MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5969b46b8fa8960b6b7f92952d9a10cd63b1175f39633d2bc5ca890438353646. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5969b46b8fa8960b6b7f92952d9a10cd63b1175f39633d2bc5ca890438353646
SHA3-384 hash: f3b3c831ab8ae2050b1cbec761fa2e006d5a0ec4db2f769c594514ebf333aca32f95183e7f9f3aa7944a34ead496e4cf
SHA1 hash: a1517882a31a326ad1c78677cb80ba7c234d2d96
MD5 hash: eedd7ab914b7822fcb3e36b0e9bf9b6f
humanhash: golf-lima-summer-zulu
File name:09563599.exe
Download: download sample
Signature Fabookie
Create hunting rule
File size:297'984 bytes
First seen:2023-05-27 09:04:14 UTC
Last seen:2023-05-27 09:50:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 697c6731df2df92c82c75859d21c5f77 (4 x Glupteba, 4 x Stop, 2 x Smoke Loader)
ssdeep 3072:Grz2YThTaDYG4d5kik/R0/WsZ4cT3EQpACMciVVeKCup/UniUm5Qk9A:kz2YMDYG48Rgv423EQuCMc6kKCA/Ck
Threatray 2'013 similar samples on MalwareBazaar
TLSH T1FC543A0392E17DD4F9264A739E1ECAE8379DF6548F49376A22586AEF04F01B2D173381
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 80a8a09480808c00 (1 x Fabookie)
Reporter Neiki
Tags:Fabookie

