MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
SHA3-384 hash: 49f042b38a8d4aa55a480a3b1f0018f07dad1f2d9681976df85278a0b1c56f8eff83e9b4952caf968706a9bc41075a65
SHA1 hash: 4ba7cab7aafd77a37a2352abe7216e8f30c588a5
MD5 hash: 4179238c49a009468a87403bc51a3d48
humanhash: mike-avocado-apart-grey
File name:1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
Download: download sample
Signature Fabookie
Create hunting rule
File size:4'423'680 bytes
First seen:2023-06-08 02:56:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:295Xve/N7hR1j+Y5+5qBONF+Slju5IhZza8GzAZ2DIv9zMA4q3pGUOW3slcPcYJJ:+5XvOLl+Y5i4OuKjW4BJZVhMA4q3pGUP
Threatray 59 similar samples on MalwareBazaar
TLSH T1A026EF76ACAB84C2D0F334A9ECF5F81C17AE133C3D5AA9D06A3595CC61372962241D7B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Fabookie


Avatar
abuse_ch
Fabookie C2:
http://5.42.65.80/8bmeVwqx/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
8ada0d8273fab2340bdec6e6309dcd2c.exe
Verdict:
Malicious activity
Analysis date:
2023-06-07 18:57:51 UTC
Tags:
loader smoke trojan ransomware stop stealer vidar amadey gcleaner rat redline miner
Link:
https://app.any.run/tasks/985978f5-538c-4a98-80a8-345fd8f52c61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396774/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.9891.18043.15754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Searching for the window
Creating a process with a hidden window
Sending a custom TCP request
DNS request
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP POST request
Adding an access-denied ACE
Running batch commands
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/6481437f5598b5cc79e470fa/reports/afc3928f-f6c6-4216-b338-c927b951ddde/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Fabookie
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d654b60e-21f8-40bf-8a73-463fbc6e6c49
Result
Threat name:
Amadey, Fabookie, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1250808
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 883843 Sample: 1adda3b870c28e6ae33226565b2... Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 86 Snort IDS alert for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 15 other signatures 2->92 9 1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe 5 2->9         started        12 updater.exe 2->12         started        15 cmd.exe 2->15         started        17 9 other processes 2->17 process3 file4 66 C:\Users\user\AppData\Local\...\oldplayer.exe, PE32 9->66 dropped 68 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 9->68 dropped 70 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 9->70 dropped 72 1adda3b870c28e6ae3...d65adf7a530.exe.log, CSV 9->72 dropped 19 oldplayer.exe 3 9->19         started        23 XandETC.exe 3 9->23         started        25 aafg31.exe 14 9->25         started        74 C:\Windows\Temp\aadgyxmr.tmp, PE32+ 12->74 dropped 76 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 12->76 dropped 116 Writes to foreign memory regions 12->116 118 Modifies the context of a thread in another process (thread injection) 12->118 120 Adds a directory exclusion to Windows Defender 12->120 130 2 other signatures 12->130 28 powershell.exe 12->28         started        122 Uses cmd line tools excessively to alter registry or file data 15->122 124 Uses powercfg.exe to modify the power settings 15->124 126 Modifies power options to not sleep / hibernate 15->126 30 conhost.exe 15->30         started        36 10 other processes 15->36 128 Creates files in the system32 config directory 17->128 32 conhost.exe 17->32         started        34 conhost.exe 17->34         started        38 20 other processes 17->38 signatures5 process6 dnsIp7 60 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 19->60 dropped 94 Antivirus detection for dropped file 19->94 96 Multi AV Scanner detection for dropped file 19->96 98 Machine Learning detection for dropped file 19->98 100 Contains functionality to inject code into remote processes 19->100 40 oneetx.exe 13 19->40         started        62 C:\Program Files62otepad\Chrome\updater.exe, PE32+ 23->62 dropped 102 Adds a directory exclusion to Windows Defender 23->102 80 us.imgjeoigaa.com 154.221.19.146 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 25->80 82 as.imgjeoigaa.com 39.109.117.57 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 25->82 84 8 other IPs or domains 25->84 64 C:\Users\...\54f63c97c6b73aef3905128f3e0c3b26, SQLite 25->64 dropped 104 Tries to harvest and steal browser information (history, passwords, etc) 25->104 106 Creates files in the system32 config directory 28->106 44 conhost.exe 28->44         started        file8 signatures9 process10 dnsIp11 78 5.42.65.80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 40->78 108 Antivirus detection for dropped file 40->108 110 Multi AV Scanner detection for dropped file 40->110 112 Creates an undocumented autostart registry key 40->112 114 2 other signatures 40->114 46 cmd.exe 1 40->46         started        48 schtasks.exe 1 40->48         started        signatures12 process13 process14 50 conhost.exe 46->50         started        52 cmd.exe 1 46->52         started        54 cmd.exe 1 46->54         started        58 4 other processes 46->58 56 conhost.exe 48->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746/
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-06-07 20:09:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlo2hodqykhgvyzsezlfwlzr5p7nmww7pjjqvcbuaqbbcbdri5da._file
Verdict:
malicious
Similar samples:
107c9c7d4ae2a5116eb395a8a5fc6e4de7b9fe60bf7ccadcbb7c14ae1049cdac
Fabookie
64d45bc38d4a4e60a23bb5fa06a2b99ec40bd86c8f0cdd7c68736ab192569e49
Fabookie
8c59cea2a091b26c5425abff05bd9cbd49de05cc852148048f81e86bdd6a3a96
Fabookie
a913b2046e7d919cc02f7fe509eb50d674cdf21be7122295fcaf9e5acdcfc3ac
Fabookie
cdb7f634e8702dfb8789473967567a935b941ec0a3e7f2228d5477782122a47a
Fabookie
d2611672b10dad989a692cd8105c84420c129ec876601c5192c7303fdc5ccc3f
Fabookie
f1c89c1085ed01fc56fe12cc23d1a98f5c9b0029fe45cb425f5ffb62d8e71176
Fabookie
fc6b1d6a4d1aa5b2532dad1011db9a0bbf549e56e168061f56c5b5d755bd0ed4
Fabookie
+ 49 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:fabookie family:gcleaner family:glupteba family:smokeloader family:xmrig botnet:up3 backdoor discovery dropper evasion loader miner persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/230608-dfk6hsbg6z/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Detect Fabookie payload
Fabookie
GCleaner
Glupteba
Glupteba payload
Modifies security service
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
MD5 hash:
4179238c49a009468a87403bc51a3d48
SHA1 hash:
4ba7cab7aafd77a37a2352abe7216e8f30c588a5
Link:
https://www.unpac.me/results/762e5f6f-501b-4e52-a0dd-ca95bae7b5d8/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1adda3b870c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe 1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2647221/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/396774/

Comments