MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fc7a638c089e78aaa0b97f39791a8ac3369f802dac968d1a5300eaba7e7d29b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Fabookie


Vendor detections: 15



SHA256 hash: 3fc7a638c089e78aaa0b97f39791a8ac3369f802dac968d1a5300eaba7e7d29b
SHA3-384 hash: 6cd862425506829f9939d0d4ea5c4d3f975e73a2f19408bb23caa878ac75fea7ee1197d45d67096677c396d3b028bf21
SHA1 hash: 033811b6730b25052c147a1959a9f12f3c32604a
MD5 hash: 88178f41186eed26ac22a28fcc3bbdd0
humanhash: fanta-sink-artist-echo
File name: 88178f41186eed26ac22a28fcc3bbdd0.exe
Signature: Fabookie
File size: 1'368'576 bytes
First seen: 2023-10-02 18:03:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:pRj6D6FKo9+betsmgOd3eWApsmuIfCQmgXAQRlmiKHpbThpK2NGkAA/kY07:pRQjo8CGbOdipsmuCC3JHpb1DG9
TLSH: T1B5550255F2F4A549D9E20A75DD3072E892B1A2137202F794DCA8E2D93C6C7D78BC03A7
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: abuse_ch
Tags: exe Fabookie

Intelligence


File Origin
# of uploads:
1
# of downloads:
300
Origin country:
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
http://185.225.74.144/files/
Verdict:
Malicious activity
Analysis date:
2023-10-03 16:06:22 UTC
Tags:
opendir loader gcleaner fabookie stealer smoke onlylogger danabot amadey botnet trojan danabot-unpacked privateloader evasion g0njxa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a window
Creating a file in the %temp% subdirectories
Blocking the User Account Control
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
formbook
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Fabookie, Glupteba, LummaC Stealer, Smok
Detection:
malicious
Classification:
troj.spyw.expl.evad.adwa
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Stop multiple services
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
[Behavior graph rendered as an image on the original page; not reproduced here. Graph metadata: ID 1318210, sample yQEJKg0s78.exe, start date 02/10/2023, architecture WINDOWS, score 100.]
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Status:
Malicious
First seen:
2023-10-02 10:58:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
fabookie
Score:
10/10
Tags:
family:fabookie evasion spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
UPX packed file
Windows security modification
Downloads MZ/PE file
Stops running service(s)
Detect Fabookie payload
Fabookie
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://app.nnnaajjjgc.com/check/safe
Unpacked files
SHA256 hash:
ffb08a41717bcf0a555c5bedaa5048f3c73a0c74c73a982abda29af5425a90b4
MD5 hash:
bfa1b8cda9a30c187e184331a9ac32dd
SHA1 hash:
e875a2938fb0da32f4b1f6189d51a16efbff11eb
SHA256 hash:
3fc7a638c089e78aaa0b97f39791a8ac3369f802dac968d1a5300eaba7e7d29b
MD5 hash:
88178f41186eed26ac22a28fcc3bbdd0
SHA1 hash:
033811b6730b25052c147a1959a9f12f3c32604a
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Fabookie
File: Executable exe 3fc7a638c089e78aaa0b97f39791a8ac3369f802dac968d1a5300eaba7e7d29b (this sample)

Delivery method: Distributed via web download
