B6D9	2_2_0669B6D9
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06695EB8	2_2_06695EB8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669676A	2_2_0669676A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06696778	2_2_06696778
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669C378	2_2_0669C378
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06696320	2_2_06696320
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06693730	2_2_06693730
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06696311	2_2_06696311
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669A3F8	2_2_0669A3F8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06696BC1	2_2_06696BC1
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06696BD0	2_2_06696BD0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066933A8	2_2_066933A8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066933B8	2_2_066933B8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06690040	2_2_06690040
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06697040	2_2_06697040
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06697050	2_2_06697050
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06694430	2_2_06694430
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06692807	2_2_06692807
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06690006	2_2_06690006
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06692818	2_2_06692818
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669D018	2_2_0669D018
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066908E0	2_2_066908E0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066908F0	2_2_066908F0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066978F0	2_2_066978F0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066974A8	2_2_066974A8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06690488	2_2_06690488
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669B08F	2_2_0669B08F
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06690498	2_2_06690498
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06697497	2_2_06697497
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06690D48	2_2_06690D48
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06697D48	2_2_06697D48
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06697D58	2_2_06697D58
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669BD28	2_2_0669BD28
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06690D39	2_2_06690D39
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066985F8	2_2_066985F8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669C9C8	2_2_0669C9C8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066981A0	2_2_066981A0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_066981B0	2_2_066981B0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0669518A	2_2_0669518A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_06695198	2_2_06695198

Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3810794744.00000000028CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3810794744.00000000028CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000000.1342791028.000000000024A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOvin.exe* vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3812510312.0000000004C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3809277636.000000000089E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3812928144.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3808802102.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: OriginalFilenameOvin.exe* vs Ziraat Bankasi Swift Mesaji.exe

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2920138.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.3812510312.0000000004C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, O--.cs	Base64 encoded string: 'k3oxk6CnehHQeJsaKyNHWq+Wi6Dswd1zBFznyEpUHzGcTtzZgG+f0Q5rHT/7QLQ8'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.4c90000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, O--.cs	Base64 encoded string: 'k3oxk6CnehHQeJsaKyNHWq+Wi6Dswd1zBFznyEpUHzGcTtzZgG+f0Q5rHT/7QLQ8'

Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: .vbproj
Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: .csprojC Exception while reading XmlDoc:

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/2

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Mutant created: NULL

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ziraat Bankasi Swift Mesaji.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3811557580.0000000003AFD000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ziraat Bankasi Swift Mesaji.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: 0xCB1891CC [Wed Dec 22 07:50:36 2077 UTC]

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C69541 push ss; mov dword ptr [esp], 5504BE7Fh	0_2_04C6954A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C643A0 pushfd ; ret	0_2_04C643A1
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C65372 push eax; retf	0_2_04C65379
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_04C63AB7 push ebx; retf	0_2_04C63ADA
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8AC28 push eax; retf	2_2_04F8AC2A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F82E78 push esp; iretd	2_2_04F82E79
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_04F8ABF6 push eax; retf	2_2_04F8AC2A

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: section name: .text entropy: 7.368072547253828

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 10F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598795	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Window / User API: threadDelayed 8592			Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Window / User API: threadDelayed 1270			Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7208	Thread sleep count: 8592 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7208	Thread sleep count: 1270 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598795s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -597032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 7204	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598795	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: Mono.Debugger.Soft.VirtualMachineManager+<ConnectInternalAsync>d__1, Ovin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: SetVirtualMachine
Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: get_VirtualMachine
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3809393478.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2922978.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Memory written: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3810115705.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3769240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3748610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.36b7f70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3810115705.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 1432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 3884, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ziraat Bankasi Swift Mesaji.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
Ziraat Bankasi Swift Mesaji.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BFF000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B27000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgh	Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B27000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.orgh	Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://reallyfreegeoip.org	Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002BC9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.3810115705.0000000002B36000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520404
Start date and time:	2024-09-27 10:38:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ziraat Bankasi Swift Mesaji.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 132 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Ziraat Bankasi Swift Mesaji.exe, PID 3884 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Ziraat Bankasi Swift Mesaji.exe

Simulations

Behavior and APIs

Time	Type	Description
04:39:55	API Interceptor	10900532x Sleep call for process: Ziraat Bankasi Swift Mesaji.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/mfctuvFf/download
	http://brawllstars.ru/	Get hash	malicious	HTMLPhisher	Browse	brawllstars.ru/
	http://aktiivasi-paylaterr.from-resmi.com/	Get hash	malicious	Unknown	Browse	aktiivasi-paylaterr.from-resmi.com/
	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	homker11.uebki.one/GeneratorTest.php
	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
193.122.130.0	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	REMITTANCE ADVICE.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Details.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	#docs_8299010377388200191-pdf.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Dekont.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	dekont.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	REMITTANCE ADVICE.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z64BLPL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	#docs_8299010377388200191-pdf.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Dekont.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	dekont.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	REMITTANCE ADVICE.xls	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z64BLPL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	VbcXXnmIwPPhh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	RTGS-WB-ABS-240730-NEW.lnk	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	#docs_8299010377388200191-pdf.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	162.159.129.233
	AGMETIGA zapytanie ofertowe.xls	Get hash	malicious	PureLog Stealer	Browse	172.67.179.215
	175-33-26-24.HTA.hta	Get hash	malicious	Unknown	Browse	104.16.231.132
	Dekont.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	dekont.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Purchase Inquiry-0012.xls	Get hash	malicious	Unknown	Browse	104.21.64.88
	QT2Q1292.xla.xlsx	Get hash	malicious	FormBook	Browse	104.21.64.88
	https://bgbonline.cecchinatoonline.top/	Get hash	malicious	HtmlDropper	Browse	188.114.96.3
ORACLE-BMC-31898US	Dekont.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	dekont.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	REMITTANCE ADVICE.xls	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z64BLPL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.CrypterX-gen.6879.11943.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	#docs_8299010377388200191-pdf.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Dekont.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	dekont.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Adware.DownwareNET.4.15389.24193.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	z64BLPL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	TLS20242025.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.357342741996699
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Ziraat Bankasi Swift Mesaji.exe
File size:	552'960 bytes
MD5:	676813934849b161d6dfd5062536318f
SHA1:	de400cd5edbf8cb741691f13c338744842c0f1a2
SHA256:	7ef09922582a622f7333d2987d63efc14ecc000a51e160b808dd9520c31f771c
SHA512:	0325329d32778625583254222a014c3d9cee7c132c5ecdb132e3fcb0adc97345f9632ded15b294800666a67648d84470b01a564fb234997320f1e6ddab46706e
SSDEEP:	6144:+6ej0DdEWMhO7ZiDBqOV2eR05OvP7jXXgC/MVgWJNYRy7nKx9hO+w7wHQ3SZfTUP:+69EWKq6ucPp0VhJvTKviaxoZ
TLSH:	7FC4C0B013FC437AE29F2BBBE4215C21C7B6A912A817E35DAC01E87D0556B57C6A1733
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..f............... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48841e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCB1891CC [Wed Dec 22 07:50:36 2077 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x883d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x86424	0x86600	a4fecb262f6cd9c781ab34072efa825a	False	0.6136646075581396	data	7.368072547253828	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x586	0x600	0421a811bf444ee3f391ff574b8498b6	False	0.4134114583333333	data	4.011949996761444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	ef3d2a40a9110656f922ece0fc942076	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8a0a0	0x2fc	data			0.43586387434554974
RT_MANIFEST	0x8a39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T10:39:54.905510+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49706	193.122.130.0	80	TCP
2024-09-27T10:39:55.952215+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49706	193.122.130.0	80	TCP
2024-09-27T10:39:56.501387+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49710	188.114.97.3	443	TCP
2024-09-27T10:39:57.030451+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49712	193.122.130.0	80	TCP
2024-09-27T10:39:57.604654+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49713	188.114.97.3	443	TCP
2024-09-27T10:39:59.850286+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49718	188.114.97.3	443	TCP
2024-09-27T10:40:19.213429+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49727	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 10:39:54.282888889 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:54.288050890 CEST	80	49706	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:54.288135052 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:54.288353920 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:54.293780088 CEST	80	49706	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:54.744590044 CEST	80	49706	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:54.759228945 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:54.764075994 CEST	80	49706	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:54.858781099 CEST	80	49706	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:54.905509949 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:55.100183964 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.100250959 CEST	443	49709	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.100311041 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.111403942 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.111426115 CEST	443	49709	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.597910881 CEST	443	49709	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.597981930 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.606339931 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.606353045 CEST	443	49709	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.606818914 CEST	443	49709	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.655328989 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.675621033 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.719420910 CEST	443	49709	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.784893036 CEST	443	49709	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.785013914 CEST	443	49709	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.785064936 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.801960945 CEST	49709	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.806694031 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:55.811621904 CEST	80	49706	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:55.906373978 CEST	80	49706	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:55.909444094 CEST	49710	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.909499884 CEST	443	49710	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.909569025 CEST	49710	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.909873962 CEST	49710	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:55.909884930 CEST	443	49710	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:55.952214956 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:56.361632109 CEST	443	49710	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:56.364351034 CEST	49710	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:56.364394903 CEST	443	49710	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:56.501409054 CEST	443	49710	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:56.501540899 CEST	443	49710	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:56.501796007 CEST	49710	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:56.502141953 CEST	49710	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:56.505536079 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:56.506793976 CEST	49712	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:56.510761976 CEST	80	49706	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:56.510859013 CEST	49706	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:56.511652946 CEST	80	49712	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:56.511761904 CEST	49712	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:56.511833906 CEST	49712	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:56.516588926 CEST	80	49712	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:56.978147030 CEST	80	49712	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:56.979849100 CEST	49713	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:56.979907990 CEST	443	49713	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:56.979974985 CEST	49713	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:56.980264902 CEST	49713	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:56.980277061 CEST	443	49713	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:57.030451059 CEST	49712	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:57.455173969 CEST	443	49713	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:57.459758043 CEST	49713	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:57.459805012 CEST	443	49713	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:57.604640007 CEST	443	49713	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:57.604743004 CEST	443	49713	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:57.604887009 CEST	49713	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:57.605429888 CEST	49713	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:57.609980106 CEST	49714	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:57.614919901 CEST	80	49714	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:57.618247032 CEST	49714	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:57.618360043 CEST	49714	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:57.623188019 CEST	80	49714	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:58.115078926 CEST	80	49714	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:58.116858959 CEST	49715	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:58.116904020 CEST	443	49715	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:58.116983891 CEST	49715	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:58.117269039 CEST	49715	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:58.117280960 CEST	443	49715	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:58.155392885 CEST	49714	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:58.600485086 CEST	443	49715	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:58.602020025 CEST	49715	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:58.602051973 CEST	443	49715	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:58.737246990 CEST	443	49715	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:58.737395048 CEST	443	49715	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:58.737483978 CEST	49715	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:58.737940073 CEST	49715	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:58.741092920 CEST	49714	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:58.742235899 CEST	49717	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:58.746479988 CEST	80	49714	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:58.746572018 CEST	49714	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:58.747128963 CEST	80	49717	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:58.747210026 CEST	49717	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:58.747334957 CEST	49717	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:58.752090931 CEST	80	49717	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:59.223490953 CEST	80	49717	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:59.225075006 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:59.225138903 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:59.225209951 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:59.225461006 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:59.225480080 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:59.264714956 CEST	49717	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:59.708570004 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:59.710251093 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:59.710297108 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:59.850253105 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:59.850358963 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 27, 2024 10:39:59.850421906 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:59.850929976 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:39:59.854460955 CEST	49717	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:59.855564117 CEST	49720	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:59.859719992 CEST	80	49717	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:59.859796047 CEST	49717	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:59.860372066 CEST	80	49720	193.122.130.0	192.168.2.9
Sep 27, 2024 10:39:59.860435009 CEST	49720	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:59.860512972 CEST	49720	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:39:59.865295887 CEST	80	49720	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:00.317445993 CEST	80	49720	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:00.318864107 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:00.318902016 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:00.319083929 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:00.319302082 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:00.319313049 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:00.358586073 CEST	49720	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:00.792685986 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:00.794533014 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:00.794565916 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:00.937427044 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:00.937525988 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:00.937576056 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:00.938323021 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:00.941811085 CEST	49720	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:00.942981958 CEST	49722	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:00.946922064 CEST	80	49720	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:00.946980953 CEST	49720	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:00.947824001 CEST	80	49722	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:00.947882891 CEST	49722	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:00.947994947 CEST	49722	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:00.952800989 CEST	80	49722	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:12.194231033 CEST	80	49722	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:12.194279909 CEST	80	49722	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:12.194331884 CEST	80	49722	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:12.194375992 CEST	49722	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:12.194509983 CEST	49722	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:12.195672989 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:12.195714951 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:12.195871115 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:12.196202040 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:12.196213961 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:12.682179928 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:12.684041977 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:12.684056997 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:12.820965052 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:12.821063995 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:12.821115971 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:12.821592093 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:12.825376987 CEST	49722	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:12.826504946 CEST	49726	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:12.830463886 CEST	80	49722	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:12.830524921 CEST	49722	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:12.831414938 CEST	80	49726	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:12.831487894 CEST	49726	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:12.831567049 CEST	49726	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:13.048058033 CEST	80	49722	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:13.048098087 CEST	80	49726	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:13.048103094 CEST	49722	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:13.052963018 CEST	80	49722	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:18.598931074 CEST	80	49726	193.122.130.0	192.168.2.9
Sep 27, 2024 10:40:18.600166082 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:18.600210905 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:18.600286961 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:18.600507975 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:18.600528955 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:18.639791965 CEST	49726	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:40:19.055742979 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:19.102925062 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:19.102942944 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:19.213442087 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:19.213538885 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 27, 2024 10:40:19.213637114 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:40:19.214221001 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 27, 2024 10:41:01.977199078 CEST	80	49712	193.122.130.0	192.168.2.9
Sep 27, 2024 10:41:01.977457047 CEST	49712	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:41:23.599626064 CEST	80	49726	193.122.130.0	192.168.2.9
Sep 27, 2024 10:41:23.599778891 CEST	49726	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:41:58.610356092 CEST	49726	80	192.168.2.9	193.122.130.0
Sep 27, 2024 10:41:58.615274906 CEST	80	49726	193.122.130.0	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 10:39:54.268184900 CEST	52020	53	192.168.2.9	1.1.1.1
Sep 27, 2024 10:39:54.276606083 CEST	53	52020	1.1.1.1	192.168.2.9
Sep 27, 2024 10:39:54.981664896 CEST	61892	53	192.168.2.9	1.1.1.1
Sep 27, 2024 10:39:54.991286039 CEST	53	61892	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 10:39:54.268184900 CEST	192.168.2.9	1.1.1.1	0xfc37	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 27, 2024 10:39:54.981664896 CEST	192.168.2.9	1.1.1.1	0x840b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 10:39:54.276606083 CEST	1.1.1.1	192.168.2.9	0xfc37	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 27, 2024 10:39:54.276606083 CEST	1.1.1.1	192.168.2.9	0xfc37	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 27, 2024 10:39:54.276606083 CEST	1.1.1.1	192.168.2.9	0xfc37	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 27, 2024 10:39:54.276606083 CEST	1.1.1.1	192.168.2.9	0xfc37	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 27, 2024 10:39:54.276606083 CEST	1.1.1.1	192.168.2.9	0xfc37	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 27, 2024 10:39:54.276606083 CEST	1.1.1.1	192.168.2.9	0xfc37	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 27, 2024 10:39:54.991286039 CEST	1.1.1.1	192.168.2.9	0x840b	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 10:39:54.991286039 CEST	1.1.1.1	192.168.2.9	0x840b	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	193.122.130.0	80	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 10:39:54.288353920 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 27, 2024 10:39:54.744590044 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:54 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9bb304c5f74b3232a417c4a3af9c1dc2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 27, 2024 10:39:54.759228945 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 27, 2024 10:39:54.858781099 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:54 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d7c3078ea8a58378ef090e844ddcdc12 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 27, 2024 10:39:55.806694031 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 27, 2024 10:39:55.906373978 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:55 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cff77d5321fd8c4753d108d0be39e1e5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49712	193.122.130.0	80	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 10:39:56.511833906 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 27, 2024 10:39:56.978147030 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5654415e410d42327117f2d0d7cc4bfd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49714	193.122.130.0	80	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 10:39:57.618360043 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 27, 2024 10:39:58.115078926 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:58 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 949809629745dd4fcc230c69edd08b09 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49717	193.122.130.0	80	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 10:39:58.747334957 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 27, 2024 10:39:59.223490953 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f859922da4a8e260ec78052f25fd3bd9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49720	193.122.130.0	80	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 10:39:59.860512972 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 27, 2024 10:40:00.317445993 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:40:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 840d0dd80ff5c928130b8969d3160dea Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49722	193.122.130.0	80	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 10:40:00.947994947 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 27, 2024 10:40:12.194231033 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:40:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c9dd43a538fbaaddae79adf71b447013 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 27, 2024 10:40:12.194279909 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:40:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c9dd43a538fbaaddae79adf71b447013 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 27, 2024 10:40:12.194331884 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:40:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c9dd43a538fbaaddae79adf71b447013 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49726	193.122.130.0	80	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 10:40:12.831567049 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 27, 2024 10:40:18.598931074 CEST	320	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:40:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 447d27e0ef3b899734fba3b76fd9b537 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49709	188.114.97.3	443	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 08:39:55 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-27 08:39:55 UTC	674	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:55 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 951 Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l%2Fiy5XrExm2RHh9pz2nFVcR3usY36v7uUazNndtaeXgfLRoirkCkp1kAGJrIHkmAdEVG%2FwUcQokPnF78EdE%2FMDNGXaMYxk71BDsDrqLx1bCGal9sXW5iKiUl3NSXwnkG3hGZpANy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a2f9d4cfd43bd-EWR
2024-09-27 08:39:55 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:39:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49710	188.114.97.3	443	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 08:39:56 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-27 08:39:56 UTC	674	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 952 Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rRTExJ%2F6ih8OsXRZmxpzYlGcPyh4kZZsOQhXvJuV8KpAVWm7azJSiIjOwrZT8bCfBfiwebodLGa4TDgOKqacs%2BXWXPUQTNZL5U2ZwaMylVF7eyzmq9cXSaGWZumrqctpkhh%2Bw5yN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a2fa1c9604262-EWR
2024-09-27 08:39:56 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:39:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49713	188.114.97.3	443	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 08:39:57 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-27 08:39:57 UTC	674	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 953 Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gBEoY5Wjckomqa5ewuxVJS9J3fW1bqrm%2B1qEBsHXqBn7pIuzBZQhWMmhaaRLH50vXOrQKgH1vNXT68ePFoElV8Ji88LBhWa89Atpmfg%2BCqoo2AbtZGLT30yLJNhWeM%2FtVkYUm1Li"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a2fa89ea13338-EWR
2024-09-27 08:39:57 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:39:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49715	188.114.97.3	443	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 08:39:58 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-27 08:39:58 UTC	674	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 954 Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DYneD9wj%2BH1Ivl9YD5xpM7T0HOQy22PEEqAOg09rCpUZfMfQTdWZwZHHnRbsOl3ijwVZSVTu57uYjkX49Ushr3xtJKST8aOwRov%2BjBFfgQuvWrC1WiRFiVW%2FXZnuKgGR5NZjufeJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a2fafbe22187d-EWR
2024-09-27 08:39:58 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:39:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49718	188.114.97.3	443	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 08:39:59 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-27 08:39:59 UTC	672	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:39:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 955 Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jjJX4gBO2nBNQHdc4Vb6OExB8RbbKFa4udOfAme66xQ0ihr0mOOnA1LYBXF93%2BE05h3FcjLPikTV%2B49snJGIrNPX8FpcJMn4M9kkIV7FroL0QYeFjxTYzQpkSjaiWXePnhtoqEkr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a2fb6a87f447a-EWR
2024-09-27 08:39:59 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:39:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49721	188.114.97.3	443	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 08:40:00 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-27 08:40:00 UTC	678	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:40:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 956 Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H6pb9VB%2F6F7qHcfi0qeB5RUtJJeV0OMtLg%2B0L6yfnJPqoe8TwWvCDJEfJHDXjFKKEXXbxAdvC8Q6EhWxnj4x%2BHay4u2J6%2FkT7SYDe7E60jnxrYOcNskpKNYA3g0v2keGixvxZ%2FnG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a2fbd7d1d188d-EWR
2024-09-27 08:40:00 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:40:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49725	188.114.97.3	443	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 08:40:12 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-27 08:40:12 UTC	676	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:40:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 968 Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JV58whyfrEBxr1soGrM3NZ%2BJP3kBd0ScreUxYJy85BdkeuBPP0%2B4G2llr5%2FdO01VUH7kfUTecAgD2x4SRarOYWnTQW2nT8yPEnUT8LD5v9DinVX1%2F3ZkoEU03AWfJ5ejKlttvqtR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a3007bf699e05-EWR
2024-09-27 08:40:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:40:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49727	188.114.97.3	443	3884	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 08:40:19 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-27 08:40:19 UTC	674	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 08:40:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 975 Last-Modified: Fri, 27 Sep 2024 08:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zzTEEv%2Fq%2FRW0repUWyleFzNxs6Nn6XNtD0CQQF5heeshMzsgqIRSkmX4KWDtVdglZfJFgSVXVwZWr2OGTDE846xSyr3zrpRGjaH2TxNpY7mY2nDHu7tpiEv4oN%2BNFoFG3F7uzxZ6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a302fbe9143ed-EWR
2024-09-27 08:40:19 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-27 08:40:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	04:39:52
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Imagebase:	0x1c0000
File size:	552'960 bytes
MD5 hash:	676813934849B161D6DFD5062536318F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.3812510312.0000000004C90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.3811241960.0000000003669000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	04:39:53
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Imagebase:	0x640000
File size:	552'960 bytes
MD5 hash:	676813934849B161D6DFD5062536318F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.3808615300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3810115705.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3810115705.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.5%
Total number of Nodes:	161
Total number of Limit Nodes:	10

