formbook | 26c7d3b6ad20ae3c7f44462c4e01d4756ea6ef1d0ad665b806ab3f7ab6b60dba

General

Target

LANXESS India Private Limited.exe
Size

690KB
MD5

bd7ba561c421fc284aa6c30aa840b863
SHA1

01cc6b9876ebee8607b2d230f3d76cdea9bed9d6
SHA256

26c7d3b6ad20ae3c7f44462c4e01d4756ea6ef1d0ad665b806ab3f7ab6b60dba
SHA512

0d1eb1d730b95f69d9c26ed2b31b857c12b6bf76c7047661ed63acd28c4e4208507c1cb2ac73ccce29b3f4b16cd7c5920dd1b8400dade452fcc35d121984640a
SSDEEP

12288:UTcSXWlqraY+2pCSgjxKnkJqy6jSC2mZJbxpDF:9zAnnpCSKKnQqEC2

Score

10^/10

formbook a24e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a24e

Decoy

flormarine.co.uk

theglazingsquad.uk

konarkpharma.com

maxpropertyfinanceuk.co.uk

jackson-ifc.com

yvonneazevedoimoveis.net

baystella.com

arexbaba.online

trihgd.xyz

filth520571.com

cikpkg.cfd

jakesupport.com

8863365.com

duniaslot777.online

lop3a.com

berkut-clan.ru

lernnavigator.com

elenaisaprincess.co.uk

daimadaquan.xyz

mychirocart.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2600-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2600-153-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3228-156-0x0000000000E60000-0x0000000000E8F000-memory.dmp	formbook
behavioral2/memory/3228-167-0x0000000000E60000-0x0000000000E8F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LANXESS India Private Limited.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	LANXESS India Private Limited.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

LANXESS India Private Limited.exeLANXESS India Private Limited.exewlanext.exe

description	pid	process	target process
PID 876 set thread context of 2600	876	LANXESS India Private Limited.exe	LANXESS India Private Limited.exe
PID 2600 set thread context of 1108	2600	LANXESS India Private Limited.exe	Explorer.EXE
PID 3228 set thread context of 1108	3228	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5012 schtasks.exe

pid	process
5012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exeLANXESS India Private Limited.exewlanext.exe

pid	process
3872	powershell.exe
2600	LANXESS India Private Limited.exe
2600	LANXESS India Private Limited.exe
2600	LANXESS India Private Limited.exe
2600	LANXESS India Private Limited.exe
3872	powershell.exe
3228	wlanext.exe
3228	wlanext.exe
3228	wlanext.exe
3228	wlanext.exe
3228	wlanext.exe
3228	wlanext.exe
3228	wlanext.exe
3228	wlanext.exe
3228	wlanext.exe
3228	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

LANXESS India Private Limited.exewlanext.exe

pid	process
2600	LANXESS India Private Limited.exe
2600	LANXESS India Private Limited.exe
2600	LANXESS India Private Limited.exe
3228	wlanext.exe
3228	wlanext.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeLANXESS India Private Limited.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	2600	LANXESS India Private Limited.exe
Token: SeDebugPrivilege	3228	wlanext.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

LANXESS India Private Limited.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 876 wrote to memory of 3872	876	LANXESS India Private Limited.exe	powershell.exe
PID 876 wrote to memory of 3872	876	LANXESS India Private Limited.exe	powershell.exe
PID 876 wrote to memory of 3872	876	LANXESS India Private Limited.exe	powershell.exe
PID 876 wrote to memory of 5012	876	LANXESS India Private Limited.exe	schtasks.exe
PID 876 wrote to memory of 5012	876	LANXESS India Private Limited.exe	schtasks.exe
PID 876 wrote to memory of 5012	876	LANXESS India Private Limited.exe	schtasks.exe
PID 876 wrote to memory of 2600	876	LANXESS India Private Limited.exe	LANXESS India Private Limited.exe
PID 876 wrote to memory of 2600	876	LANXESS India Private Limited.exe	LANXESS India Private Limited.exe
PID 876 wrote to memory of 2600	876	LANXESS India Private Limited.exe	LANXESS India Private Limited.exe
PID 876 wrote to memory of 2600	876	LANXESS India Private Limited.exe	LANXESS India Private Limited.exe
PID 876 wrote to memory of 2600	876	LANXESS India Private Limited.exe	LANXESS India Private Limited.exe
PID 876 wrote to memory of 2600	876	LANXESS India Private Limited.exe	LANXESS India Private Limited.exe
PID 1108 wrote to memory of 3228	1108	Explorer.EXE	wlanext.exe
PID 1108 wrote to memory of 3228	1108	Explorer.EXE	wlanext.exe
PID 1108 wrote to memory of 3228	1108	Explorer.EXE	wlanext.exe
PID 3228 wrote to memory of 1956	3228	wlanext.exe	cmd.exe
PID 3228 wrote to memory of 1956	3228	wlanext.exe	cmd.exe
PID 3228 wrote to memory of 1956	3228	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\LANXESS India Private Limited.exe
  "C:\Users\Admin\AppData\Local\Temp\LANXESS India Private Limited.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cZzdExxEu.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cZzdExxEu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10E3.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5012
- - C:\Users\Admin\AppData\Local\Temp\LANXESS India Private Limited.exe
    "C:\Users\Admin\AppData\Local\Temp\LANXESS India Private Limited.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\LANXESS India Private Limited.exe"
    3⤵
    PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp10E3.tmp

Filesize
1KB

MD5
b34afe6495892c80965b266efdecb90f

SHA1
a81f3dc8470a38900f0da073ebb515925af46f88

SHA256
6996c9c1669bcf93a43e369e9c7ea395887b8b007537e847fc8277ffb7e7b74a

SHA512
bee2ef9c3a6d87a1f90112fd7da8c16c3b7085ca552fc3fc6a13a8453dcd920e8ff44fe74a390286d6e2956cb6fbd2a4ae454c1c61fdb24e869583f97e86027e

Download Submit
memory/876-133-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/876-134-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/876-135-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/876-136-0x00000000013B0000-0x000000000144C000-memory.dmp

Filesize
624KB

Download
memory/876-132-0x00000000009D0000-0x0000000000A82000-memory.dmp

Filesize
712KB

Download
memory/1108-168-0x0000000007030000-0x0000000007154000-memory.dmp

Filesize
1.1MB

Download
memory/1108-166-0x0000000007030000-0x0000000007154000-memory.dmp

Filesize
1.1MB

Download
memory/1108-150-0x0000000002A70000-0x0000000002BA1000-memory.dmp

Filesize
1.2MB

Download
memory/1956-157-0x0000000000000000-mapping.dmp

Download
memory/2600-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-148-0x0000000001420000-0x000000000176A000-memory.dmp

Filesize
3.3MB

Download
memory/2600-149-0x0000000000E40000-0x0000000000E54000-memory.dmp

Filesize
80KB

Download
memory/2600-141-0x0000000000000000-mapping.dmp

Download
memory/2600-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3228-165-0x0000000001470000-0x0000000001503000-memory.dmp

Filesize
588KB

Download
memory/3228-154-0x0000000001550000-0x000000000189A000-memory.dmp

Filesize
3.3MB

Download
memory/3228-156-0x0000000000E60000-0x0000000000E8F000-memory.dmp

Filesize
188KB

Download
memory/3228-155-0x0000000000990000-0x00000000009A7000-memory.dmp

Filesize
92KB

Download
memory/3228-167-0x0000000000E60000-0x0000000000E8F000-memory.dmp

Filesize
188KB

Download
memory/3228-152-0x0000000000000000-mapping.dmp

Download
memory/3872-151-0x0000000005260000-0x000000000527E000-memory.dmp

Filesize
120KB

Download
memory/3872-163-0x0000000007870000-0x000000000787A000-memory.dmp

Filesize
40KB

Download
memory/3872-145-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/3872-144-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/3872-158-0x0000000006AB0000-0x0000000006AE2000-memory.dmp

Filesize
200KB

Download
memory/3872-159-0x0000000070C80000-0x0000000070CCC000-memory.dmp

Filesize
304KB

Download
memory/3872-160-0x0000000006A90000-0x0000000006AAE000-memory.dmp

Filesize
120KB

Download
memory/3872-161-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/3872-162-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/3872-146-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/3872-164-0x0000000007A80000-0x0000000007B16000-memory.dmp

Filesize
600KB

Download
memory/3872-143-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/3872-139-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/3872-171-0x0000000007A40000-0x0000000007A48000-memory.dmp

Filesize
32KB

Download
memory/3872-137-0x0000000000000000-mapping.dmp

Download
memory/3872-169-0x00000000067C0000-0x00000000067CE000-memory.dmp

Filesize
56KB

Download
memory/3872-170-0x0000000007A60000-0x0000000007A7A000-memory.dmp

Filesize
104KB

Download
memory/5012-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads