General
Target: RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
Size: 1.2MB
Sample: 201125-vqp73pbhwn
MD5: cd4a8d5b7b52bad98531415d46545391
SHA1: d2646f03108d4063899716427c5dac918b264a5a
SHA256: bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779
SHA512: 2ad8c0097734eac098c043b95df314114d1fd1f677ddc3cc7be08ae1330de642621d73c6418082eabb97b4dbc94e6a05f058b2834ab9ecdd86615991c3a0bdff
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
  Resource: win10v20201028
Malware Config
Extracted: formbook
http://www.hansonkx.xyz/mkv/
gungorevdenevenakliyat.com
tungsten-projects.com
sensualdelightsboutique.com
mageedigital.com
101cv.online
kuaiditianxia.com
theretailwalk.com
autolinkpa.com
checkpoints.xyz
primeshoppinghouse.com
mapdial.com
yxj66.net
angrysymphony.com
manausservico.com
saqiralsharq.com
cocoabeachconeys.com
messianicentertainment.com
gip7.com
1111dcafe.com
mortgagesafetynet.com
webhostingsrilanka.info
brandsrx.technology
arcreditcards.com
28fenfa.com
mrt555.com
hongdajunheng.com
ta-recruitment.com
themusicchannellive.com
hagiwara.store
batesklinkemfg.com
digsnutrition.com
justrainservices.com
dombeograd.com
4bbconnect.com
usalignassociate.com
trialfacts.site
euphoricmoondust.com
elfraza.com
xiaomaque555.com
airlinereason.asia
threepeninsulas.com
hurricanelauraroofing.com
trendhour.icu
wh534.com
thedigitalinteractive.com
shinbi.info
aist72.com
didemfoods.com
abuyoghotel.com
surptalb.xyz
bcndelicious.cat
bjtzmp.com
worthyworks.site
pleasanthavendaycare.com
agenthaq.net
topferhimmel.com
heyteddi.com
bicegrandcafe.com
consommeresponsable.com
treasuretrovepropertyllc.com
boimgo.com
carolinaclothinggroup.com
residentialwarantyservices.com
fithappenstx.com
Targets
Target: RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
Size: 1.2MB
MD5: cd4a8d5b7b52bad98531415d46545391
SHA1: d2646f03108d4063899716427c5dac918b264a5a
SHA256: bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779
SHA512: 2ad8c0097734eac098c043b95df314114d1fd1f677ddc3cc7be08ae1330de642621d73c6418082eabb97b4dbc94e6a05f058b2834ab9ecdd86615991c3a0bdff
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Formbook Payload
- ModiLoader First Stage
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application
- Suspicious use of SetThreadContext