MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff76bc4da9995c9d30edd3b54e838fa5f3c55f5a12a8509d82b2e4837b55510. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ff76bc4da9995c9d30edd3b54e838fa5f3c55f5a12a8509d82b2e4837b55510
SHA3-384 hash: 587988a74d0f6fc7f864403ce9c88076b9740c0d16a07e9e82d5036b39ca3de4f0e3cc75285e34067168825d3a272de4
SHA1 hash: 13440890588d96a8368f38a3a3c7443fe0fd469e
MD5 hash: 3dcc72414d99aa5ceabda8a5b40fe399
humanhash: item-finch-shade-gee
File name:file
Download: download sample
Signature Fabookie
Create hunting rule
File size:3'646'976 bytes
First seen:2023-01-27 13:19:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 245fbb05d3da4d7c6badd5cc3e1f9b98 (38 x Fabookie)
ssdeep 98304:HLFOidULVjcU+qOMI7wlJO9en30WfR+k1:HxOtJjckvI7KkA3L+k1
Threatray 68 similar samples on MalwareBazaar
TLSH T1E1F512FD228C371CC01FC8B49533EE0565B5AA2E06E5A57EB9DBBAD0779F414D602B02
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Reporter jstrosch
Tags:exe Fabookie X64

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-27 10:44:02 UTC
Tags:
trojan ransomware stop loader stealer vidar smoke
Link:
https://app.any.run/tasks/ea6157d8-aecd-4c4e-a7a6-082eb88de241

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357398/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d3cf8789bd67c10fdabebf/reports/d79dcd08-1b92-4949-8219-802038b16c06/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/62bd5ed6-196b-45af-a8e8-2a9304728989
Result
Threat name:
Fabookie
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1160218
Signature
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Fabookie
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ff76bc4da9995c9d30edd3b54e838fa5f3c55f5a12a8509d82b2e4837b55510/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-27 13:20:09 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f73wxrg2tgk4tuyo3u5vj2by7jptyvpvuevikcoyfmxeqn5vkuia._file
Verdict:
unknown
Similar samples:
237dfa3dc48e011134c0f69943c0e9e8f416f4fbe13ce4d9bd985bfca140a04b
Fabookie
27f8336ed33e60ace8c457bbb709e1028d97e95ad47eacee060910fd3fd22707
Fabookie
3bc5aeaef207360662cdca63b437207215a5e57e95366b2cd0aabaeed3d69d47
Fabookie
770f5dd12ebd181ae5f0d4b07c99f6fff3ac5becc2ea827869c40d2138ef0dd3
Fabookie
9869984c762f83d237d05082a6bcaaf680e388a7c9af167e3e28085145996526
Fabookie
c26a178b9957a5f6b66b0da22dc1071f0635c7d31864cb1db45083ec9ed26310
Fabookie
cbff9eff60b3fba4e8cbf0f85385ea9fb65e09836326aee1cd77ae502d0d2011
Fabookie
d4ff6cb5b9e63e70c0289d4ccea66e6bacef58615b647295bb371a85980e38c3
Fabookie
fdc49fe7399295c60c73482ab79076648716a91300aab604fb251916c2bac250
Fabookie
+ 58 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/230127-qk384sbc63/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
VMProtect packed file
Unpacked files
SH256 hash:
2ff76bc4da9995c9d30edd3b54e838fa5f3c55f5a12a8509d82b2e4837b55510
MD5 hash:
3dcc72414d99aa5ceabda8a5b40fe399
SHA1 hash:
13440890588d96a8368f38a3a3c7443fe0fd469e
Link:
https://www.unpac.me/results/f6c72814-689b-42b7-bb9b-d5a66ec3db30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2ff76bc4da9995c9d30edd3b54e838fa5f3c55f5a12a8509d82b2e4837b55510

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe 2ff76bc4da9995c9d30edd3b54e838fa5f3c55f5a12a8509d82b2e4837b55510

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/357398/
  
URLhaus
https://urlhaus.abuse.ch/url/2489067/

Comments