Executed Functions

Function 04C6B1F8 Relevance: 1.9, Strings: 1, Instructions: 618
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 04C6B9B8

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 2ba7433ebf4abd122110934def19f9c2404f36b71cf177caca7a279f011914bc
Instruction ID: c977ddf376de9b38a285060d251d83f6d3e65cf26348f4e1f56e01987f7e8db1
Opcode Fuzzy Hash: 2ba7433ebf4abd122110934def19f9c2404f36b71cf177caca7a279f011914bc
Instruction Fuzzy Hash: ED52A075E01228CFEB64DF65C994BEDBBB2AF89300F1481E9D409A7291DB346E85CF50

Function 04C60550 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04C605DE
GetCurrentThread.KERNEL32 ref: 04C6061B
GetCurrentProcess.KERNEL32 ref: 04C60658
GetCurrentThreadId.KERNEL32 ref: 04C606B1

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 55aa05aa8cdba93b240ab2e2f902f2e33f65a2452a0e5b45864ca3a52fe2880b
Instruction ID: 819932d7a51e16790593c8916055c4f75defee18640ac253856aa29f9e81cca8
Opcode Fuzzy Hash: 55aa05aa8cdba93b240ab2e2f902f2e33f65a2452a0e5b45864ca3a52fe2880b
Instruction Fuzzy Hash: BD5169B0D017498FDB14CFAAD5887DEBBF1AF88304F24849AD409B7350D774A944CB66

Function 04C60560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 04C605DE
GetCurrentThread.KERNEL32 ref: 04C6061B
GetCurrentProcess.KERNEL32 ref: 04C60658
GetCurrentThreadId.KERNEL32 ref: 04C606B1

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c6bd2ae82c1fb8ba9960a24e54f037d0b282eae0a2a411a5cca575787051adbc
Instruction ID: ed91f1b268f577dbccffc7172fcfae8db16b61419b1d8a8a21e380c62bd8f30c
Opcode Fuzzy Hash: c6bd2ae82c1fb8ba9960a24e54f037d0b282eae0a2a411a5cca575787051adbc
Instruction Fuzzy Hash: 035155B09017498FEB04CFAAD588B9EBBF1EF88304F248459E409B7390D774A944CB66

Function 04C6BD2C Relevance: 1.6, APIs: 1, Instructions: 139
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 04C6BE74

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 28e0f83fe6a55ee39eb58ba3c661d6c5fb7b828eaebf069384bc425706d83643
Instruction ID: 6889ee6a2abea844035b937d6421f0450d89b7b4771c76f7e69b826a9380bbc4
Opcode Fuzzy Hash: 28e0f83fe6a55ee39eb58ba3c661d6c5fb7b828eaebf069384bc425706d83643
Instruction Fuzzy Hash: A451F575901329DFEB20CF95C984BDEBBB6BF49304F1080AAE509AB250D775AA84CF51

Function 04C6BD38 Relevance: 1.6, APIs: 1, Instructions: 137
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 04C6BE74

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 387fb86c733b804cf214a4392776b742528f48af3f90b05c283a90343a9844d3
Instruction ID: 8997ac1fc4bf9009469d1613b040ef7004e12c0042c013e5e954c3c21a27e4ab
Opcode Fuzzy Hash: 387fb86c733b804cf214a4392776b742528f48af3f90b05c283a90343a9844d3
Instruction Fuzzy Hash: 0B510775901329DFEF20CF95C880BDEBBB6BF49300F1080AAE509AB250D775AA84CF51

Function 04C64C05 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C64D22

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a1d9e5cf364faa95b821b030bc2440d58c79349d4813b222bb87ab900bf19984
Instruction ID: 71eb6def4ae12068001e12220fbe6032fad1efba3dbeb2868da8fe9f4b0e62fb
Opcode Fuzzy Hash: a1d9e5cf364faa95b821b030bc2440d58c79349d4813b222bb87ab900bf19984
Instruction Fuzzy Hash: 0C51C2B5D00309EFDB15CF99C884ADEBBF6BF48300F24812AE419AB210D775A985CF94

Function 04C64C10 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C64D22

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4f4e969e332b424bd385190486d4ef7dd48fb799b1e3ab49509bc1eea1061064
Instruction ID: 3cdaff993674d3220d2b7cd5764bdaca57eabc74c9bdd98385c405d41a588bdd
Opcode Fuzzy Hash: 4f4e969e332b424bd385190486d4ef7dd48fb799b1e3ab49509bc1eea1061064
Instruction Fuzzy Hash: 1841B2B5D00309AFDB14CF99C884ADEBFF6BF48310F24812AE819AB250D775A945CF94

Function 04C63AE4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C67291

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e791885d7c1a87f2d8fc25d7fed82610a4eef5cf676358972e6166a1cab3ff3d
Instruction ID: 39fdf736bf001ce7d9a12642cec6703987f92fce1340b6be80698d6c05577e5d
Opcode Fuzzy Hash: e791885d7c1a87f2d8fc25d7fed82610a4eef5cf676358972e6166a1cab3ff3d
Instruction Fuzzy Hash: EA41FAB5A00309CFDB14CF95C488AAABBF5FF88314F14C859E51AA7365D375A941CFA0

Function 04C6AEE0 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C6AF78

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b5d970d2f98a12887fb4c14b14cec1df0797933281df67b780a2fde912465323
Instruction ID: 2f375b8b19ca938db1e3040bd5829bb16d76e54a40dc8bfb9f50ef996bb304f4
Opcode Fuzzy Hash: b5d970d2f98a12887fb4c14b14cec1df0797933281df67b780a2fde912465323
Instruction Fuzzy Hash: 7A2148B1900309DFDB10CFA9C885BDEBBF1FF48310F10842AE559A7240D7799941CBA1

Function 04C6AEE8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C6AF78

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1df49cb8cfc12dac0fb94c1d5c66ee141bd8af52cb0ea5dc598a7e04e0cf0451
Instruction ID: 540383765a030940c5caf6a38591de07fd0e1a11fdeed1c467382c8c8a368084
Opcode Fuzzy Hash: 1df49cb8cfc12dac0fb94c1d5c66ee141bd8af52cb0ea5dc598a7e04e0cf0451
Instruction Fuzzy Hash: 3B2139B59003099FDB10CFA9C885BDEBBF5FF48310F14842AE919A7240D779A944CBA1

Function 04C607A1 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C6082F

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f807c7cb2794205b40f740ce6fa3533013c08f6915ae858a93856fc3e0137236
Instruction ID: 32c1a29231d39de010d7b69fa995b4c1f16a842d4be05f7a11738d48a265d7b8
Opcode Fuzzy Hash: f807c7cb2794205b40f740ce6fa3533013c08f6915ae858a93856fc3e0137236
Instruction Fuzzy Hash: 5D2103B5800209DFDB10CFAAD584ADEBBF5EB48310F14802AE919B3310D378A944CFA0

Function 04C6AE08 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04C6AE8E

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d16bf12dd7f95c97753079fe9cf7a7a48f5a9cecb7597c64abd707073993f1e3
Instruction ID: 3acc049263e60ce7e3b599e5a5359c44a3d1bd6eba6ee123a780bb10f132e2f5
Opcode Fuzzy Hash: d16bf12dd7f95c97753079fe9cf7a7a48f5a9cecb7597c64abd707073993f1e3
Instruction Fuzzy Hash: 502135B19003098FDB10DFAAC4857EEBBF5EF89310F14C42AD559A7240D779AA45CFA1

Function 04C6AE10 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04C6AE8E

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e427018f222e4d34c53a5640038a1b5f10b35c5e76ef0c4203a870c46fce179b
Instruction ID: e1444a62de6b1be16e327506870fdf2879a1c064594d98d60130935c5a2de2c2
Opcode Fuzzy Hash: e427018f222e4d34c53a5640038a1b5f10b35c5e76ef0c4203a870c46fce179b
Instruction Fuzzy Hash: F22135719003098FDB10CFAAC4857EEBBF5EF49310F14C42AD559A7240DB79AA45CFA1

Function 04C607A8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C6082F

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a4967e3325436f78fcde57df61f22964a26c050d405379e848169cf9d79921be
Instruction ID: 60abed4476f72f55d89652b75c3544dc314a3ba41b9e0494e4185a736193c67e
Opcode Fuzzy Hash: a4967e3325436f78fcde57df61f22964a26c050d405379e848169cf9d79921be
Instruction Fuzzy Hash: 5E21E4B59002099FDB10CF9AD484ADEBBF5FB48310F14801AE919A3350D375A940CFA1

Function 04C6C018 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04C6C091

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 33e98615b15312b03f69c05408521dfb09ff32ea83d4674ddd4904dab736e457
Instruction ID: cc8a2087bc0fc6870e973c25d8640c1187d1789fd0386fc293063444863fc726
Opcode Fuzzy Hash: 33e98615b15312b03f69c05408521dfb09ff32ea83d4674ddd4904dab736e457
Instruction Fuzzy Hash: 4721E4B5C00219DFDB10CF99C984BDEBBF5FB48320F10842AE958A7250D375A544CFA5

Function 04C6C020 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04C6C091

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a08001d84bac0e26f56eb111bf7c637c25d0b55ded922b0891270a75fe3b0088
Instruction ID: d9345440da1b28891ab53f2361b106aef7a012019d7334e78e015eb4dfa00d89
Opcode Fuzzy Hash: a08001d84bac0e26f56eb111bf7c637c25d0b55ded922b0891270a75fe3b0088
Instruction Fuzzy Hash: 0D21C2B58003599FDB10CF9AD884BDEFBF8FB48310F10842AE958A3250D379A944CFA5

Function 04C6AFD0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C6B046

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 079df3f6b68ad0bce78d19bc08cedf3ee7bede82ec991ba380d54063de5d95f1
Instruction ID: 780ff67f3dc14fd5194746fdcc856bf111549890d824358604b1dbf4e9ab18fa
Opcode Fuzzy Hash: 079df3f6b68ad0bce78d19bc08cedf3ee7bede82ec991ba380d54063de5d95f1
Instruction Fuzzy Hash: 92114772800249CFDB10DFAAC845BDEBBF5EF88310F148419D516A7250D776A940CBA0

Function 04C6BF60 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 04C6BFD3

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0abefdfddeae42745fda4a5c249cef4e78b3fb384bad0b08a88dbecca002f429
Instruction ID: 3b6ba87187dfc5d2d1ce6cd168fe40ea79527cab264a99fdec2745f1e88d5d65
Opcode Fuzzy Hash: 0abefdfddeae42745fda4a5c249cef4e78b3fb384bad0b08a88dbecca002f429
Instruction Fuzzy Hash: 3E1126B58002598FDB10CF9AC484BDEFBF5EB88320F14C02AE459A3650E779A545CFA1

Function 04C6BF68 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 04C6BFD3

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a22581122cb4bbf50aa6e22023d852643adfe3c2384803dc8ac51e9ddeb7d249
Instruction ID: dc0855fad0c8fca21af5bec52f42d40149f948a866aef52d4339798faa0bc0ae
Opcode Fuzzy Hash: a22581122cb4bbf50aa6e22023d852643adfe3c2384803dc8ac51e9ddeb7d249
Instruction Fuzzy Hash: B11107B5D002598FDB10CF9AC844BDEFBF5EB88320F14C02AE459A3650E779A545CFA1

Function 04C6AFD8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C6B046

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f671295099fd0fe8a016511819d359c26d2534c3ef84c838dbcdd62e969dca98
Instruction ID: 237fb95db296802dfcca6d6261fd03e186ed1b228e31311d8fc5ee3af16af614
Opcode Fuzzy Hash: f671295099fd0fe8a016511819d359c26d2534c3ef84c838dbcdd62e969dca98
Instruction Fuzzy Hash: 5F1126768003499FDB10DFAAC845BDEBBF5EF48310F14841AE519A7250D77AA944CBA1

Function 04C6B090 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04C6B0FA

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 519a050d41fe264daf36993f73259e0dac2e8d94ac21213a3ce869a233bcc57b
Instruction ID: 03173b98c8bfd6e269050ee6988f81554bc7f63c3f0281f57d032eddbd5cb625
Opcode Fuzzy Hash: 519a050d41fe264daf36993f73259e0dac2e8d94ac21213a3ce869a233bcc57b
Instruction Fuzzy Hash: 6E1158B19003498FDB20DFAAC445BDEFBF5EF88310F14842AD51AA7240D77AA940CF94

Function 04C6B098 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04C6B0FA

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e14fabfa063d9d2f0c56b8f7c4f8edbef039e3ef8b78a4969778e24c1ebc5161
Instruction ID: f9ba70fec19496bc42a5954b7a6a5c235036e066b91ef0d617fa9a7e6432e500
Opcode Fuzzy Hash: e14fabfa063d9d2f0c56b8f7c4f8edbef039e3ef8b78a4969778e24c1ebc5161
Instruction Fuzzy Hash: 02113AB5D003498FDB10DFAAC4457DEFBF5EF88210F14841AD519A7240D779A944CF95

Function 04C64E50 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04C64EB5

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a2e15fefc039608bb70c1575be0622405726779938ee86a0789abc28f82a3f1e
Instruction ID: b0446f2254e62a1b97bc541e71c6a4f9fac116f2a5cd788fd56ffe0e5e0c8fa1
Opcode Fuzzy Hash: a2e15fefc039608bb70c1575be0622405726779938ee86a0789abc28f82a3f1e
Instruction Fuzzy Hash: AD1145B5800249CFDB10CF9AD584BDEFBF4EB48320F10851AD969A7740D375A944CFA5

Function 00CCE398 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CCE3FE

Memory Dump Source

Source File: 00000000.00000002.3809844051.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8a1e891f0d948054d3521c12312776f23d5dc65328408f03cdfc802a29ed1b88
Instruction ID: 17125c633d89fac21c000b2574438c9c140ba774fb871e25e2255298b85bbcd7
Opcode Fuzzy Hash: 8a1e891f0d948054d3521c12312776f23d5dc65328408f03cdfc802a29ed1b88
Instruction Fuzzy Hash: 5811E0B5C006498FDB14CF9AC444BDEFBF4AB89314F14842AD429A7610D379A545CFA1

Function 04C64E58 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04C64EB5

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f17b5d0a9c34d9c0387411fd940e32349e614386fc878cce9113c706b22802b2
Instruction ID: 0fc3a4a14e233f0adae0aa72a219ef33013dcfe8d8cc00d3214e4344f77d870b
Opcode Fuzzy Hash: f17b5d0a9c34d9c0387411fd940e32349e614386fc878cce9113c706b22802b2
Instruction Fuzzy Hash: 4B1112B58002498FDB10CF9AD585BDEFBF8EB48320F20841AD919A3740D375A944CFA5

Function 0082D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809033336.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca310b0e48bf688b4eb73eb2261c628b7e3068c25a600e8442e0cb6fea62634
Instruction ID: 09a3fc575482ee8bbec3b9cdfbf6dc2020224fbbe8717cf441a668483eb19f28
Opcode Fuzzy Hash: aca310b0e48bf688b4eb73eb2261c628b7e3068c25a600e8442e0cb6fea62634
Instruction Fuzzy Hash: 7C210471604744DFDB14DF10E9C0B26BF65FB84318F24C56DD80A8B2A6C73AD887CAA2

Function 0082D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809033336.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f37a7306599a8ee2452915b8207379d044a56c65c92e4fcf0a591253a41ac4
Instruction ID: fa2469ca2017a753d2249638e6b0618b649e395b0bb0010ec805059bf8dfc189
Opcode Fuzzy Hash: a8f37a7306599a8ee2452915b8207379d044a56c65c92e4fcf0a591253a41ac4
Instruction Fuzzy Hash: 5921D875504344DFDB14DF14E5C4B2ABF65FB88324F24C569D8498B382D37AE886CAA2

Function 0082D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809033336.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: bb784715d69eac7213798aecfc2f083fb50fdb9c0e5fc0f9291877ab3e3a2d00
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 82118E75504780DFCB15CF14E5C4B15BF61FB44314F24C6AAD8498B6A6C33AD84ACB61

Function 0082D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3809033336.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
Instruction ID: 600f0764d877001539065b071e86a0f52aaf79c31352c506cc4705cbd5c37cb1
Opcode Fuzzy Hash: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
Instruction Fuzzy Hash: 2111BF76504680CFCB11CF10E5C4B59FF61FB84324F28C6AAD8498B756C33AD84ACBA2

Non-executed Functions

Function 04C62F50 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cdfc3633182786c3101be4abb3c082667ca2620234b82bb5ffe07fd46b9265
Instruction ID: 2c83b08fab6bc152b4ddb02deb794e4639d4b1bb4cd1b894f9030256577c33e4
Opcode Fuzzy Hash: 45cdfc3633182786c3101be4abb3c082667ca2620234b82bb5ffe07fd46b9265
Instruction Fuzzy Hash: 5912A4B0C81745CAEB19CF25EA5C18D7BA1B78131CBD04A19D2651F2E1EBB4126EEF4C

Function 04C61094 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c23a30bb2c73b7c9c2c353c3cd09a0c89b545a92f617a7279d4c0519b80d74
Instruction ID: 3d2869945db70a7fd58aabca265e9331330bbce504fae2121e33aa3df77fac07
Opcode Fuzzy Hash: 55c23a30bb2c73b7c9c2c353c3cd09a0c89b545a92f617a7279d4c0519b80d74
Instruction Fuzzy Hash: BEA15D36E00219CFCF05DFA5C88059EB7B3FF85305B1985AAE806AB265DB31E955DF40

Function 04C69FE7 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da8e74cf32205546ca1405393eb94c58da505223460b167e7ca8ce353ea6e24
Instruction ID: d4396b32ab2a0ab087292f57ee12d7fc6da0656ca01aaca73e85b833be8d7465
Opcode Fuzzy Hash: 0da8e74cf32205546ca1405393eb94c58da505223460b167e7ca8ce353ea6e24
Instruction Fuzzy Hash: 73918134F00219DBDB08EBB5986477E77B7BFC9600B09C969D447E7388DE3A98019B91

Function 04C62F40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3811934155.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c60000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0295309ed88432ae1ffc52df3c542e95f3c6faf5f3b9ece7656c0b3f2c7f26
Instruction ID: e243dfe13731bd16108c544ad6c303f82a680db9ec973ad2fca40480f1df4338
Opcode Fuzzy Hash: de0295309ed88432ae1ffc52df3c542e95f3c6faf5f3b9ece7656c0b3f2c7f26
Instruction Fuzzy Hash: 90C12AB0C80745CBEB19CF25E95818D7BB1BB8131CF904A19D2652F2D1EBB4126EEF48

Analysis Process: Ziraat Bankasi Swift Mesaji.exePID: 3884, Parent PID: 1432COMMON

Executed Functions

Function 00C3B328 Relevance: 4.1, Strings: 3, Instructions: 351COMMON

Download Yara Rule

Strings

0o#p, xrefs: 00C3B562
Lj#p, xrefs: 00C3B6CF
Lj#p, xrefs: 00C3B6E5

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: f0d65accde821ff5054b1b091afb2664720745bedc97a2683c59360d98a6d1f1
Instruction ID: dcd366c3f55f7acff78ad3b6a7aa937c4c347c8ba3765048743b15b60dbe0713
Opcode Fuzzy Hash: f0d65accde821ff5054b1b091afb2664720745bedc97a2683c59360d98a6d1f1
Instruction Fuzzy Hash: 62E11974A10218CFDB14CFA9D984A9DBBB1FF89310F1580A9E919AB362DB31ED41CF54

Function 00C3C752 Relevance: 3.9, Strings: 3, Instructions: 191COMMON

Download Yara Rule

Strings

0o#p, xrefs: 00C3C7C2
Lj#p, xrefs: 00C3C945
Lj#p, xrefs: 00C3C92F

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: c26e21900457bbbc8ce26e3f3476566e8a755eff25dcf0b7c92261d1f1c57d01
Instruction ID: 0dbc8f39a72d0831386cfd28fe9571e016b4792fe33d735d3f92869b434810db
Opcode Fuzzy Hash: c26e21900457bbbc8ce26e3f3476566e8a755eff25dcf0b7c92261d1f1c57d01
Instruction Fuzzy Hash: 6581AF74E11218CFDB14DFAAD994B9DBBF2BF89300F258469E419AB265DB309941CF10

Function 00C3BBD2 Relevance: 3.9, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

0o#p, xrefs: 00C3BC42
Lj#p, xrefs: 00C3BDAF
Lj#p, xrefs: 00C3BDC5

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: f2a1f74173a5246833577de56663b0da8f6a921a6f6aa0805c50fecf1d860ad4
Instruction ID: d6fd3456b4f7189e81fd61d0b10ea62f7101fec1362095bd629a64cce03c3b3a
Opcode Fuzzy Hash: f2a1f74173a5246833577de56663b0da8f6a921a6f6aa0805c50fecf1d860ad4
Instruction Fuzzy Hash: EF819074E10218CFDB18DFAAD984A9DBBF2BF89300F248069E519AB365DB309D41CF10

Function 00C34AD9 Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 00C34CB8
Lj#p, xrefs: 00C34CCE
0o#p, xrefs: 00C34B4A

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 1c10765274766f2fb96be874abf8c9f1005a021ae2e7bd4bab8aa7e9519185b5
Instruction ID: ff8a843eeacf90af84d1498fb3d6e93e8bff57b35de44173366619fca5feeb6a
Opcode Fuzzy Hash: 1c10765274766f2fb96be874abf8c9f1005a021ae2e7bd4bab8aa7e9519185b5
Instruction Fuzzy Hash: DE81A174E11218CFDB18DFAAD984B9DBBF2BF89301F149069E419AB365DB34A941CF10

Function 00C3C190 Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 00C3C385
Lj#p, xrefs: 00C3C36F
0o#p, xrefs: 00C3C202

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 87eb6dd9d26480842e68182af5ffc20bf5464793bd53a17081ac953a62adec72
Instruction ID: b83a304f78f06d4ab1abd878aa114e5f5424ca92815481121815c444334ad133
Opcode Fuzzy Hash: 87eb6dd9d26480842e68182af5ffc20bf5464793bd53a17081ac953a62adec72
Instruction Fuzzy Hash: 3A819E74E10218CFDB54DFAAD984A9DBBF2BF89300F25C06AE419BB265DB349941DF10

Function 00C3CA32 Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 00C3CC0F
Lj#p, xrefs: 00C3CC25
0o#p, xrefs: 00C3CAA2

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 6ed23beb1ca1996efa001a9d94f3ee2154f3389ff5c9868d69ea29d669a4cad9
Instruction ID: af2e4034ac1d54f24600c2b91b39c63a3a125d2b73ecc03cccd1f31268ad7c74
Opcode Fuzzy Hash: 6ed23beb1ca1996efa001a9d94f3ee2154f3389ff5c9868d69ea29d669a4cad9
Instruction Fuzzy Hash: F9819F74E10218CFDB14DFAAD984A9DFBF2BF89300F149069E819AB365DB349941DF10

Function 00C3C473 Relevance: 3.9, Strings: 3, Instructions: 184COMMON

Download Yara Rule

Strings

0o#p, xrefs: 00C3C4E2
Lj#p, xrefs: 00C3C64F
Lj#p, xrefs: 00C3C665

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 7f19410ec7f4cd48d9d047130a77d363d86728d7092da986134d6e39de9fecd9
Instruction ID: 5f8ff18154e44b106dcdb27c6f3c54ee6e8b9be54726dd2d457db8caba513435
Opcode Fuzzy Hash: 7f19410ec7f4cd48d9d047130a77d363d86728d7092da986134d6e39de9fecd9
Instruction Fuzzy Hash: 23818074E10218CFDB14DFAAD984B9DBBF2BF89301F249069E419AB365DB349941DF10

Function 00C3BEB2 Relevance: 3.9, Strings: 3, Instructions: 184COMMON

Download Yara Rule

Strings

Lj#p, xrefs: 00C3C0A5
0o#p, xrefs: 00C3BF22
Lj#p, xrefs: 00C3C08F

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: a829f7f0b9ffe3f107e689f2e744b559c9c5c00046780605e8c9077cc4e2be66
Instruction ID: 689739f3e49d4625d6622df592832886354f766f13792b8420a8ce8e44ee69c1
Opcode Fuzzy Hash: a829f7f0b9ffe3f107e689f2e744b559c9c5c00046780605e8c9077cc4e2be66
Instruction Fuzzy Hash: 97818074E10258CFDB18DFAAD984A9DBBF2BF89300F14C06AE419AB365DB319941DF50

Function 00C3B4F2 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

0o#p, xrefs: 00C3B562

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p
API String ID: 0-2085137917
Opcode ID: 03c8ac150b4ae7d5e7c7837fa0c4d3c71d92d75feec43495fe0d4d6578eb0db3
Instruction ID: cad0f1ce581c05c22d7da0eb02b9643b95079e456b826f02307fa1ab88da74e4
Opcode Fuzzy Hash: 03c8ac150b4ae7d5e7c7837fa0c4d3c71d92d75feec43495fe0d4d6578eb0db3
Instruction Fuzzy Hash: 6661B174E106089FDB18DFAAD984A9DFBF2FF89300F148069E519AB365DB345942CF10

Function 00C39858 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62df6658765d3648bfb3671dfff4a817a48da0b28bfbff5f725c67fff5284f34
Instruction ID: 083f44cfe17e211005314221171a95660c2b78ba57ca3faac0142e6953a1043b
Opcode Fuzzy Hash: 62df6658765d3648bfb3671dfff4a817a48da0b28bfbff5f725c67fff5284f34
Instruction Fuzzy Hash: C5728C70A10209DFCB15CF68C984AAEBBF2FF88300F158559E856AB3A1D770ED51DB61

Function 066911A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfe83de7c229afdc365fcda0fb3af5bfadd68a1e851afd95dcdf6e1c4b36096
Instruction ID: 938039868fe3543f95396945fc0091669ac0073182ff56c0e5ef55ec53d99a3f
Opcode Fuzzy Hash: 0cfe83de7c229afdc365fcda0fb3af5bfadd68a1e851afd95dcdf6e1c4b36096
Instruction Fuzzy Hash: 8E827E74E012288FDB64DF69DD98BDDBBB2BB89301F1081E9980DA7260DB345E81DF41

Function 00C3F007 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5636853d138c3d23a0c9a64f02356b75d8303499dcd1cc71bfc280ed3f7c1786
Instruction ID: 8ce31b1c549b4bbb06ee2f90d8bdc39a35a0fdcbea1d5c88cdf8ca97c9bcb3cc
Opcode Fuzzy Hash: 5636853d138c3d23a0c9a64f02356b75d8303499dcd1cc71bfc280ed3f7c1786
Instruction Fuzzy Hash: B072BF74E01228CFDB64DF69D980BEDBBB2BB49300F2485E9D449A7255DB349E82CF50

Function 00C36108 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287e2ce62e8aeadba3d1254a32205e2b33a5c1f610d29556d996e53c696d8360
Instruction ID: e76c57c45b82dd3b50ce26ace85e557fb1a753c2cfbbfe935d9746f5f38d2081
Opcode Fuzzy Hash: 287e2ce62e8aeadba3d1254a32205e2b33a5c1f610d29556d996e53c696d8360
Instruction Fuzzy Hash: 92128D70A002189FDB14DFA9C954BAEBBF6FF88304F208569E416EB391DB349D41DB90

Function 00C36730 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093a7e4f056adccc9237be5f92dcb6a59990eb66e67625abf51e4a5852491c04
Instruction ID: f661fca50b67dced0da184afd0ac88cb6922dc1dcbd127221900ce464d39bb24
Opcode Fuzzy Hash: 093a7e4f056adccc9237be5f92dcb6a59990eb66e67625abf51e4a5852491c04
Instruction Fuzzy Hash: 76023970A10209EFCB15CFA9D988AAEBBB2FF89304F15C069E455EB261D730ED41DB51

Function 06698608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3339ba2bb4fb42b9b9cfcb91b42ad0657fa02b7a9e8c3233dc08ef7fc1915e6b
Instruction ID: 78c3e42fca5d3fba94048bc80697eee8ec4ce25179ad0d3328bfe18abadf2caa
Opcode Fuzzy Hash: 3339ba2bb4fb42b9b9cfcb91b42ad0657fa02b7a9e8c3233dc08ef7fc1915e6b
Instruction Fuzzy Hash: ACE1E274E01218CFEB54DFA5D844B9DBBB2FF89304F2081AAD809AB395DB355A85CF10

Function 04F8D7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d44c5be50f40ed7834fdb4ce632d5fcc9afcbc929cfd69ef0aa103a4850882e
Instruction ID: 08d4b8095e5a85a64320a9489aed5875eea13b18192a4345a4aad5f162670ed8
Opcode Fuzzy Hash: 3d44c5be50f40ed7834fdb4ce632d5fcc9afcbc929cfd69ef0aa103a4850882e
Instruction Fuzzy Hash: 11C1B174E01218CFDB14EFA5D944B9DBBB2FF89304F1081A9D409AB395DB349A82CF50

Function 06697900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2c3d2ce2d7ba33497c8452ffc39582c61b48fce3b895fdae76cd860d8cd366
Instruction ID: d288d9ca0761f934d2528f2d582e386dd632962e37348e7bdafbced09ce65401
Opcode Fuzzy Hash: 2e2c3d2ce2d7ba33497c8452ffc39582c61b48fce3b895fdae76cd860d8cd366
Instruction Fuzzy Hash: 9DC1B074E00218CFEB54DFA5D984B9DBBB2FF88304F2081A9D809AB355DB359A85CF50

Function 0669D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a9000d52d419fe1268f9b5161773667a13abbb4c2083c65a5655140e3cd2f3
Instruction ID: f8a0d9348913622d9ea1185ba9cfa7fef020291cea445a9524f02d638ad502a3
Opcode Fuzzy Hash: 79a9000d52d419fe1268f9b5161773667a13abbb4c2083c65a5655140e3cd2f3
Instruction Fuzzy Hash: 56A1A270E016189FEB68CF6AD944B9DFBF2AF89300F14C0AAD40DA7255DB745A85CF60

Function 0669B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6eef530e721dbedc60451249a621796582d5a72a31ad5291c5acb948437444
Instruction ID: cf598fdebe00d695d9908a46bdf9150ea442fbc4306ab2e91bbf3cc8693242f5
Opcode Fuzzy Hash: ef6eef530e721dbedc60451249a621796582d5a72a31ad5291c5acb948437444
Instruction Fuzzy Hash: 34A19574E012188FEB68CF6AD944B9EFBF2AF89300F14C0AAD40DA7255D7745A85CF60

Function 0669C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e520ead0a3449aadb66daf24c3ebe674d0b66f57c00b4efdbaed5e7941c27fb9
Instruction ID: 11b1f616be84c3174a13bccda885d62fdc9892e9446e3ad1cf8ff63ed609230c
Opcode Fuzzy Hash: e520ead0a3449aadb66daf24c3ebe674d0b66f57c00b4efdbaed5e7941c27fb9
Instruction Fuzzy Hash: E7A19475E012188FEB68CF6AD944B9DFBF2AF89300F14C0AAD40DA7255DB745A85CF60

Function 0669A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb349ed3262deea2be742ede13b0e7e0d70339ca40486eafbdf0df8f0cdd521a
Instruction ID: 9601b11fe4ce5f63086faea8400245bf46f3c644f0de9c6af34b00948a7238ab
Opcode Fuzzy Hash: eb349ed3262deea2be742ede13b0e7e0d70339ca40486eafbdf0df8f0cdd521a
Instruction Fuzzy Hash: 8EA19374E012188FEB68CF6AD944B9DFBF2AF89300F14C0AAD409A7255DB345A85CF61

Function 0669BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3207f4d5048b9f9b44516ab4d107efac835d4ec654d9a522b3d4d47a6b4f1d
Instruction ID: 97a093f29f945345bebfa9b4ade239266ead5115abc8056cd91390f673202adc
Opcode Fuzzy Hash: ce3207f4d5048b9f9b44516ab4d107efac835d4ec654d9a522b3d4d47a6b4f1d
Instruction Fuzzy Hash: B4A19474E012188FEB68CF6AD944B9EFBF6BF89300F14C0AAD409A7255D7345A85CF61

Function 0669C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b7411883727c2a972eafb9259096a3640902508fbc437d5ff31eedcad418a3
Instruction ID: 35c8bbdc392cb633101242293165aecda708e1482cb328555c49b14bb2ebb6a8
Opcode Fuzzy Hash: c8b7411883727c2a972eafb9259096a3640902508fbc437d5ff31eedcad418a3
Instruction Fuzzy Hash: 8FA19474E012188FEB68CF6AD944B9DFBF2AF89300F14C0AAD40DA7255DB345A85CF60

Function 0669AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c9997800e817e1e0466ee9290649b481a5fbc765134f249952ddd25cd3ec33
Instruction ID: b72b7ec648aceb2779fd5b52133193db30d26204d33696aa198a2eb2f32d57c0
Opcode Fuzzy Hash: 24c9997800e817e1e0466ee9290649b481a5fbc765134f249952ddd25cd3ec33
Instruction Fuzzy Hash: 14A19474E01218CFEB68CF6AD944B9DFBF2AF89300F14C1AAD409A7255DB745A85CF60

Function 0669D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f4917039597a34c3754bf6788d7067394b14aecd1afcdcdac277b0217b9926
Instruction ID: 1eed3ec2d77c110edb49f08982354850cfce1a6a4ea0309b47eb24568abb9e62
Opcode Fuzzy Hash: 34f4917039597a34c3754bf6788d7067394b14aecd1afcdcdac277b0217b9926
Instruction Fuzzy Hash: 54A19475E016188FEB68CF6AD944B9DFBF2AF89300F14C0AAD50CA7255D7345A85CF60

Function 0669B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c215600262032af265eff66d7986a85ee8e42dc7ffd33d3e2445d3330f472c3
Instruction ID: 276b1d95a711c620a80936bb08260cec5f00217255c59c142cf74f2e8682f5de
Opcode Fuzzy Hash: 8c215600262032af265eff66d7986a85ee8e42dc7ffd33d3e2445d3330f472c3
Instruction Fuzzy Hash: DEA19574E012188FEB68CF6AD944B9EFBF2AF89300F14C1AAD409A7255D7345A85CF50

Function 0669B08F Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88be51024225e251f46c2b35631550810fadb54d1692370e0d6c53d0da5007fd
Instruction ID: b2eb5801098b82a7d1feed7ab3f898ca1bacd1d92b83efa9b278388e1b5b61a8
Opcode Fuzzy Hash: 88be51024225e251f46c2b35631550810fadb54d1692370e0d6c53d0da5007fd
Instruction Fuzzy Hash: 7191FAB1D052588FEB28CF6AD884BD9BBB2FF89304F14C0EAD408AB255D7311A85DF51

Function 06698C51 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ebdb994942196422e5e9161ad9f025ecb63b31c69e08b04f49ebfb97924308
Instruction ID: beec354e716e26168fd20be4c9e794698ecd5ae377e8ffd478783d7f5ad8c4a1
Opcode Fuzzy Hash: 01ebdb994942196422e5e9161ad9f025ecb63b31c69e08b04f49ebfb97924308
Instruction Fuzzy Hash: 3981EF74E01218CFDF58CFAAD854BADBBB2BF89300F20816AD819AB354DB345946CF50

Function 0669AA48 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc42b03b5e16a23c2f36b3524c56197a5a0b195519788e2d2f7cd4bac9f3acb5
Instruction ID: 6d37e1388cb7195e087c92de72bb91498d9ed844284b0205711b7e18806f483f
Opcode Fuzzy Hash: cc42b03b5e16a23c2f36b3524c56197a5a0b195519788e2d2f7cd4bac9f3acb5
Instruction Fuzzy Hash: 12718571E016188FEB68CF6AC944B9DFBF2AF89300F14C1AAD40DA7255DB745A85CF50

Function 0669D018 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ed1580f9e563e0f18b3416e1b5e7edc1710df9359b35d716aa9295482035ff
Instruction ID: fa0b3794de294a332f4b41b1dc02aaf28a0763189c75aba6e90d481a3f413497
Opcode Fuzzy Hash: 51ed1580f9e563e0f18b3416e1b5e7edc1710df9359b35d716aa9295482035ff
Instruction Fuzzy Hash: A0718671D016188FEB68CF6AC944B9DFBF2AF89300F14C0AAD40DA7255DB345A85CF51

Function 066985F8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6925bfbd623d7acbf28d4dde541a7fbc5bd35d772f2519b0f1b1bd8a0669177
Instruction ID: 0a4588091c25784f18b5a1a77c050bd13ac046b85a050525e9dbb2f470c43c58
Opcode Fuzzy Hash: f6925bfbd623d7acbf28d4dde541a7fbc5bd35d772f2519b0f1b1bd8a0669177
Instruction Fuzzy Hash: C841F3B0D002088FEB18DFAAD8447DEBBF2AF89300F14C16AC418BB294DB751946CF64

Function 0669C9C8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4da4616468e0e8a12a7252b984ffee4d4b579fab6a888a08562732eadda8445
Instruction ID: f5660180959949c5742f12f35649938aa98c55345b880a8021bc530ab17884ff
Opcode Fuzzy Hash: a4da4616468e0e8a12a7252b984ffee4d4b579fab6a888a08562732eadda8445
Instruction Fuzzy Hash: 185178B1E016189BEB58CF6BDD457D9FAF3AFC9310F04C1AAC50CA6264DB740A868F51

Function 0669A3F8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f068d36377a023f045dba2bd0cd0ae73256142762edf78de801537c0b48ffda0
Instruction ID: 1c2e9b13d4067234b30b5d01daf483f10a2475b021ba3ce245998ea36a83221b
Opcode Fuzzy Hash: f068d36377a023f045dba2bd0cd0ae73256142762edf78de801537c0b48ffda0
Instruction Fuzzy Hash: 094158B1E016188FEB58CF6BC9457DAFAF3AFC8300F14C1AAD50CA6265DB740A858F51

Function 0669C378 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20ead3a8cc8fd478d823b681d6bebf00f9b826f238559bb083c830ae9e5f3f8
Instruction ID: 65f2ae7afcb781932221f2d1134cafd9fa6dfa89be8ba6494eb2f83dc9a9756f
Opcode Fuzzy Hash: e20ead3a8cc8fd478d823b681d6bebf00f9b826f238559bb083c830ae9e5f3f8
Instruction Fuzzy Hash: 164189B1D016189BEB58CF6BCD457CAFAF7AFC9300F04C0AAD50CA6254DB741A868F64

Function 0669BD28 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ce4ddadae55ad1db94809aa5c941219005a8b7efae00f549ff331d31f03127
Instruction ID: a9466f775ef425419e57424179f83c0dc7f86ca3b615451ba786dbf33126ce99
Opcode Fuzzy Hash: c7ce4ddadae55ad1db94809aa5c941219005a8b7efae00f549ff331d31f03127
Instruction Fuzzy Hash: A6416AB1D016188BEB58CF6BDD457CAFAF7AFC9300F14C1AAC50CA6255DB740A858F54

Function 0669D662 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd04c927030e6d907d262ccc8ba7daf9d6e741b8727d8e107fa8aa5a47c56030
Instruction ID: 9232cc8354a1ea8807f5a61ea521f2af90880199ada04fc35ed48c2e7ecd044b
Opcode Fuzzy Hash: cd04c927030e6d907d262ccc8ba7daf9d6e741b8727d8e107fa8aa5a47c56030
Instruction Fuzzy Hash: EF4157B1E016189BEB58CF6BCD457CAFAF3AFC9300F14C1AAC50CA6265DB740A858F50

Function 0669B6D9 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f154c77b5c3fd6b37f0f3fc580af3433c8a8546faf1910c4981d1d7310e3fa3
Instruction ID: 4b69562803850764e5bdabbd4cb3eaf96a82e94ca1df17045eeb1476b228e719
Opcode Fuzzy Hash: 7f154c77b5c3fd6b37f0f3fc580af3433c8a8546faf1910c4981d1d7310e3fa3
Instruction Fuzzy Hash: 2C4158B1D016188BEB58CF6BDD557DAFAF3AFC9300F14C1AAC50CA6264DB740A868F51

Function 04F8D798 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c99f30fb45c404b6287f01c7ebca151309593731d3079029d0cc63d1863486
Instruction ID: 62a87a2a3eeee9430e22c0d32da5ea02f9d0caa589df3556c94b70af7abae79b
Opcode Fuzzy Hash: c0c99f30fb45c404b6287f01c7ebca151309593731d3079029d0cc63d1863486
Instruction Fuzzy Hash: C941F571D01248CBEB18DFAAD8456EEFBF2AF88300F24C12DC415AB299DB345946CF40

Function 066978F0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe46e427205ce8c6d42da0e3fb7c32cf6bca1d76ec637778d84f4fecfbd7c717
Instruction ID: 04d280351202570a14d1e90b9c84b5ebeadaf3c41c750ebed7d8d653cd47f9e9
Opcode Fuzzy Hash: fe46e427205ce8c6d42da0e3fb7c32cf6bca1d76ec637778d84f4fecfbd7c717
Instruction Fuzzy Hash: 4841E271E01248CFEF58DFAAD9406AEBBF2AF89300F24D12AC815AB254DB345946CF50

Function 00C377F0 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18615fcc21d4975502e548e3e68fdffbb15ffb0b96f8f90d5e61fde1404ae0b5
Instruction ID: 4dcf2596b3a2f31f652450f224c0bf96a52f67be9ef5742af7680d670b271326
Opcode Fuzzy Hash: 18615fcc21d4975502e548e3e68fdffbb15ffb0b96f8f90d5e61fde1404ae0b5
Instruction Fuzzy Hash: 86520E34A003188FEB55DBA0D860BAEBBB2FF49300F1480A9D11A6B7A5CF359E45DF55

Function 00C387E9 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edff836dbffcc1e6ae6483260ebe5c25057937115550344c815e1db05f3c5b6b
Instruction ID: c1e76fdf8e1545be3849e9e7078a4d75d5e38071dde43a339b0fa5723eeeb173
Opcode Fuzzy Hash: edff836dbffcc1e6ae6483260ebe5c25057937115550344c815e1db05f3c5b6b
Instruction Fuzzy Hash: 6BF19D703243028FDB159B39C968B3977A6AF85704F2840AAF552CF3E1EE29CD49E751

Function 00C36E58 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72af83f579010792308ab13e116a208d44e26c5fe74d0a581e4736cc64f4149e
Instruction ID: d3a24dfc0b72bfb5e7112dedd27e410ffb5c353d21083f826b5057798f7143f7
Opcode Fuzzy Hash: 72af83f579010792308ab13e116a208d44e26c5fe74d0a581e4736cc64f4149e
Instruction Fuzzy Hash: C9126A70A14209DFCB24CFA9D984E9EBBF2BF48314F158699E819DB261DB31ED41CB50

Function 00C3A818 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31fc3a613290b30a8ddaa33f9511ad524348fe1b9410dcab383d3a33c542cf5
Instruction ID: 8179b945ff1cc450e97e28a3de84668a5968e5a6f630af6db3f457e1faaee9b1
Opcode Fuzzy Hash: b31fc3a613290b30a8ddaa33f9511ad524348fe1b9410dcab383d3a33c542cf5
Instruction Fuzzy Hash: AFF11B75A102188FCB04CF6DD984AADBBF2FF88314F1A8069E455AB361CB35ED51CB51

Function 00C30C8F Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a28ce5fbd710c95aed97738adb1acc42be5a7ec9203521fbfc90b01375bd8f6
Instruction ID: 13ffb763c9f5aa409806040b5d92ca03c37b87824304e99f17e8e0880d762803
Opcode Fuzzy Hash: 8a28ce5fbd710c95aed97738adb1acc42be5a7ec9203521fbfc90b01375bd8f6
Instruction Fuzzy Hash: 5922927490021ACFCB54EF64ED95B9DBBB2FF48301F1086A9D409A7369DB306946DF81

Function 00C30CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efc88dd857e9e4ccde6066be6779f567163e74d6a2be148716e50c51db24ba0
Instruction ID: c9d9cbc507e7c7db95c1d8caab5ebc9d658a4d19d384734b8e6ef779a161a1b5
Opcode Fuzzy Hash: 7efc88dd857e9e4ccde6066be6779f567163e74d6a2be148716e50c51db24ba0
Instruction Fuzzy Hash: FE22827490021ACFCB54EF64ED95B9DBBB2FF48301F1086A9D409A7368DB306986DF91

Function 00C356A8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254d81513c5e9326c5c1ba230e7ba81c244a184ef245e48b58101a198333b344
Instruction ID: a4474b181aa14f6998e12b32d6e7336af50ec3dd3a929039f5e814b6345254a3
Opcode Fuzzy Hash: 254d81513c5e9326c5c1ba230e7ba81c244a184ef245e48b58101a198333b344
Instruction Fuzzy Hash: EFB1EB30718618CFDB159F78C998B3A7BE2AF89310F148929E456CB391DB78CD42E791

Function 066923E0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b1d4bd50fb2c752e7842bb3290e16a90df5d288f1acf274365bbdd0e9229c4
Instruction ID: 7287f22997d581e289b60f9a7ce5c5fbebff1e6d2737610ca69d353743dcdaac
Opcode Fuzzy Hash: f2b1d4bd50fb2c752e7842bb3290e16a90df5d288f1acf274365bbdd0e9229c4
Instruction Fuzzy Hash: 9581C334B201059FDB44DF78D864A6E77F9EF89600B1581A9E805DB3B5DB30DD02CBA0

Function 00C35C08 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b21c8721e95b894829cec302733793e28309e9d8ecb05130de82bdb8034de3
Instruction ID: 982a06871c3522d0538eb3c04414240f61352e15e06ce1268d97a2aa7b0b4925
Opcode Fuzzy Hash: f1b21c8721e95b894829cec302733793e28309e9d8ecb05130de82bdb8034de3
Instruction Fuzzy Hash: 1D81A030B24A05CFCB14DF69C988AAAB7F2BF89305F248169D416EB361D735ED41CB90

Function 06699510 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0cd09c3fd831064275f428fa44a91baa9bda6ef3d502757ad2b6ac36d66ccf
Instruction ID: 015c086d0ebbe75105926562ff703dceb87a57b9b3f62f6f7b27f84050bdfee2
Opcode Fuzzy Hash: 1b0cd09c3fd831064275f428fa44a91baa9bda6ef3d502757ad2b6ac36d66ccf
Instruction Fuzzy Hash: 4171A131F002189BEF55DFA9D8506AEBBF6AF89700F18452AE405BB380DF749D42C7A5

Function 00C37438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c96977fdc4cb77554d436bf8ce9329e113ce0839f984015fc5ce0dfea74d89
Instruction ID: e4cf21d04cce08c1c1e663044de6d211165528c2cca06017806a801ba6704873
Opcode Fuzzy Hash: 40c96977fdc4cb77554d436bf8ce9329e113ce0839f984015fc5ce0dfea74d89
Instruction Fuzzy Hash: 2A712874718605CFDB28DF29C899AA97BF5AF49300F1541A9E812CB3B1DB70ED41DB90

Function 06691191 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d53662d665283c44590d1f8a7c49dfae256420e466ef2b27ef5edea6c853ae
Instruction ID: ca254af9e87fa2b616bbf40337f39783d1d86dead347e2702248759d18b24534
Opcode Fuzzy Hash: 42d53662d665283c44590d1f8a7c49dfae256420e466ef2b27ef5edea6c853ae
Instruction Fuzzy Hash: CF81B374E412299FDB64DF29DD91BEDBBB6BB89300F1081EAD809A7250DB305E81DF40

Function 00C3CEC7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6b041a9be470e85e476d0ad9f00aa3c08b2c5a95add3619f3d6d8fd7497756
Instruction ID: 3709b76d4400f4c4937cb9a2effae915ae1421bdb1f5296cf7c14cdf1d350e70
Opcode Fuzzy Hash: 8e6b041a9be470e85e476d0ad9f00aa3c08b2c5a95add3619f3d6d8fd7497756
Instruction Fuzzy Hash: 1551C33002174A8FC3546F20AEAEA6EBBA4FB4F3177056E64A14E870319F755445EA12

Function 00C3CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b79d39a0ed00ce347d70c71779248dbfcdea4eeed2e6df051f1b3db26fc7f4
Instruction ID: 1e4c7493bac37d14100196d2c69212dd592de29ba5f7851ba06aa281242420a6
Opcode Fuzzy Hash: 69b79d39a0ed00ce347d70c71779248dbfcdea4eeed2e6df051f1b3db26fc7f4
Instruction Fuzzy Hash: 1D51A27002174B8FC3587B20EEAEA6EBB64FB4F3177456E24A14E830359F715445EA26

Function 00C3E2D9 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f397d087bc087269326a5fd6151c4d184d0126d870f65518705da23daa9dadf
Instruction ID: abed65ffaac02da6e0a2bf5a41cec9b5614a93273befe141d5d27bf92d52d85e
Opcode Fuzzy Hash: 3f397d087bc087269326a5fd6151c4d184d0126d870f65518705da23daa9dadf
Instruction Fuzzy Hash: 29612074D11218CFDB15DFA4D898BADBBB2FF88300F208529E806AB395CB355A46DF40

Function 00C338F9 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28965c295573b0dc52b14e98fd8c243519efd3530123b5f4a5d8003ca97b5e98
Instruction ID: c7ab9436b4e134648985342d2a8fa5862aa1367217d31741c7e2647f17303a20
Opcode Fuzzy Hash: 28965c295573b0dc52b14e98fd8c243519efd3530123b5f4a5d8003ca97b5e98
Instruction Fuzzy Hash: E951A475E01208CFCB08DFA9D99499DBBB2FF89301B248569E805BB364DB31A946DF50

Function 00C3CD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0c7996b96714105cee268b3a94a471ffa7ae7290e2d02dde6f9519633a3f4e
Instruction ID: 5b261b73009d0ed02a38ffcfae622eb2c9248b002ac3c2e6cc96d04fc5f866db
Opcode Fuzzy Hash: dc0c7996b96714105cee268b3a94a471ffa7ae7290e2d02dde6f9519633a3f4e
Instruction Fuzzy Hash: A851A474E01208DFDB54DFA9D984A9DBBF2FF89700F24806AE415AB365DB30A901CF10

Function 0669DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685a41870b58d97d5b9d090744650ed7ebf85e4d1e906c718a6f24d8df3c0e87
Instruction ID: ae547681813c2d097b6e9b3e51a28207cfdd2a18b97ae2984581edaeca363e4b
Opcode Fuzzy Hash: 685a41870b58d97d5b9d090744650ed7ebf85e4d1e906c718a6f24d8df3c0e87
Instruction Fuzzy Hash: 8B413A31901719DFDB14AFA0E86C7EEBBB5EB4A312F104969D542632D0CBB90A45CFA1

Function 00C33908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a4d5475054e508c4a020ab9e6721eae78258efcd762b10eb4ffa9190643a4a
Instruction ID: 96b331ddd5d002070848913abe6dbcf658d9b3ead4b7949f249852b617f7b475
Opcode Fuzzy Hash: f6a4d5475054e508c4a020ab9e6721eae78258efcd762b10eb4ffa9190643a4a
Instruction Fuzzy Hash: 6E519275E01208CFDB08DFA9D89499DBBB2FF89301F208569E805BB364DB31A946DF50

Function 00C39A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1decfd739f7a624b7d46aa8c49ba1ecf6454f5683de6e4c229ae5c885ccbf970
Instruction ID: e2f1263e331c0107d5136a4966be1963fa98dc433aa2de6c789e2dd477ea21db
Opcode Fuzzy Hash: 1decfd739f7a624b7d46aa8c49ba1ecf6454f5683de6e4c229ae5c885ccbf970
Instruction Fuzzy Hash: 0151CF31A14249DFCF11CFA4D844A9EBFB2EF89314F148156E855AF2A1D3B0ED51DBA0

Function 00C3A650 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e278a41ae03e41a9efbe14ec1ac777e004922bb06218557f26b57162d31045b
Instruction ID: 692510890831e42fae34840259fc9d0efe8aba343900d9617d5d3466bc80f808
Opcode Fuzzy Hash: 2e278a41ae03e41a9efbe14ec1ac777e004922bb06218557f26b57162d31045b
Instruction Fuzzy Hash: 154116357042089FCB159B75D955AAE7BF6BFC9310F18806DE546E73A1CE318C02D7A1

Function 06699500 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3613faa86a14c00ec3849429361d4a6f93f809e43cc2732aeaf39b1e7655c46
Instruction ID: 603967b7fc488132aa8e259308a2f919398e78afe9d6b13db0575927a2e41936
Opcode Fuzzy Hash: c3613faa86a14c00ec3849429361d4a6f93f809e43cc2732aeaf39b1e7655c46
Instruction Fuzzy Hash: 2C414531E002199BEF54CFA5C890ADEBBF5BF84710F188229E815B7384DB70A945CBE0

Function 06699A49 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458e720f23ba5dfee18202d1d25470a12f814cfbafad3571076a01f88f2e6d5e
Instruction ID: 09eb25ce8ce114d93b66edffd447e16efe5e609f4effd9faf1a6be5225c676b1
Opcode Fuzzy Hash: 458e720f23ba5dfee18202d1d25470a12f814cfbafad3571076a01f88f2e6d5e
Instruction Fuzzy Hash: 9441EE74E01208CFCB44DFA9D994BEDBBB2EF48304F14852AD805AB394DB346A46DF50

Function 00C3D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9aa192eace581ba734d00ce9aa9fe324ed0124de4cf76c8e2a17faf0d6b88e
Instruction ID: a2a7dcaefac67a1f9286c5955a4b8000035aec711805a1a688c8234e92b7a926
Opcode Fuzzy Hash: ab9aa192eace581ba734d00ce9aa9fe324ed0124de4cf76c8e2a17faf0d6b88e
Instruction Fuzzy Hash: FD414774D24208CFCB14DFA9E885BEDFBB2FB4A301F208119E41AA7298D7749842DF55

Function 00C33428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a938b885db2be8f10775f2eb14db4f6c5e2fff8a055ca4de8b18ba43e5229f0
Instruction ID: b1e3dda43667713549b8b59c3f31d4709ba2106615fb6f5f164588778298c8f0
Opcode Fuzzy Hash: 4a938b885db2be8f10775f2eb14db4f6c5e2fff8a055ca4de8b18ba43e5229f0
Instruction Fuzzy Hash: 01314B317203558BEF189BB6499433EA6EAFBC4350F144039D826D7390DF75CF019661

Function 00C3D7F1 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129b44ff8cc31474cde61016c2ef5f95b6305bb2755d8a73ce2067f472d229a7
Instruction ID: 0a5e9ea7ba8f3a04114a97fd5faf7ce6827dadf6379978ecd56c45b19616faa3
Opcode Fuzzy Hash: 129b44ff8cc31474cde61016c2ef5f95b6305bb2755d8a73ce2067f472d229a7
Instruction Fuzzy Hash: 61413574D14208CFCB04DFA8E884AEDFBB2FB4A301F218519E41AA7295D7749842DF95

Function 06699A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f686e142cb6872a6714867d9fc298fe4e9e4a0dc35cba7d3a086d304e823571a
Instruction ID: 57c9e875344eb661982aa91fe8a56c335e73074bc343a8106d5de5896e0674d5
Opcode Fuzzy Hash: f686e142cb6872a6714867d9fc298fe4e9e4a0dc35cba7d3a086d304e823571a
Instruction Fuzzy Hash: 4441BE74E01208CFDB44DFA9D994AEDBBF2EF49304F14852AD805AB394DB785A46CF50

Function 00C3D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb36f1887dfa1906049af2eaad8d1d692f1b30e2e7ff79c6151a3b3fef80ab69
Instruction ID: 1548fefcbda635cf0a57713d81db4ca07b5bc8c3658faede89bf0f43649ed0f6
Opcode Fuzzy Hash: fb36f1887dfa1906049af2eaad8d1d692f1b30e2e7ff79c6151a3b3fef80ab69
Instruction Fuzzy Hash: 69411570D14208CFDB04DFA8E884AEDFBB1FB4A301F209519E41AA7295D7749882CF94

Function 00C3D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7579e4ec78480c9226934e8d3cc2393814a978bc876009f28af45e8f55740e77
Instruction ID: 0c978cb9f5dc29302922c2b14127348829018580496d3f5d1c3b11b664cb9ce8
Opcode Fuzzy Hash: 7579e4ec78480c9226934e8d3cc2393814a978bc876009f28af45e8f55740e77
Instruction Fuzzy Hash: AC412770D10208CFDB08DFAAE845ADEFBB2BB89301F24D529D415B7255DB749842DF94

Function 00C34DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d8738d3e8d5876b6c49dfd0f33214f6f50a18a0db3976098e2bb72d437d35b
Instruction ID: ddf53a506786b981d0150d5a8d3834cb9aa29c6e038b6120d128c530e169febd
Opcode Fuzzy Hash: 43d8738d3e8d5876b6c49dfd0f33214f6f50a18a0db3976098e2bb72d437d35b
Instruction Fuzzy Hash: 4831A13120420E9FCB09AF64D955EAF7BA2FB88304F104468F92687351CB35ED61EBE1

Function 00C376D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef9ae7c596ebdadbad1934a6533fd307dfd75badec1a8a424f40b61e3d55777
Instruction ID: e202ed3abac5dc1cc38d94218540ee2e3ea0c85afa276f0159c971f93e2f1c92
Opcode Fuzzy Hash: 7ef9ae7c596ebdadbad1934a6533fd307dfd75badec1a8a424f40b61e3d55777
Instruction Fuzzy Hash: 6F21213432C2058BEB2217398DA4A7937D7AFCA714F1842B9D512CB7A5EE25CC42E381

Function 00C3A809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39aa2e612cefa4d161ef73df5308103f7564eba6ade1c16f581048dbf4e39c9
Instruction ID: 6f6c72ec87ac3070cb7a2ab2b8f5daf6769f05a1d1aa4399855025b374538f35
Opcode Fuzzy Hash: c39aa2e612cefa4d161ef73df5308103f7564eba6ade1c16f581048dbf4e39c9
Instruction Fuzzy Hash: 8931B370A002098FCB04CF7DC884AAEBBF2BF89714B168159E495AB3B1C7359D12CB91

Function 0669DCB1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9639c01812eab4598c2544747e055f583b409aa5eed9ae0895e5f68496625e
Instruction ID: 1c538d500c7707310f39bea5af21a326ada1612ea829bebc2d2b495b5aa2ab5c
Opcode Fuzzy Hash: fc9639c01812eab4598c2544747e055f583b409aa5eed9ae0895e5f68496625e
Instruction Fuzzy Hash: C5318030901309DFDB14AFA0E86C7EEBBB1EF4A312F044569D555672E1CBB80A49CFA1

Function 00C3DF79 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7c80e0b0cbe736f47746a366dea3c1670b2190b7d1663314ad14450d328670
Instruction ID: 823230cc25280c2e4bc2a525d7601ab11a8af9b7456ba6d9d2604c2da40f772a
Opcode Fuzzy Hash: ee7c80e0b0cbe736f47746a366dea3c1670b2190b7d1663314ad14450d328670
Instruction Fuzzy Hash: C321BF71E102488FDB09CFAAE8442EDBBB2AFCE300F14D469D415B72A5DB708506DB64

Function 00C376E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87a29a02916aed3fb741b108175a932f41cb65fe5385333840570a67181c5f3
Instruction ID: 81a77289fb83f35860cb18685299c9dda140abd2138343584300120fac74473b
Opcode Fuzzy Hash: e87a29a02916aed3fb741b108175a932f41cb65fe5385333840570a67181c5f3
Instruction Fuzzy Hash: 7C21C57832C20547EB3617368954A7E32D79FCA715F284178D512CB794EE25CC42E780

Function 00C35A60 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8b05a08eff5d4d00f2f3ea81576cd903a20b408b5ca4b0aaed545b242765bb
Instruction ID: 36dd4a01c0d66d57adcbcf2becda6feb57589fb697668b09fad30f1d9ddc9e56
Opcode Fuzzy Hash: fd8b05a08eff5d4d00f2f3ea81576cd903a20b408b5ca4b0aaed545b242765bb
Instruction Fuzzy Hash: AF212530305A118FC3169B34C8A493EBBA2EF89715B1842ADE806CB361CF30DC02EBD0

Function 00C32060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746212ec88ff16b161e95023eca9738d17966f05eb43119f97759b9a083101f2
Instruction ID: a9edf832f1613fd702d34fc1bdb190670c01101e0eb239fa6e79a7cd149cfc5f
Opcode Fuzzy Hash: 746212ec88ff16b161e95023eca9738d17966f05eb43119f97759b9a083101f2
Instruction Fuzzy Hash: 2F21A135A00115DFDF14EF74C8809AE77AAEB99760F10C429E91A9B250DB31EE46CBD1

Function 00BBD006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809035223.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bbd000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57bfbcb753e072aa0724aacc8e9f909b228a03d6e499bfbcd00833cf917dcbe
Instruction ID: 7821185ddc532742fac3746667cc5b57b46061dbd69b74e7afbe1740aa4097d8
Opcode Fuzzy Hash: c57bfbcb753e072aa0724aacc8e9f909b228a03d6e499bfbcd00833cf917dcbe
Instruction Fuzzy Hash: 7831307550D7C08FD703CB20C9A4751BF71AF46214F29C5DBD8898F1A7D27A980ACB62

Function 00BBD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809035223.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bbd000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c9faf67558b79edf0e9dcc437504f242a3544032daa20b1566138a4b45e25d
Instruction ID: 6af9373e6af74fb44043652b026a414cac63fcb10095d99e491c5846c9557c92
Opcode Fuzzy Hash: a5c9faf67558b79edf0e9dcc437504f242a3544032daa20b1566138a4b45e25d
Instruction Fuzzy Hash: B6213471504304DFDB10EF24C8D0B76BBA5FB84314F64C5ADE8094B282D7BAD846CB62

Function 00C3215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca90257dd415d7907b94ee86cc191db0a5a7d62ebaa0a8d4a6d04765c08f08bc
Instruction ID: 90101b11a2fb82dd9788b286a9a8f5f119a245c0d522e012703721629c5073e0
Opcode Fuzzy Hash: ca90257dd415d7907b94ee86cc191db0a5a7d62ebaa0a8d4a6d04765c08f08bc
Instruction Fuzzy Hash: 5C11AB31E1435A9FCF019BB8AC004DEFB34FF89320B208392E521B70A0EA316C06C7A1

Function 066996F0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26800a606f145156c0e84da27079d36c0eb20070cf8ce621320fcf3e9fae5db6
Instruction ID: b773ec3e25971bd7a9926470e59a2da0ee3bb1117ecd362e413d37c05758b716
Opcode Fuzzy Hash: 26800a606f145156c0e84da27079d36c0eb20070cf8ce621320fcf3e9fae5db6
Instruction Fuzzy Hash: 0711EB367083545FEB4A5FB898203AE3AA3DFC9250B14446EE909DB391DE398D42C796

Function 0669E0C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f815bb534ebc3673869f886eaacfa057a57b06cb72187a5dc8bf77418042d6
Instruction ID: 21d41676c72d8789848eae0f445e6dd80f03b3e43dbea6958a26be93c927d23e
Opcode Fuzzy Hash: 37f815bb534ebc3673869f886eaacfa057a57b06cb72187a5dc8bf77418042d6
Instruction Fuzzy Hash: 7A11E1307082449FE7054BB59C18AABBBABAFCA250F19847BE546C3296DD398C078771

Function 00C3D60F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63d0ed6b6596fcdbc38979320cf37ce3f4963c80c80ae451d11e0dce36e3be0
Instruction ID: b5b1672e68653b1b6bec48f4087853b88ef0d8ca5cb5bb9e34f2ba09b6026a24
Opcode Fuzzy Hash: a63d0ed6b6596fcdbc38979320cf37ce3f4963c80c80ae451d11e0dce36e3be0
Instruction Fuzzy Hash: DE114970D142488BDB08CFBAE8486DEFBB2AFCE301F18C469D419B7265DB7049069F54

Function 00C35A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4337e643fd596d8fc818e6a8e03ce461a8368e2a7a9bbf3301f584bd754f58c2
Instruction ID: 1b412a850f3fcee425ee4aedee4e8daa3900494b8682e9f221b18cb8c0d4c8cf
Opcode Fuzzy Hash: 4337e643fd596d8fc818e6a8e03ce461a8368e2a7a9bbf3301f584bd754f58c2
Instruction Fuzzy Hash: 9B11E531310A168FC7199B29C89493EB7A6FFC8751B1941B8E806CB360CF30DC02A7D0

Function 00C3E201 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43441fecec4c5178afe21d62d7d902acc3ffe269a21cb7c10ae1ac951069541
Instruction ID: e4fa2fffbfa8f0a52ab209864d26ddf888b8db2dac76ffd71e65881c1aa04b3e
Opcode Fuzzy Hash: b43441fecec4c5178afe21d62d7d902acc3ffe269a21cb7c10ae1ac951069541
Instruction Fuzzy Hash: 52216D70D002099FEB45EFB8D9807DEBBF2FB4A300F1186A9D014AB255EB745A06DB81

Function 06699350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e701cdd251dc01310f28b3bafb0defbac9e15cacf9d5210e7cfc95cf587aa4
Instruction ID: 649eccbd67c477829fc49d84a54037d776949b2148ef3e4d6fa22286ac8bb0b5
Opcode Fuzzy Hash: b0e701cdd251dc01310f28b3bafb0defbac9e15cacf9d5210e7cfc95cf587aa4
Instruction Fuzzy Hash: 0B115676800249DFDF10CF99C804BDEBBF8EB48320F14841AE918A7250C379A950CFA5

Function 06699999 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b4abb11dd8e614762857208efbe6b0361215c3140dbb2367b51602da7d4482
Instruction ID: d3f95577b9b06015035bdf48ee4357a79f7b4b83d68b2dab8a5024442a612773
Opcode Fuzzy Hash: 67b4abb11dd8e614762857208efbe6b0361215c3140dbb2367b51602da7d4482
Instruction Fuzzy Hash: EE116476800249EFDB10CF99C805BDEBFF8EB48320F14841AE918A3650C339A554DFA0

Function 00C3E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408ae8b1654cf4786a2dfb6a2a35a5418f2fb1d2932e5538368401881d79748a
Instruction ID: 25d2f9409d163a9130bb36b78769e38206f96c6dd0bf77c7b0db13b65ad2ec32
Opcode Fuzzy Hash: 408ae8b1654cf4786a2dfb6a2a35a5418f2fb1d2932e5538368401881d79748a
Instruction Fuzzy Hash: E2115E74E00209DFDB45EFB9D98079EBBF2FB45300F1185A9D014AB355EB745E069B81

Function 06698EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6caef44b4c8b5e40a3f656c1697474cedfd1fc2d2c15889e38f9ef4e23a1f4fa
Instruction ID: e103b377a11c070a31abddd844c60f48a0be67093708edd07723af91c8f58cbe
Opcode Fuzzy Hash: 6caef44b4c8b5e40a3f656c1697474cedfd1fc2d2c15889e38f9ef4e23a1f4fa
Instruction Fuzzy Hash: 1D11FE74E402498FEF14DFE8E950BEEFBB6EB89315F009459EC08A7345E6349D428B60

Function 00C31F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ba302443c76bcc25b14f96fe4e5905c372576341e39720aa7665a1452ec7d4
Instruction ID: bc9dabfbd63f75fa71ef7cdbd333db7b40ef97d55b5804fad3b71f9eb632def3
Opcode Fuzzy Hash: 02ba302443c76bcc25b14f96fe4e5905c372576341e39720aa7665a1452ec7d4
Instruction Fuzzy Hash: 7D21C0B4C152098FCB44EFA8D9559EDBFF0BB49301F10416AD805B3220EB305A45DBA1

Function 00C31F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fd989664246bafe09309673fe84539c23e6e9a666712253ba8fbc7fbb25680
Instruction ID: 64e08670c900b9d272ff69ed9f92d97d04b7109818b8728035872d95d1f9eee9
Opcode Fuzzy Hash: 81fd989664246bafe09309673fe84539c23e6e9a666712253ba8fbc7fbb25680
Instruction Fuzzy Hash: 0E21D0B4D1460D8FCB14EFA8D9859EEBFB0FF49304F14416AD805B7264EB305A86DBA1

Function 06692670 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8645cd2fa4173a99a787eff30dee31797f0b68bbc209bab84c0b1d8d18f8f2de
Instruction ID: f1b0f789941af85f49f9c53dafb89c67acbd940faa24127f329d035ed97b63d3
Opcode Fuzzy Hash: 8645cd2fa4173a99a787eff30dee31797f0b68bbc209bab84c0b1d8d18f8f2de
Instruction Fuzzy Hash: E5016D75B601258FCB90ABBCE51956D3BF8EF88221710417AE806EB361DE31D9038BA1

Function 00C35607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0716dfd2b8bb83347936309401aacea4068ebf67a64fa7f210735ceafbb9194
Instruction ID: d45ff303dc62b31760e63a350c3ec00b140a2c386f22f61e681f54cd2916eac2
Opcode Fuzzy Hash: f0716dfd2b8bb83347936309401aacea4068ebf67a64fa7f210735ceafbb9194
Instruction Fuzzy Hash: 170128717041096FCB028E659811BEF3BE7DFC9761F18807AF905CB294CA75CD02A7A1

Function 066925E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c704b9f04ac9e9abd99ed3b6f0d33cafb95e12a3a2dba57b01974bb62b9011
Instruction ID: c0fc2936263127bf6203e347c076fd5093b5062fefb85a752289e204da2ba370
Opcode Fuzzy Hash: 01c704b9f04ac9e9abd99ed3b6f0d33cafb95e12a3a2dba57b01974bb62b9011
Instruction Fuzzy Hash: C501E470E10219DFCF44EFBAC8546AEB7F9AF48200F10856AD819E7250E7349A12CBA0

Function 06699760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d26754f12469b29f788acc9b5a918ad4b4526f865e62d1ae7d0fd17978d6418
Instruction ID: b3bc0b09e0496a0450210313808e8415a44fccd6852f2794e02e1f0741317ef3
Opcode Fuzzy Hash: 6d26754f12469b29f788acc9b5a918ad4b4526f865e62d1ae7d0fd17978d6418
Instruction Fuzzy Hash: 04F05E333042187B9F459E98A8109AF7FABEBC8260B04442EFA0997251DA369D11A7A5

Function 00C3D449 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83100fa56c36d6f5e18f94f21ea6883fc7e217d25143eab81449f10536913bbb
Instruction ID: b4f76dc7bc61481a06bab7f284c57883ac05dafec736f82ca8886f177debfb1b
Opcode Fuzzy Hash: 83100fa56c36d6f5e18f94f21ea6883fc7e217d25143eab81449f10536913bbb
Instruction Fuzzy Hash: B9F02B70D142849BCB0A9B74AD187FA77749B8F301F4455A8D054B72B2CB71511A9750

Function 00C3DF08 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a64fad2ecb82b3a66cfc79e21156e40c6c11358aa4f6d7a8168b56a348d026
Instruction ID: 76f317ad6a653ae75e66bdfe22de272f929763ce942947a12f89c499e3d184fc
Opcode Fuzzy Hash: 98a64fad2ecb82b3a66cfc79e21156e40c6c11358aa4f6d7a8168b56a348d026
Instruction Fuzzy Hash: F2E02B35904244CFCB068F74A9143EABB71EF8F301F441868D046731B1CBB15619C785

Function 00C3D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b41ef1ec19751ee2328f221a51976ebf92f82ac76dfda4a94956cc6c9ee2c5
Instruction ID: d4aba588b8aa934b9cd426a182207291ebf0edb451a3ffef275af7b4338d20d4
Opcode Fuzzy Hash: 98b41ef1ec19751ee2328f221a51976ebf92f82ac76dfda4a94956cc6c9ee2c5
Instruction Fuzzy Hash: E9E026E3C08184CBD7109BA678162B8BF70DDD3301F4460DBC09BDB121D724E606AB16

Function 00C32010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecc7b6f60d835a60011f43f83d5d6b113e8e16b1bce96125105e9588010496d
Instruction ID: 65bda576c87dc7f018f372c603ee249918c74a7ce0fc17e3738decc613899584
Opcode Fuzzy Hash: 6ecc7b6f60d835a60011f43f83d5d6b113e8e16b1bce96125105e9588010496d
Instruction Fuzzy Hash: 6BE0D831D293965FC71297B49C180EEBF34EDD7310B1586BBE0A067491EB70151AC761

Function 00C32020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062d974d7919b7e0dee189189cdac98d05b12cc9eadaba68cb413fc2089bbbab
Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
Opcode Fuzzy Hash: 062d974d7919b7e0dee189189cdac98d05b12cc9eadaba68cb413fc2089bbbab
Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1

Function 00C38258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: e6586c92b370aefca2ece75422b1018c13ce8208ecdd91ca7e349fb24ce8502d
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 18C0123324C2282AAA24108F7C40AB3AB8CC2C17B4E250137F92CA3240A8429C8401A8

Function 00C3A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe741882685a05175be713d5b4c7a720f657f10841bf921c581a0584744caff
Instruction ID: 00b4039709550769eeddc889639b96defa207c65c4f3813ab98cd3a6a1685d63
Opcode Fuzzy Hash: dfe741882685a05175be713d5b4c7a720f657f10841bf921c581a0584744caff
Instruction Fuzzy Hash: E3D0677AB01008EFDB049F98EC40DDDB7B6FB9C221B048116E915A7260C631A961DB54

Function 00C35EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d7ecd933e53aefd2ead6786f75d9741b46bbbbb308656d30942a3ee8ea41f4
Instruction ID: fcc65362c117753751aa2b7fd91b5c707d6aeafe532a61854bec4d6455e6a7b0
Opcode Fuzzy Hash: 33d7ecd933e53aefd2ead6786f75d9741b46bbbbb308656d30942a3ee8ea41f4
Instruction Fuzzy Hash: B1D02B7040D3890BC706F330ED954683F216E81108B4441D9F4420A417EAB958078B53

Function 00C35EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260bcc1a361f42260faac9ce68d07daac2e929808f2397aa4614bf066be0a230
Instruction ID: 2141d4cab1ab7e16f69b124030dba6cab5b6efaa628fb59332935557e92e160c
Opcode Fuzzy Hash: 260bcc1a361f42260faac9ce68d07daac2e929808f2397aa4614bf066be0a230
Instruction Fuzzy Hash: 06C0807010430D47D505F771FE85925335AF7C0604F408550F1090611AEF7DBD5647D2

Non-executed Functions

Function 066933B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0o#p, xrefs: 06693423

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p
API String ID: 0-2085137917
Opcode ID: 69bc31e22daf9cd10e6dc9390ba1e0a239e74d50e40308dc1dcc2dcfaa132baa
Instruction ID: 7eea6fea919c62ccd36a0fba328c93c8a2232d40beb375e2333f0b63c84a0aec
Opcode Fuzzy Hash: 69bc31e22daf9cd10e6dc9390ba1e0a239e74d50e40308dc1dcc2dcfaa132baa
Instruction Fuzzy Hash: 65B19574E00218CFDB54DFA9D984A9DBBB2FF89310F2481A9D819AB365DB34AD41CF50

Function 066933A8 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

0o#p, xrefs: 06693423

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID: 0o#p
API String ID: 0-2085137917
Opcode ID: d74d5aff25cf61b3420031e5747b562a4f79eed6c969518ac2498617de3c1e2a
Instruction ID: 410edc3e2146d09112133e56f8dcc2407338f2fedb64284b3382daa04dae896a
Opcode Fuzzy Hash: d74d5aff25cf61b3420031e5747b562a4f79eed6c969518ac2498617de3c1e2a
Instruction Fuzzy Hash: 9651A575E01608CFDB48DFAAD884A9DBBF6FF89300F248169D815AB365DB349942CF50

Function 00C3E528 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3809364012.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c30000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ed6c5d7ecf42c584e55720ef07f242a0eb5090f8a91b8a51025b599f4b6f01
Instruction ID: 3d7e7f026bfbe4dbbfd1d35cf56192a157f1944cc401459c74118960d56881af
Opcode Fuzzy Hash: 35ed6c5d7ecf42c584e55720ef07f242a0eb5090f8a91b8a51025b599f4b6f01
Instruction Fuzzy Hash: 22528A74E01228CFDB64DF69C984BDDBBB2BB89300F1085EAE409A7255DB359E81DF50

Function 04F8CEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa417830aa0134501dff38aa15f31f2197e99191f707bc31d13b0859576a561b
Instruction ID: a82e9fcc0d9302598d643eca51fb7696f93bf7e62a6e29bb05403ffd9c02ec75
Opcode Fuzzy Hash: fa417830aa0134501dff38aa15f31f2197e99191f707bc31d13b0859576a561b
Instruction Fuzzy Hash: E8C1A174E00218CFEB14DFA5D994B9DBBB2FF89304F1081A9D409AB395DB349A82CF50

Function 04F8B4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50159a2b21a651b17ce33fb885a31c47d0fa436d1029ff771b05671fc3e21bf
Instruction ID: e551d486fc630fb9ad1483ff6cca9c612371b2f4b59b03c95f893137f675dbe5
Opcode Fuzzy Hash: c50159a2b21a651b17ce33fb885a31c47d0fa436d1029ff771b05671fc3e21bf
Instruction Fuzzy Hash: 9BC1A174E00218CFDB14DFA5D994B9DBBB2EF89304F2081A9D409AB355DB346A86CF50

Function 04F8E4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83cd3d67d8a3dc29b1d855244fde24141595c461d72d99063f606fbbd56b3a4
Instruction ID: ef29c39e2f5146dc258227a6a8d685f26c739c22804d8e428742ff5578bfd879
Opcode Fuzzy Hash: a83cd3d67d8a3dc29b1d855244fde24141595c461d72d99063f606fbbd56b3a4
Instruction Fuzzy Hash: DBC1B074E01218CFDB14EFA5D994B9DBBB2FF88304F2081A9D409AB355DB349A86CF50

Function 04F804A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6794ee15e92c20f1288061f3dec915152c4ea9ead4fa533aef1004d513a2da
Instruction ID: 20f556346c96d5f90b311fd83ed6184a6a2578b4d26f63412acff4e2d9771e11
Opcode Fuzzy Hash: ef6794ee15e92c20f1288061f3dec915152c4ea9ead4fa533aef1004d513a2da
Instruction Fuzzy Hash: 7FC1CF74E01218CFDB14DFA5D984B9DBBB2FF89300F2081A9D809AB365DB359A85CF50

Function 04F8CAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d1fed8c72f9e446873f35f3adc3438cbf9da40f594fd95741ae4855cdba022
Instruction ID: 9c278912aa1b34ce3692d0b28edd4a2dc7d3f0f113cc1d765e5c5b7cd3f6ca88
Opcode Fuzzy Hash: 80d1fed8c72f9e446873f35f3adc3438cbf9da40f594fd95741ae4855cdba022
Instruction Fuzzy Hash: 29C1C074E00218CFDB14EFA5D984B9DBBB2FF89304F2081A9D409AB355DB349A86CF50

Function 04F8FA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892eda9ed09f0ed0f42a8fa29d90d4ce7f51bc1d3b024f40b0296b98cdae235b
Instruction ID: 957f6dc4b5882a53ce8215caa85d0c5850db6d95a22b850a31ba46510c25f340
Opcode Fuzzy Hash: 892eda9ed09f0ed0f42a8fa29d90d4ce7f51bc1d3b024f40b0296b98cdae235b
Instruction Fuzzy Hash: 46C1A074E00218CFDB14EFA5D994B9DBBB2EF89304F2081A9D409AB355DB359A86CF50

Function 04F8E058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ff3439fb30e88ac525681d56838fdbbd1d59503594ac89d22463eb7e0c9299
Instruction ID: b67254eb52bc5ee1f4c8350129533afd57fda80f0c9e670f52e1046b43bb6b7b
Opcode Fuzzy Hash: e2ff3439fb30e88ac525681d56838fdbbd1d59503594ac89d22463eb7e0c9299
Instruction Fuzzy Hash: 5AC1B174E01218CFDB14DFA5D984B9DBBB2FF88304F2081A9D409AB355DB359A86CF50

Function 04F8C648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa14d0f4439559c6e363964c4ccbab5622b1d3a39997e8bcc8fe755bfa79398
Instruction ID: 3fdf100e29fee933afd54a6bf5a412db4b64653a56451c4c8ff5353995ee5f55
Opcode Fuzzy Hash: eaa14d0f4439559c6e363964c4ccbab5622b1d3a39997e8bcc8fe755bfa79398
Instruction Fuzzy Hash: D9C1B074E00218CFDB14EFA5D994B9DBBB2BF89304F1081A9D409AB355DB349A86CF50

Function 04F80040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ae2de5d7c58d3a190d22972df759e6bc940e003d93748eed67eff8e881ff8d
Instruction ID: 060a5a6bc0378e17dc8ccbf5f7c7388331975728dff03794fea1920b9cd02e70
Opcode Fuzzy Hash: f8ae2de5d7c58d3a190d22972df759e6bc940e003d93748eed67eff8e881ff8d
Instruction Fuzzy Hash: A4C1BF74E01218CFDB14DFA5D994B9DBBB2FF89300F2081A9D809AB365DB359A85DF10

Function 04F8F610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1085bb6f798e6b7a517c9a52b6eab3279ae6fc46c37594ab1254805b8d0a2783
Instruction ID: 8cf13f11510fc2e2f103da9b6ca52a8c906a48e43a81e904217ee0efef33df0b
Opcode Fuzzy Hash: 1085bb6f798e6b7a517c9a52b6eab3279ae6fc46c37594ab1254805b8d0a2783
Instruction Fuzzy Hash: 1CC1A174E01218CFDB14EFA5D994B9DBBB2FF88304F2081A9D409AB355DB359A86CF50

Function 04F8DC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33abf60ae672e4971059f96bd00a4d54924491c3f0d768a0dda6e06c14663c6e
Instruction ID: ebc7ca655125f3f3bf5eac509e57bfb305753b8cd3a3e15fda2499c0c268993b
Opcode Fuzzy Hash: 33abf60ae672e4971059f96bd00a4d54924491c3f0d768a0dda6e06c14663c6e
Instruction Fuzzy Hash: 7BC1A074E01218CFDB14EFA5D994B9DBBB2FF88304F1081A9D409AB395DB359A82CF50

Function 04F8C1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9beeb4aee44594e09559cb567d412e436d84958d51e8df36e169d8d6d3315b37
Instruction ID: 194d83e6d7d604498138ae0c80aaba963d7d3453c572b977d564c4bacf4869a7
Opcode Fuzzy Hash: 9beeb4aee44594e09559cb567d412e436d84958d51e8df36e169d8d6d3315b37
Instruction Fuzzy Hash: E1C1B174E01218CFDB14DFA5D994B9DBBB2FF89304F2081A9D409AB355DB34AA86CF50

Function 04F811C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5a3024d176774839d35de80570cb58702f538d66b84cfdb0f1442c9c07534f
Instruction ID: 30d93969090b168d77e9fae8e384759b834ce852cde4a6d692bf64628853479f
Opcode Fuzzy Hash: 5d5a3024d176774839d35de80570cb58702f538d66b84cfdb0f1442c9c07534f
Instruction Fuzzy Hash: 63C1B174E00218CFDB14DFA5D994B9DBBB2FF89300F1081A9D809AB365DB359A86DF50

