MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 068f44c4be9fe6476e001c866876b9495f6ad03835807364ea7eb499037aa6a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Fabookie


Vendor detections: 12



SHA256 hash: 068f44c4be9fe6476e001c866876b9495f6ad03835807364ea7eb499037aa6a9
SHA3-384 hash: 39ce6130f460ba6a1dc366c03755d0897176bb1da42823f03c8a8abacf893b6e57244ebf2c902621a713be929ff4c54f
SHA1 hash: be59a4fc4dc769b2ebe64a80de8ca4b435ad16a7
MD5 hash: e23d462d0311b34d4a025a7e594e9ed7
humanhash: michigan-bravo-magazine-south
File name:file
Signature Fabookie
File size:1'059'704 bytes
First seen:2024-01-29 16:48:33 UTC
Last seen:2024-01-30 17:13:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:wtF5TWrTZrtYbfcR2YfUpxrKl0XinWMCyFCd:wtFd8bYbfs2XpklwinFwd
Threatray 4 similar samples on MalwareBazaar
TLSH T1E335239113F96FA6EA2A43FA3065414173B0AA6FBD71D73E0DC001DD4C61BB1E6A2B13
TrID 30.6% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Bitsight
Tags:exe Fabookie signed

Code Signing Certificate

Organisation:installRox inc
Issuer:installRox inc
Algorithm:sha256WithRSAEncryption
Valid from:2024-01-25T18:57:03Z
Valid to:2025-01-25T18:57:03Z
Serial number: e6362f131ab920927268baf3e24baf28
Thumbprint Algorithm:SHA256
Thumbprint: 7c0a1524de81e521ac2b0300273c393414580d63cd3f23760c16ce994cbc3ab6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Bitsight
Sample downloaded from http://15.204.49.148/files/Setup11.exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 348
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Fabookie
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Disables UAC (registry)
Drops script or batch files to the startup folder
Malicious sample detected (through community Yara rule)
Modifies Chrome's extension installation force list
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected UAC Bypass using CMSTP
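Several of the signatures above (the Defender exclusion added through a Base64-encoded MpPreference cmdlet, UAC disabled via the registry, the Chrome extension force-install list) are behaviours an endpoint detection can look for directly. The Python below is an added example written for this page, not MalwareBazaar's or any vendor's code and not the Sigma rule itself: it decodes PowerShell -EncodedCommand payloads (UTF-16LE, then Base64) and looks for Add-/Set-MpPreference with an exclusion parameter, and it flags registry writes that set EnableLUA to 0, land under the Windows Defender Exclusions key, or populate Chrome's ExtensionInstallForcelist policy key. The event records are constructed to resemble Sysmon process-creation (EventID 1) and registry value-set (EventID 13) events; the field names, image paths and the placeholder extension id are assumptions.

```python
"""Detection checks for the Defender-exclusion, UAC and Chrome force-list
behaviours named in the sandbox signatures. Added example, not MalwareBazaar
or vendor code. Event records are constructed to resemble Sysmon
process-creation (EventID 1) and registry value-set (EventID 13) events;
the field names and sample paths are assumptions."""
import base64
import re

# Registry locations behind the signatures (well-known Windows key paths).
UAC_ENABLELUA = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
DEFENDER_EXCLUSIONS = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
CHROME_FORCELIST = r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"

# Add-/Set-MpPreference followed by any of the exclusion parameters.
MPPREF_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)", re.I | re.S)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); the Base64 blob that follows must be at least 16 characters.
ENCODED_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.I)


def encode_command(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # switch looked like -enc but the blob was not a PowerShell payload


def check_process(event):
    """Process-creation event: MpPreference exclusion cmdlet, plain or encoded."""
    cmdline = event.get("CommandLine", "")
    if MPPREF_RE.search(cmdline):
        return ["defender_exclusion_cmdlet"]
    decoded = decode_encoded_command(cmdline)
    if decoded and MPPREF_RE.search(decoded):
        return ["defender_exclusion_cmdlet_base64"]
    return []


def _under(target, key):
    """True when target is a value or subkey beneath key (case-insensitive)."""
    return target.lower().startswith(key.lower() + "\\")


def check_registry(event):
    """Registry value-set event: UAC off, Defender exclusion, Chrome force-install."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    hits = []
    if target.lower() == UAC_ENABLELUA.lower():
        m = DWORD_RE.search(details)
        if m and int(m.group(1), 16) == 0:
            hits.append("uac_disabled_enablelua")
    if _under(target, DEFENDER_EXCLUSIONS):
        hits.append("defender_exclusion_registry")
    if _under(target, CHROME_FORCELIST):
        hits.append("chrome_extension_forcelist")
    return hits


def run_detections(events):
    """Return (image, finding) pairs for every event that matched a check."""
    findings = []
    for ev in events:
        checker = check_process if ev["EventID"] == 1 else check_registry
        findings.extend((ev["Image"], hit) for hit in checker(ev))
    return findings


# Constructed sample events (not taken from the sandbox report above).
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(
         r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'")},
    {"EventID": 1, "Image": POWERSHELL,  # benign: no encoded payload, no cmdlet
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\file.exe",
     "TargetObject": UAC_ENABLELUA, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\file.exe",
     "TargetObject": DEFENDER_EXCLUSIONS + r"\Paths\C:\Users\user\AppData\Local\Temp",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\setup.tmp",
     "TargetObject": CHROME_FORCELIST + r"\1",  # placeholder extension id below
     "Details": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign registry write
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, hit in run_detections(SAMPLE_EVENTS):
        print(f"{hit:34} {image}")
```

Decoding the payload rather than string-matching its Base64 form is what makes the check independent of the three alignment variants a UTF-16LE Base64 string can take; the cost is that the switch regex has to accept every prefix of -EncodedCommand, so a failed decode is treated as "not a payload" rather than as a hit. The registry checks key on the target path only, which is deliberate: a Defender exclusion or a force-installed extension is worth a look regardless of the value written.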
Behaviour
Behavior Graph:
Behavior Graph ID: 1382860
Sample: file.exe
Start date: 29/01/2024
Architecture: WINDOWS
Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 12 other signatures

Process tree (network contacts, dropped files and signatures per process):

file.exe
  Contacts: 172.67.207.116 (CLOUDFLARENETUS, United States)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Adds extensions / path to Windows Defender exclusion list (Registry); Adds a directory exclusion to Windows Defender; Disables UAC (registry)
  CasPol.exe
    Contacts: 107.167.110.211 (OPERASOFTWAREUS, United States); 107.167.110.216 (OPERASOFTWAREUS, United States); 11 other IPs or domains
    Drops: C:\Users\...\cFp9psjE2BL3bt08X9Pzbgvu.exe (PE32); C:\Users\...\ZqtyqmRX54EskFg3NqP6XguX.exe (PE32+); C:\Users\...\Y9O3mHXY9N8jr14Mij5DDCNS.exe (PE32); 41 other files (38 malicious)
    Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior)
    5cXZT6GbPol5l8nPLXU7n9a4.exe
      Drops: C:\Users\...\5cXZT6GbPol5l8nPLXU7n9a4.tmp (PE32)
      5cXZT6GbPol5l8nPLXU7n9a4.tmp
        Drops: C:\Windows\unins000.exe (copy) (PE32); 2 other files (1 malicious)
        Signatures: Modifies Chrome's extension installation force list
    AFS6zLe0o3edVwuX2axAiMtV.exe
      Drops: C:\Users\...\862ff09c66ace4c6f2f7a747ef566687 (SQLite)
      Signatures: Detected unpacking (creates a PE file in dynamic memory); Tries to harvest and steal browser information (history, passwords, etc)
    ZqtyqmRX54EskFg3NqP6XguX.exe
      Drops: C:\Users\...\d7f4e48f89b2d497fbc7f45ffa9d870b (SQLite)
    11 other processes
      Contacts: 74.201.73.52 (DEDICATEDUS, United States); 1.1.1.1 (CLOUDFLARENETUS, Australia); 2 other IPs or domains
      Drops: C:\Users\...\XqHkJ9tHTYVwNr8QhvAV6xv5.tmp (PE32); C:\Users\...\Y9O3mHXY9N8jr14Mij5DDCNS.tmp (PE32); C:\Users\...\WBJQWNhaWXTT8MrnPSNISGKk.tmp (PE32); 3 other malicious files
      Signatures: Multi AV Scanner detection for dropped file
      XqHkJ9tHTYVwNr8QhvAV6xv5.tmp
        Drops: 2 other files (1 malicious)
      cFp9psjE2BL3bt08X9Pzbgvu.tmp
        Drops: 2 other files (1 malicious)
      zgubBHYQOvQQR2wH6XfU1V9n.tmp
        Drops: 2 other files (1 malicious)
      3 other processes
        Drops: C:\Windows\is-UL0R1.tmp (PE32); 5 other files (2 malicious)
  powershell.exe
    conhost.exe
    WmiPrvSE.exe
    Conhost.exe
cmd.exe
  1UWGhcJkbJGNFo2d0TuCL0jd.exe
    Drops: C:\Users\...\1UWGhcJkbJGNFo2d0TuCL0jd.tmp (PE32)
    1UWGhcJkbJGNFo2d0TuCL0jd.tmp
      1UWGhcJkbJGNFo2d0TuCL0jd.exe
        Drops: C:\Users\...\1UWGhcJkbJGNFo2d0TuCL0jd.tmp (PE32)
        1UWGhcJkbJGNFo2d0TuCL0jd.tmp
          Drops: C:\Windows\is-RJSP4.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      Conhost.exe
  conhost.exe
cmd.exe
  EprmaGHNQWCiFTL1AiObLnZC.exe
    Drops: C:\Users\...prmaGHNQWCiFTL1AiObLnZC.tmp (PE32)
    EprmaGHNQWCiFTL1AiObLnZC.tmp
      EprmaGHNQWCiFTL1AiObLnZC.exe
        Drops: C:\Users\...prmaGHNQWCiFTL1AiObLnZC.tmp (PE32)
        EprmaGHNQWCiFTL1AiObLnZC.tmp
          Drops: C:\Windows\is-8SOEB.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
  conhost.exe
7 other processes
  fyZ4hAcSN7JSHbH1Rkj5wleW.exe
    Signatures: Multi AV Scanner detection for dropped file
  FUBZmRDEwGrLgBiWBGin3Wzn.exe
  7 other processes
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2024-01-29 16:49:06 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba discovery dropper evasion loader persistence ransomware rootkit spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 3957e0e728e8fa64992daa19b89bef33a74e069370f95179775d7b00172075b7
MD5 hash: 51ece7c116fb9adccad641bb5ed2e9db
SHA1 hash: fdd2040f13688b00532d2eb9c5794d62772fd7fc

SHA256 hash: 068f44c4be9fe6476e001c866876b9495f6ad03835807364ea7eb499037aa6a9
MD5 hash: e23d462d0311b34d4a025a7e594e9ed7
SHA1 hash: be59a4fc4dc769b2ebe64a80de8ca4b435ad16a7
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments