MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48b3b5e521f2b126baedcef1c91827570effa898e054ae6f7e215203454955f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48b3b5e521f2b126baedcef1c91827570effa898e054ae6f7e215203454955f4
SHA3-384 hash: 365a3fe599686edacc9062ac707bd6978513f92169fc800241779f8d53b44c3e7577d58507f844ac6c52b440523d2ee5
SHA1 hash: c988cebc96bc58f76fe6d5a93420798f5b27f4bb
MD5 hash: 0b7434ca22cfd570e60beabbc3ab68ad
humanhash: violet-sixteen-purple-oklahoma
File name:file
Download: download sample
Signature Fabookie
Create hunting rule
File size:3'647'488 bytes
First seen:2023-01-16 23:06:54 UTC
Last seen:2023-01-17 01:16:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 245fbb05d3da4d7c6badd5cc3e1f9b98 (38 x Fabookie)
ssdeep 98304:Wxn+PtXyItnnjEeisomlGynq8bQjD8gJQW:Wxn+Fi6nnRisomoynq/JL
Threatray 2 similar samples on MalwareBazaar
TLSH T1B1F502BC6288375CC41BC8745527FD84B2B5561E03FDE5AAF1EB3A807BAB414DA02F46
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Reporter jstrosch
Tags:exe Fabookie X64

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-01-16 23:12:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/53ccd993-3d6b-45d8-927f-b19f5a691232

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353580/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65015938.29545.20245.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c5d8a5afdaca54d438978f/reports/2369a9eb-58e7-491a-806b-e082fa89e907/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8ebb8483-7e00-4027-b922-cdb249365f87
Result
Threat name:
Fabookie
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1152670
Signature
Antivirus detection for URL or domain
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Fabookie
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48b3b5e521f2b126baedcef1c91827570effa898e054ae6f7e215203454955f4/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-16 09:27:39 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 39 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcz3lzjb6kysnoxnz3y4sgbhk4hp7key4bkk4336efjagrkjkx2a._file
Verdict:
malicious
Similar samples:
86c18ece485bd831afd99d3306c5a7944d34f3b36974458d390a76d7280d416b
Fabookie
d3b87ec103a87ec23a322592a754d114500a0863d7536dc4b105d2671ac453be
Fabookie
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/230116-23z5ysfa59/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
VMProtect packed file
Unpacked files
SH256 hash:
48b3b5e521f2b126baedcef1c91827570effa898e054ae6f7e215203454955f4
MD5 hash:
0b7434ca22cfd570e60beabbc3ab68ad
SHA1 hash:
c988cebc96bc58f76fe6d5a93420798f5b27f4bb
Link:
https://www.unpac.me/results/57ac4902-4da3-4661-9b9e-7c3ccc1a6081/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/48b3b5e521f2b126baedcef1c91827570effa898e054ae6f7e215203454955f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe 48b3b5e521f2b126baedcef1c91827570effa898e054ae6f7e215203454955f4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2385449/
  
URLhaus
https://urlhaus.abuse.ch/url/2451148/
Cape
Cape
https://www.capesandbox.com/analysis/353580/

Comments