Function 04F8F1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7ef934ad9baabe311698e5d39a8c734fdbbe86fbb8e9790ae7874e6879927a
Instruction ID: 0881c211519a4f4a8b1e96bbaff09fad47af3fb9f59339fcdfd939627f1db9cc
Opcode Fuzzy Hash: af7ef934ad9baabe311698e5d39a8c734fdbbe86fbb8e9790ae7874e6879927a
Instruction Fuzzy Hash: 86C1A074E00218CFDB14EFA5D994B9DBBB2EF89304F2081A9D409AB355DB359A86CF50

Function 04F8BD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f97ed091c42fdfb9ad42f562adf5acc2a3537be13b550fb3bd150c231ebd71
Instruction ID: d62406b5a73368cebcff9b70c61239e5b09c2fb7058626a73ecaeddab1222965
Opcode Fuzzy Hash: e9f97ed091c42fdfb9ad42f562adf5acc2a3537be13b550fb3bd150c231ebd71
Instruction Fuzzy Hash: 8FC1A174E00218CFDB14DFA5D994B9DBBB2FF89304F2081A9D409AB355DB35AA86CF50

Function 04F8ED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d035deb41de5b6bdf883a708f2425902edbe65441f34f53c1564edbf0fd8ea
Instruction ID: 5062b3d66fd1ed1f6359a967191269732c8b05639667afa80287db888758d8c9
Opcode Fuzzy Hash: 64d035deb41de5b6bdf883a708f2425902edbe65441f34f53c1564edbf0fd8ea
Instruction Fuzzy Hash: 23C1A174E00218CFDB14DFA5D994B9DBBB2FF88304F2081A9D409AB355DB359A86CF50

Function 04F80D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fc2103307bf5bec478f7fc730bcbcd5f8e9b1fa747f0a8faffb119b5408ab0
Instruction ID: ebd32aefdb4275f670bbd715b142847f901ba443f63a148de7be5c7918b9043a
Opcode Fuzzy Hash: 28fc2103307bf5bec478f7fc730bcbcd5f8e9b1fa747f0a8faffb119b5408ab0
Instruction Fuzzy Hash: D8C1B174E00218CFDB14DFA5D994B9DBBB2FF89300F1081A9D809AB365DB359A86DF50

Function 04F8D350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897109c37f0f5739c9f68ca25ed9794c65e46fae1cdc93da023f1e7efaa0fec4
Instruction ID: a48d1df54878707ed31fddbf3b3f30dc7f70652044d90c95badf529e474cd217
Opcode Fuzzy Hash: 897109c37f0f5739c9f68ca25ed9794c65e46fae1cdc93da023f1e7efaa0fec4
Instruction Fuzzy Hash: EEC1A274E01218CFDB14DFA5D994B9DBBB2FF88304F1081AAD409AB395DB359A86CF50

Function 04F8B940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9ee513c20a83faee2e1dd95c601d9fd8320acd77b5ea1b43ce4215a05f547d
Instruction ID: 205fc517c35fc7cecf375fa02df114407fb548c79a3cf60c48a22c2ae2216835
Opcode Fuzzy Hash: 6e9ee513c20a83faee2e1dd95c601d9fd8320acd77b5ea1b43ce4215a05f547d
Instruction Fuzzy Hash: CCC1B175E00218CFDB14DFA5D994B9DBBB2FF89304F2081A9D409AB355DB34AA86CF50

Function 04F8E908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d07a59a99d7a8e4633ba35ff6ad000d9512ab074b0b1a104655926c9d7ba99
Instruction ID: 24b4b6188697f075e665a9c3a2871386f9cf6f92787bb73e73375b96584140c2
Opcode Fuzzy Hash: 83d07a59a99d7a8e4633ba35ff6ad000d9512ab074b0b1a104655926c9d7ba99
Instruction Fuzzy Hash: 95C1A174E00218CFDB14EFA5D994B9DBBB2FF89304F1081A9D409AB355DB359A86CF50

Function 04F80900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980b74a75672dfe6844ea90c24e81a72ac546424b37779243ff3cc6ca18188d2
Instruction ID: b4cfaa6cb9349e65a5e0b4c11241a11170e1a0d6780e2282e1e93fc769076ba5
Opcode Fuzzy Hash: 980b74a75672dfe6844ea90c24e81a72ac546424b37779243ff3cc6ca18188d2
Instruction Fuzzy Hash: ACC1C074E01218CFDB14DFA5D994B9DBBB2FF89300F2081A9D809AB365DB359A85DF10

Function 06695A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a22116762eea0299e0b5b910aeee108d273f1945920bf042bdb9646065a5f4
Instruction ID: ba1157819cbf3976a642269637ed7edc2f319014c959b69f92049658c69f132b
Opcode Fuzzy Hash: 21a22116762eea0299e0b5b910aeee108d273f1945920bf042bdb9646065a5f4
Instruction Fuzzy Hash: 5EC1BF74E01218CFDB54DFA5D994B9DBBB2FF88304F2080AAD809AB355DB359A81CF50

Function 06695618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57152dde8b6cc6958cc479331debbe3407358fbf2a6477bf9f9c8b03bb304b58
Instruction ID: 3a1ce4b5dfa27fcbedcc965077f00aebb88b802a53c00da0307060fa34ebfb6f
Opcode Fuzzy Hash: 57152dde8b6cc6958cc479331debbe3407358fbf2a6477bf9f9c8b03bb304b58
Instruction Fuzzy Hash: F8C1B074E01218CFDB54DFA5D994B9DBBB2FF89304F2081AAD809AB355DB349A81CF50

Function 06695EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d0438f874b6bb83255de312545290e8adc010ff6ce4a94ebddcaaa9bb4e784
Instruction ID: aa7e5e809999446cfcffa1c9b065dc3add803038112c802790a7640c0bd9f82d
Opcode Fuzzy Hash: f7d0438f874b6bb83255de312545290e8adc010ff6ce4a94ebddcaaa9bb4e784
Instruction Fuzzy Hash: A2C1B274E00218CFEB54DFA5D984B9DBBB2FF89304F1081AAD809AB355DB359A85CF50

Function 06696778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab4a7de6edec5c690923f2cc15566ec49d806b690e114fa514bf4d0c4f19bc2
Instruction ID: 8fdde1c89d563dd5f40922245afd7b2172c2afb6ed28217943cafbbfea13ff85
Opcode Fuzzy Hash: 5ab4a7de6edec5c690923f2cc15566ec49d806b690e114fa514bf4d0c4f19bc2
Instruction Fuzzy Hash: A7C1B074E00218CFEB54DFA5D994B9DBBB2FF89304F2081A9D809AB355DB349A85CF50

Function 06696320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc057de94b2bf9c101c0da2a36bc930b0b0bc6a2554d538d5b94ad5f1dd667a
Instruction ID: 8e98bc29cfa6bda20cbbc78ff282a37582628e25600d452c0180483844af7cb1
Opcode Fuzzy Hash: 0bc057de94b2bf9c101c0da2a36bc930b0b0bc6a2554d538d5b94ad5f1dd667a
Instruction Fuzzy Hash: 24C1B174E00218CFEB54DFA5D994B9DBBB2FF88304F1081A9D809AB355DB359A85CF50

Function 06696BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a909486f95c8fbbb13c4815db96aba7c633fc54c01ad6ff27384756f9fc97b4c
Instruction ID: 151757d2d8e883a6a373db99b04a3a9e7d861f99b8832ca2c4a61f33e1db7a9f
Opcode Fuzzy Hash: a909486f95c8fbbb13c4815db96aba7c633fc54c01ad6ff27384756f9fc97b4c
Instruction Fuzzy Hash: 02C1B074E00218CFEB54DFA5D994B9DBBB2FF88304F2081A9D809AB355DB359A85CF50

Function 06690040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350da6bbe384e5ee3cb74e5dfe124175aefd672b7c7337d32ca6ad294175c3a2
Instruction ID: 001290128bdefe41d9c6628909c83b47f7cdc78b91ad6a9d582b26bc248a3498
Opcode Fuzzy Hash: 350da6bbe384e5ee3cb74e5dfe124175aefd672b7c7337d32ca6ad294175c3a2
Instruction Fuzzy Hash: BBC1B074E00218CFDB54DFA5D994B9DBBB2FF89304F2081A9D809AB355DB359A81CF50

Function 06697050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf41f2b42c00d2052b169a5f1ba1065ab3287513932de5a1056fece4672c230
Instruction ID: 9e36ca23299c514d6c3b0537e6c8494c57944cc8f248d48ddb02f36da7112522
Opcode Fuzzy Hash: ebf41f2b42c00d2052b169a5f1ba1065ab3287513932de5a1056fece4672c230
Instruction Fuzzy Hash: 99C1BF74E01218CFDB54DFA5D984B9DBBB2FF89304F2081A9D809AB355DB349A81CF50

Function 066908F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df6aa54ff1310ad6f4b807409dc1715b223058257c593c3f89e8f82cde62506
Instruction ID: 85e2a4cbf6cfd0185e86535c63c6c84ff60863dd1e1351da2bb5c7b58fb481b2
Opcode Fuzzy Hash: 4df6aa54ff1310ad6f4b807409dc1715b223058257c593c3f89e8f82cde62506
Instruction Fuzzy Hash: 84C1BF74E01218CFEB54DFA5D984B9DBBB2BF88304F2081A9D809AB355DB359E81CF50

Function 066974A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd734e88918b44c8a3eb61e890bf07299ea2bd64fea8907a93ef59e187e14a22
Instruction ID: 0645216a29e4d3a7ed7ec0db1fb712c6821bcf2efd821e5de148c96a9d3be73a
Opcode Fuzzy Hash: fd734e88918b44c8a3eb61e890bf07299ea2bd64fea8907a93ef59e187e14a22
Instruction Fuzzy Hash: B7C1B074E00218CFDB54DFA5D984B9DBBB2FF88304F2081AAD809AB355DB359A81CF50

Function 06690498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29adf0c91f04113f4d44fa16e49a6076b02d2a8f96f7fa3a2d549d3b0772de66
Instruction ID: 4b17bed7aab5875e7cd7f4d0d5ad867c553fd2c18d9193c90a1442643b38471d
Opcode Fuzzy Hash: 29adf0c91f04113f4d44fa16e49a6076b02d2a8f96f7fa3a2d549d3b0772de66
Instruction Fuzzy Hash: 26C1AF74E01218CFEB54DFA5D994B9DBBB2FF89304F2081A9D809AB355DB349A81CF50

Function 06690D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2bafda46699c8e1aecd3afe9108e15ad96a72ffe36d1d833143b9027dd0090
Instruction ID: 90123625b6701c94de522066cf3dfb068780d51756e8a9ff694c2f45e87947ed
Opcode Fuzzy Hash: 0c2bafda46699c8e1aecd3afe9108e15ad96a72ffe36d1d833143b9027dd0090
Instruction Fuzzy Hash: 9CC1B074E01218CFDB54DFA5D984B9DBBB2BF89304F2081A9D809AB355DB349E82CF50

Function 06697D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501dc03924682ce882fd643350f339ea5386a6ad58a82f8196246c248cf40e4f
Instruction ID: 9fae0ba98acd957e7785ee4ae7cf2d188d46211b3028f6d273df161c8c49713f
Opcode Fuzzy Hash: 501dc03924682ce882fd643350f339ea5386a6ad58a82f8196246c248cf40e4f
Instruction Fuzzy Hash: 10C1BF74E00218CFDB54DFA5D984B9DBBB2EF89304F2081AAD809AB355DB359E85CF50

Function 066981B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b639e528a0eeae030b3740d4ac7cd34854874f929ae63cc143faf6d0707363a3
Instruction ID: 4bd3438ca76197cf133bfc2a76da7d17df53558a4083bae16e497ef8aa84afbe
Opcode Fuzzy Hash: b639e528a0eeae030b3740d4ac7cd34854874f929ae63cc143faf6d0707363a3
Instruction Fuzzy Hash: ACC1B174E00218CFEB54DFA5D984B9DBBB2FF89304F1081A9D809AB355DB359A85CF50

Function 06695198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a752563e4805d9e1ca24f5ae6ed224326fded06192af7e6a4965e322bb9f49
Instruction ID: 0da09b82643d06d4fee6bc825151ac8bf36685748213fca7aeae4eaa89635844
Opcode Fuzzy Hash: 94a752563e4805d9e1ca24f5ae6ed224326fded06192af7e6a4965e322bb9f49
Instruction Fuzzy Hash: D4C1BF74E00218CFDB54DFA5D984B9DBBB2AF89304F2081AAD809AB355DB349A81CF50

Function 04F81610 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e8138e33c628362db93af51a33434be57208902e6258fe493a83da6f2694e9
Instruction ID: 289c90411aa1d21da0de779064efca756fa1f8ce9795d0edff3a62635496d621
Opcode Fuzzy Hash: 45e8138e33c628362db93af51a33434be57208902e6258fe493a83da6f2694e9
Instruction Fuzzy Hash: A1A1F570E00208CFEB14DFA8D958BDDBBB1BF89304F24826DE449AB2A1DB745985CF55

Function 04F81620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3436630c4d30faaa0667e6ceff8755ceedde86d40d825f7c5a7536d633bc9f70
Instruction ID: d6d3369a89cffb0b52c1d2b2e43a67eee3991705271223e9d859d1bf3d0e5176
Opcode Fuzzy Hash: 3436630c4d30faaa0667e6ceff8755ceedde86d40d825f7c5a7536d633bc9f70
Instruction Fuzzy Hash: CDA10670D00208CFEB14DFA8D948BDDBBB1BF49310F24826DE409AB2A1DB745985CF55

Function 04F81966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3813087738.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f80000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed23cccf40ea1262731af3a7cb2e8f88856dceadb297931f63d69e53a55c2ec2
Instruction ID: cb8e3625b97f1364d1de50478590702fa0b1f722b8422b8c6edc43c91980926d
Opcode Fuzzy Hash: ed23cccf40ea1262731af3a7cb2e8f88856dceadb297931f63d69e53a55c2ec2
Instruction Fuzzy Hash: 1891D470D00218CFEB14DFA8D988BDCBBB1FF49314F249269E449AB291DB749986CF15

Function 066936CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3815349533.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6690000_Ziraat Bankasi Swift Mesaji.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d78f85c00053c9f5409fe3b5b52ca63fe9ba1357a6a246b061afde3b13db9c7
Instruction ID: 6a1239a45a882fbd271ff2f57d342ce232123f4e16d87cce89e95a677106e880
Opcode Fuzzy Hash: 2d78f85c00053c9f5409fe3b5b52ca63fe9ba1357a6a246b061afde3b13db9c7
Instruction Fuzzy Hash: 3DD09234D5425CCBCF20EFA8E8513AEB372FF86300F0024A6D509B7240D7309E629A26

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Ziraat Bankasi Swift Mesaji.exe

Function 04C6B1F8 Relevance: 1.9, Strings: 1, Instructions: 618
COMMON

Function 04C60550 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Function 04C60560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 04C6BD2C Relevance: 1.6, APIs: 1, Instructions: 139
processCOMMON

Function 04C6BD38 Relevance: 1.6, APIs: 1, Instructions: 137
processCOMMON

Function 04C64C05 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Function 04C64C10 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 04C63AE4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 04C6AEE0 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 04C6AEE8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 04C607A1 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 04C6AE08 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Function 04C6AE10 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 04C607A8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 04C6C018 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre