MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f463640ede2ba652be4fbadf180af9b992917a4100e702c518405ac9ebe3aa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	2f463640ede2ba652be4fbadf180af9b992917a4100e702c518405ac9ebe3aa6
SHA3-384 hash:	3fab792ee9f7e2643033f03f7c1d90c3f7d050fa216b6c78009feddcad59fa36e9d26896e9c3e5b4f2bf09c5276399ec
SHA1 hash:	42c15adf7ceba23fad468cffe2d09e36d7b47b26
MD5 hash:	63398748f1436b50e7a8d89a8f4acb4e
humanhash:	south-tennis-failed-saturn
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	343'552 bytes
First seen:	2023-04-27 19:45:00 UTC
Last seen:	2023-05-04 10:40:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	77e359c59376704055cd15c273e85720 (2 x Fabookie)
ssdeep	6144:xFH8RIT6Fam4StJ3rXDW49wY7SKDuPiaODgKYleQ4HBP:xWdtXDzCStMuP
Threatray	124 similar samples on MalwareBazaar
TLSH	T1F0741981B3DA4028E0B2C679CEB18363EA767C155B3056DF07609E6A6F73BE0D531B25
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	70ccc9b3a9cce070 (19 x Fabookie, 3 x XFilesStealer, 1 x Pony)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from http://ji.ghwiwwff.com/m/oskg25

Intelligence

File Origin

# of uploads :

14

# of downloads :

257

Origin country :

US

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

file

Verdict:

No threats detected

Analysis date:

2023-04-27 19:47:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a4359291-6b64-4330-8019-56b417d7a502

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/385219/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/81650/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

greyware keylogger shell32.dll

Link:

https://www.filescan.io/uploads/644ad0c11facab193c66829d/reports/a6a826e0-9e76-4989-b565-978a0fa06d65/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/2f463640ede2ba652be4fbadf180af9b992917a4100e702c518405ac9ebe3aa6

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/86c98dca-b833-4c05-8c25-c0bb5a03dc49

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1222368

Signature

Detected unpacking (creates a PE file in dynamic memory)

Found stalling execution ending in API Sleep call

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f463640ede2ba652be4fbadf180af9b992917a4100e702c518405ac9ebe3aa6/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f5ddmqhn4k5gkk7e7ow7dafptomssf5ecahhalcrqqc2zhv6hkta._file

Verdict:

malicious

Similar samples:

0dde54786dfb33eb21bceba95d017977c7647a553ef91b1fa1dd7742198b6206

647afe227b07e0b2eee651cf8273b18a225a306c1bfc46119de5d1f6459db409

7bc25b805c7fb261c4ec8ddf78d398e6bbac2f0e066b2469c508b431f44f233e

7e6ba21c2fb7f3f4a422504154c7be3e72380d8770d69fb25eb3a547a6d2ac7e

7ed6f14261acedfbd1154ad17cd277422c532ac159beeb35ee333a14931cd146

857dabcca16bd162b9c3a093fa0e158fd5cba0a47f6331d6a8eb952f67f99c41

902387aa87934a342776e8e81b67323957cb9c1d10288567ca8058a4614a30b0

d16aadf4f239573976d6a589be2f956f9e18167b67ec2bbe1ef9d24686051a09

f50a1f6a4a18f16169d39eae603f6300def0c4c8a8f6ad8807686f243e836314

+ 114 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230427-ygdhaabe81/

Behaviour

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

2f463640ede2ba652be4fbadf180af9b992917a4100e702c518405ac9ebe3aa6

MD5 hash:

63398748f1436b50e7a8d89a8f4acb4e

SHA1 hash:

42c15adf7ceba23fad468cffe2d09e36d7b47b26

Link:

https://www.unpac.me/results/50bd2934-ecc0-4f53-b123-1273aa5de8b4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2f463640ede2ba652be4fbadf180af9b992917a4100e702c518405ac9ebe3aa6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

Cape

https://www.capesandbox.com/analysis/385219/

URLhaus

https://urlhaus.abuse.ch/url/2594534/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample