MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f0ea5ccca24f01452b2f7bada2ab9b591971d50e2b5274c91ea90660465982e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	0f0ea5ccca24f01452b2f7bada2ab9b591971d50e2b5274c91ea90660465982e
SHA3-384 hash:	936f5a645dd02fab81405274a9ddd6d7e2c1772193ce45f4dfd3dbac665ee13015fe5d7928b7257b074b5a1cc51468a1
SHA1 hash:	6c2b8f642ebe6f53968039a2439d80f29c26bafa
MD5 hash:	dc8188815184653ab1c86290f53a480f
humanhash:	illinois-fruit-lemon-harry
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	747'008 bytes
First seen:	2023-06-15 14:37:13 UTC
Last seen:	2023-06-16 11:55:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	76cce652828bca31fae1154b72515990 (1 x Fabookie)
ssdeep	12288:LfNAarI+FXPYumd9gri3HBLhvMasIvd++e2:L1prICPYz9grqBLhvdX
Threatray	194 similar samples on MalwareBazaar
TLSH	T109F42A68FE784161D0A2C47FD6A3D759F27274821B708FC70222476A1E379E59B3A732
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from http://ji.jahhaega2qq.com/m/p0aw25.exe

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-06-15 14:40:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/40eb0d51-32ef-40fb-85a7-2d032c75ab97

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/399229/

Detection(s):

SecuriteInfo.com.Win64.Trojan-gen.21306.18467.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Query of malicious DNS domain

Launching a tool to kill processes

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90872/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin

Link:

https://www.filescan.io/uploads/648b224a75c8c21ebfc9004a/reports/e949c5ec-22dd-4588-a3d3-6d80241b5391/overview

Verdict:

Malicious

Labled as:

HVM:TrojanDownloader/Jeoigaa.a

Link:

https://www.hybrid-analysis.com/sample/0f0ea5ccca24f01452b2f7bada2ab9b591971d50e2b5274c91ea90660465982e

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a35a1d62-1ccc-4260-82d5-d3b9b7d2f804

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1255375

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to steal Chrome passwords or cookies

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0f0ea5ccca24f01452b2f7bada2ab9b591971d50e2b5274c91ea90660465982e/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-06-15 14:38:05 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 23 (60.87%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b4hkltgketybiuvs665nukvzwwizohkq4k2soter5kigmbdftaxa._file

Verdict:

suspicious

Result

Malware family:

fabookie

Score:

10/10

Tags:

family:fabookie spyware stealer

Link:

https://tria.ge/reports/230615-rzpvpshh57/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

Detect Fabookie payload

Fabookie

Unpacked files

SH256 hash:

0f0ea5ccca24f01452b2f7bada2ab9b591971d50e2b5274c91ea90660465982e

MD5 hash:

dc8188815184653ab1c86290f53a480f

SHA1 hash:

6c2b8f642ebe6f53968039a2439d80f29c26bafa

Link:

https://www.unpac.me/results/7b5ff3f6-99c5-4b5e-875d-bf1950aee98f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0f0ea5ccca24f01452b2f7bada2ab9b591971d50e2b5274c91ea90660465982e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2644855/

Cape

https://www.capesandbox.com/analysis/399229/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample