General

  • Target

    New Order 23112200881.exe

  • Size

    1.1MB

  • Sample

    221123-nl142ahb87

  • MD5

    29d854c5c94cc9c0f35b50187fcf9e23

  • SHA1

    fc5b74e5a6e1e4289532c6501ed9b22811528072

  • SHA256

    75b803222917f13da307cd36a22b56e0192860ede2c368cab45d53cef5f4422f

  • SHA512

    ac91de3ed540491307d7bbbf97f578ac42d1d0a17d3f55203f73890c48e1a03df327f45de3a54a4e4a4ba4a8fd524cb5d21d2983f9f28a7d88263e8f6bf98d95

  • SSDEEP

    24576:AzErgh/awe2DzVv99n+oHZIRXs0xWcPhFpyk:AzEkh/dZdv9JzIRXs05Pfpyk

Malware Config

Extracted

Family

formbook

Campaign

snky

Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      Count  ID
  Defense Evasion  Modify Registry                1      T1112
  Discovery        Query Registry                 1      T1012
  Discovery        System Information Discovery   1      T1082

Tasks