MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b8c18d4a44f25540f66bc669ca2ad0131c9ee6ce011ff62a1b41eff2d418ad5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b8c18d4a44f25540f66bc669ca2ad0131c9ee6ce011ff62a1b41eff2d418ad5
SHA3-384 hash: f7edc76ba3d5dd65e28d3a43b75e5b41653c63b6ab1bd224a23c21d291c3d77b22f262c2912b6d928a1b0a22f244b75c
SHA1 hash: 5494df6bc862691e85fe43340edc644ccb1276a7
MD5 hash: 952376173fb58a82cf31292f05bd6671
humanhash: september-carolina-black-sink
File name:file
Download: download sample
Signature Fabookie
Create hunting rule
File size:591'355 bytes
First seen:2023-08-16 10:12:28 UTC
Last seen:2023-08-16 14:33:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f7cc0f5167c2e87d5d2573013f2660f (11 x Fabookie)
ssdeep 6144:kXMPxMBUQCE2kWCZ3j9Z0CIBiNmpxyN90vEfjx+yOxRU3RaMDYgJBbrasGi3+EXC:MMPxMoEVBkCIKWy90XnMaEt+i3+dZaU
Threatray 438 similar samples on MalwareBazaar
TLSH T121C4BE12AB15DFB8F0C7C876BD70410218E8B409A758B57E96CDDC700A3BC56ADB5AF2
TrID 31.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.5% (.SCR) Windows screen saver (13097/50/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:exe Fabookie


Avatar
andretavare5
Sample downloaded from http://zzz.fhauiehgha.com/m/okka25.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
279
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://www.evarlic.com/wp-content/uploads/pass1234_setup.7z
Verdict:
Malicious activity
Analysis date:
2023-08-16 09:30:43 UTC
Tags:
privateloader opendir evasion risepro stealer stealc fabookie redline loader smoke trojan payload amadey ransomware stop lgoogloader
Link:
https://app.any.run/tasks/b0e6da43-04a5-4925-81d9-7f20d6cd1a55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442999/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.1705.13346.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending an HTTP GET request
DNS request
Query of malicious DNS domain
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin msiexec overlay packed shell32 swrort
Link:
https://www.filescan.io/uploads/64dca12f9489ac1ead34df88/reports/87888163-abd8-43da-af29-603eb6644787/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1b8c18d4a44f25540f66bc669ca2ad0131c9ee6ce011ff62a1b41eff2d418ad5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/95332dec-10fe-40d8-b23e-f6d28a1b7a2f
Result
Threat name:
Fabookie
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292003
Signature
Antivirus detection for URL or domain
Contains functionality to steal Chrome passwords or cookies
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Yara detected Fabookie
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b8c18d4a44f25540f66bc669ca2ad0131c9ee6ce011ff62a1b41eff2d418ad5/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-16 04:30:36 UTC
File Type:
PE+ (Exe)
Extracted files:
21
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dogbrvfej4svid3gxrtjzivnaey4t3tm4ai76yvbwqpp6lkbrlkq._file
Verdict:
malicious
Similar samples:
0c94b6af18776b468cf320c4404e542cdbe1e8ef3e988b3cf2a6a8ea9c6804c7
Fabookie
23392bff27ee35d1741c5e8ebeeca33695510b025ef71e1eb0131cb82b6b26ed
Fabookie
385085d13fce8c2645337c072a9178fa3adc98b1382b9c7c9c29c3c3c1177dd2
Fabookie
74d559ebeccc73bc9cc42e3725fe0c5fb69357d9a1a4812106cce5bf3c06394f
Fabookie
811b439a6694a4b67e86dfe072473d7b18fe54039840f89c9b9b1e3a1ed69084
Fabookie
a07c7ceca330c2c46b54cf70b047503d02d76475d22c0b0bb6f6f2dfc5c05b5d
Fabookie
b2a158da052151b4f014ef986411922ab50d8c23e9ba63bb7535709253459666
Fabookie
c6f1c4643dcc47ecfe495407c7ef7fcdae641f554ff005cac496695c9a3b6acf
Fabookie
cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de
Fabookie
d440158b91d965693007b539131704b3bdd72e864b5adc1c0e230213acd3d97b
Fabookie
+ 428 additional samples on MalwareBazaar
Result
Malware family:
fabookie
Create hunting rule
Score:
  10/10
Tags:
family:fabookie spyware stealer
Link:
https://tria.ge/reports/230816-l83j9sca2s/
Behaviour
Modifies system certificate store
Reads user/profile data of web browsers
Detect Fabookie payload
Fabookie
Unpacked files
SH256 hash:
1b8c18d4a44f25540f66bc669ca2ad0131c9ee6ce011ff62a1b41eff2d418ad5
MD5 hash:
952376173fb58a82cf31292f05bd6671
SHA1 hash:
5494df6bc862691e85fe43340edc644ccb1276a7
Link:
https://www.unpac.me/results/d70b3976-db8f-4b2f-8e62-9de047400993/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b8c18d4a44f25540f66bc669ca2ad0131c9ee6ce011ff62a1b41eff2d418ad5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2672595/
  
URLhaus
https://urlhaus.abuse.ch/url/2679042/
Cape
Cape
https://www.capesandbox.com/analysis/442999/

Comments