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
09563599.exe
Verdict:
Malicious activity
Analysis date:
2023-05-27 09:07:35 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/6654a722-0fca-4a0f-ba74-57046c164d1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392474/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Creating a window
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/6471c7c05ccc03061926669a/reports/52a75e3d-46f3-436c-96ad-78b4ba691259/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5969b46b8fa8960b6b7f92952d9a10cd63b1175f39633d2bc5ca890438353646
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/250cab00-302e-4adf-af05-d538d8a7f2cb
Result
Threat name:
Amadey, Babuk, Clipboard Hijacker, Djvu,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243750
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876755 Sample: 09563599.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 130 zexeq.com 2->130 132 t.me 2->132 134 5 other IPs or domains 2->134 152 Snort IDS alert for network traffic 2->152 154 Multi AV Scanner detection for domain / URL 2->154 156 Found malware configuration 2->156 158 18 other signatures 2->158 14 09563599.exe 2->14         started        17 fhhbvrs 2->17         started        19 3CD9.exe 2->19         started        signatures3 process4 signatures5 214 Detected unpacking (changes PE section rights) 14->214 216 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->216 218 Maps a DLL or memory area into another process 14->218 21 explorer.exe 10 56 14->21 injected 220 Checks if the current machine is a virtual machine (disk enumeration) 17->220 222 Creates a thread in another existing process (thread injection) 17->222 224 Detected unpacking (overwrites its own PE header) 19->224 226 Machine Learning detection for dropped file 19->226 228 Injects a PE file into a foreign processes 19->228 26 3CD9.exe 12 19->26         started        process6 dnsIp7 136 toobussy.com 21->136 138 2.180.10.7 TCIIR Iran (ISLAMIC Republic Of) 21->138 142 15 other IPs or domains 21->142 100 C:\Users\user\AppData\Roaming\ufhbvrs, PE32 21->100 dropped 102 C:\Users\user\AppData\Roaming\fhhbvrs, PE32 21->102 dropped 104 C:\Users\user\AppData\Local\Temp\FEE9.exe, PE32 21->104 dropped 106 20 other malicious files 21->106 dropped 162 System process connects to network (likely due to code injection or exploit) 21->162 164 Benign windows process drops PE files 21->164 166 Deletes itself after installation 21->166 168 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->168 28 3CD9.exe 21->28         started        31 AFA4.exe 5 21->31         started        34 7F7F.exe 21->34         started        36 7 other processes 21->36 140 api.2ip.ua 26->140 file8 signatures9 process10 file11 192 Detected unpacking (changes PE section rights) 28->192 194 Detected unpacking (overwrites its own PE header) 28->194 196 Machine Learning detection for dropped file 28->196 198 Writes a notice file (html or txt) to demand a ransom 28->198 38 3CD9.exe 1 15 28->38         started        118 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 31->118 dropped 120 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 31->120 dropped 122 C:\Users\user\AppData\Local\...122ewPlayer.exe, PE32 31->122 dropped 200 Antivirus detection for dropped file 31->200 42 NewPlayer.exe 31->42         started        45 aafg31.exe 31->45         started        47 XandETC.exe 31->47         started        202 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 34->202 204 Maps a DLL or memory area into another process 34->204 206 Checks if the current machine is a virtual machine (disk enumeration) 34->206 208 Creates a thread in another existing process (thread injection) 34->208 210 Sample uses process hollowing technique 36->210 212 Injects a PE file into a foreign processes 36->212 49 1B5A.exe 36->49         started        51 6CED.exe 36->51         started        53 5C21.exe 36->53         started        55 2 other processes 36->55 signatures12 process13 dnsIp14 144 api.2ip.ua 162.0.217.254, 443, 49701, 49707 ACPCA Canada 38->144 108 C:\Users\user\AppData\Local\...\3CD9.exe, PE32 38->108 dropped 57 3CD9.exe 38->57         started        60 icacls.exe 38->60         started        110 C:\Users\user\AppData\Local\...\mnolyk.exe, PE32 42->110 dropped 180 Antivirus detection for dropped file 42->180 182 Machine Learning detection for dropped file 42->182 62 mnolyk.exe 42->62         started        146 jp.imgjeoighw.com 103.100.211.218, 49706, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 45->146 148 ss.apjeoighw.com 154.221.31.191 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 45->148 150 5 other IPs or domains 45->150 184 Tries to harvest and steal browser information (history, passwords, etc) 45->184 file15 signatures16 process17 file18 170 Injects a PE file into a foreign processes 57->170 65 3CD9.exe 57->65         started        114 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 62->114 dropped 116 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 62->116 dropped 172 Antivirus detection for dropped file 62->172 174 Creates an undocumented autostart registry key 62->174 176 Machine Learning detection for dropped file 62->176 178 Uses schtasks.exe or at.exe to add and modify task schedules 62->178 70 cmd.exe 62->70         started        72 schtasks.exe 62->72         started        signatures19 process20 dnsIp21 124 zexeq.com 95.107.163.44, 49710, 80 ASC-AL-ASAL Albania 65->124 126 colisumy.com 65->126 128 api.2ip.ua 65->128 92 C:\Users\user\AppData\Local\...\build3.exe, PE32 65->92 dropped 94 C:\Users\user\AppData\Local\...\build2.exe, PE32 65->94 dropped 96 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 65->96 dropped 98 8 other malicious files 65->98 dropped 160 Modifies existing user documents (likely ransomware behavior) 65->160 74 build2.exe 65->74         started        77 build3.exe 65->77         started        80 conhost.exe 70->80         started        82 cmd.exe 70->82         started        84 cacls.exe 70->84         started        86 conhost.exe 72->86         started        file22 signatures23 process24 file25 186 Machine Learning detection for dropped file 74->186 188 Sample uses process hollowing technique 74->188 190 Injects a PE file into a foreign processes 74->190 112 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 77->112 dropped 88 schtasks.exe 77->88         started        signatures26 process27 process28 90 conhost.exe 88->90         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5969b46b8fa8960b6b7f92952d9a10cd63b1175f39633d2bc5ca890438353646/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-27 09:05:07 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfu3i24pvclaw237skks3gqqzvr3cf27hfrt2k6fzkeqiobvgzda._file
Verdict:
malicious
Similar samples:
0c26ec308dc78ef090ebec907e1eb15d6dfdc28a85fa27e0a945fc5354a3e5f9
Fabookie
0cc7060ce4d11da31e6de65632d1e78d2f6c9022393f1fa49b0bf845108ca3b1
Fabookie
1171766b3c8e74122333aedfcf8ff32bcd2e059043af434dc57a70b6015b3e63
Fabookie
314b7a6d969a0f4654bb6b3a80a58087dac25c26c5777270b0f53056ec5645c0
Fabookie
3ea8f457387940d5a64458d38284ed785a9e04e245cf28e03bfc38d5e9188599
Fabookie
62d622e4c6581c0dd50e5623a3328cf60ffa7e87dea131c294883a2b610f80f4
Fabookie
6ba6ba1ad5f6525a76e854affad5bb28d1e59c93bd26d88a9cf1da7b84ed3b27
Fabookie
74e17b7264117df362eb097195ec2f45be5b98594953426f81a861299dbc6958
Fabookie
c9fde93529396b5fa4d49f8932ff113dcb813a30462c32312ff1ef259ab1989d
Fabookie
f93b85ca07f0392ab1516a34b157e175936e45b31773d1dce409b7e4872a8946
Fabookie
+ 2'003 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:pub1 backdoor discovery ransomware stealer trojan
Link:
https://tria.ge/reports/230527-k17ctabd65/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
45.9.74.80/0bjdn2Z/index.php
Gathering data
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5969b46b8fa8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5969b46b8fa8960b6b7f92952d9a10cd63b1175f39633d2bc5ca890438353646

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe 5969b46b8fa8960b6b7f92952d9a10cd63b1175f39633d2bc5ca890438353646

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/392474/
  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
  
Delivery method
Distributed via web download

Comments