MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2688c4f64f2d9eeb929cbbe30f99b4b6d592163f509c2845398c638fb2c19a4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2688c4f64f2d9eeb929cbbe30f99b4b6d592163f509c2845398c638fb2c19a4f
SHA3-384 hash: d9f4dd95c7085272855d4678f9aa64d10610543f0df6dae9896b4c8f28231f7e63d17957e4a0ef55cea61104a4b9aef3
SHA1 hash: 85d352c696b4dd822ae6ab81d8a245ced3640991
MD5 hash: 60dcece81ae04993c4e1b6944536de67
humanhash: minnesota-seven-south-zulu
File name:UPS-FORM.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:323'584 bytes
First seen:2020-06-17 06:24:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:5FsSc6eTRItZot3jkbHz2XdNSofCagcoHWvnMVysi2IALSy2bZ:5dc6eTR4Ct+EdvCOCWMVtVzOZ
Threatray 5'138 similar samples on MalwareBazaar
TLSH 0864F10777DCC615C57D1A3AC8EA446403B8AF652A22E31E3BC8336E1D927D79D1728E
Reporter abuse_ch
Tags:exe FormBook UPS


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: srv.epromnet.com
Sending IP: 37.230.104.10
From: UPS
Subject: ✉ [RESEND] UPS Shipment Notification
Attachment: UPS-FORM.ISO (contains "UPS-FORM.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19149/
Detection(s):
SecuriteInfo.com.FakeAlert.9060.1798.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 06:26:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2emj5spfwpoxeu4xprq7gnuw3kzefr7kcocqrjzrrry7mwbtjhq._file
Verdict:
malicious
Similar samples:
0098bf2ef8230d9bb30b451868272ffb271fe63a8c248bfc9ce569991c19f279
FormBook
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
4359188e33f22ea7022cb6e57a3870f2613a1c37dbc483475e02b38cde5bfa8e
FormBook
46d500e1f512e941b4c282d92908fb244439bede7a604381f761823d66f8ba2f
FormBook
783c6835be34af1803983890ec14e1edb2ac7cef4442dff43cddb719d97236b2
FormBook
8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2
FormBook
8f684309eb4b620c8b81b30aa2d1b8f09d3f8e3dd69dadfb69f7b6db8e1bb1e3
FormBook
97d8ae62cb751e857b04d9eaa68ee2acce3d7243009bdb04639a729cdfc7cbf3
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
FormBook
+ 5'128 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware evasion trojan
Link:
https://tria.ge/reports/200624-s7zgl3tyq6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

iso e8a3d04bf42c517f73164c962bbdcb55bb7ddedf3740e227b21d874be659ea80

FormBook

Executable exe 2688c4f64f2d9eeb929cbbe30f99b4b6d592163f509c2845398c638fb2c19a4f

(this sample)

  
Dropped by
MD5 20c4138adc6960e39b59916727ba58d7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e8a3d04bf42c517f73164c962bbdcb55bb7ddedf3740e227b21d874be659ea80
Cape
Cape
https://www.capesandbox.com/analysis/19149/

Comments