Overview

overview

10

Static

static

RFQ For TR...2).exe

windows7_x64

10

RFQ For TR...2).exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe

  • Size

    1.2MB

  • Sample

    201125-vqp73pbhwn

  • MD5

    cd4a8d5b7b52bad98531415d46545391

  • SHA1

    d2646f03108d4063899716427c5dac918b264a5a

  • SHA256

    bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779

  • SHA512

    2ad8c0097734eac098c043b95df314114d1fd1f677ddc3cc7be08ae1330de642621d73c6418082eabb97b4dbc94e6a05f058b2834ab9ecdd86615991c3a0bdff

Score
10/10
formbookmodiloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.hansonkx.xyz/mkv/

Decoy

gungorevdenevenakliyat.com

tungsten-projects.com

sensualdelightsboutique.com

mageedigital.com

101cv.online

kuaiditianxia.com

theretailwalk.com

autolinkpa.com

checkpoints.xyz

primeshoppinghouse.com

mapdial.com

yxj66.net

angrysymphony.com

manausservico.com

saqiralsharq.com

cocoabeachconeys.com

messianicentertainment.com

gip7.com

1111dcafe.com

mortgagesafetynet.com

Targets

    • Target

      RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe

    • Size

      1.2MB

    • MD5

      cd4a8d5b7b52bad98531415d46545391

    • SHA1

      d2646f03108d4063899716427c5dac918b264a5a

    • SHA256

      bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779

    • SHA512

      2ad8c0097734eac098c043b95df314114d1fd1f677ddc3cc7be08ae1330de642621d73c6418082eabb97b4dbc94e6a05f058b2834ab9ecdd86615991c3a0bdff

    Score
    10/10
    formbookmodiloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook Payload

      rat

    • ModiLoader First Stage

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks