MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f2e2a92401ea7488c47caffc88acce66e4e66c6c631ff44a35859ff8a4b66ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f2e2a92401ea7488c47caffc88acce66e4e66c6c631ff44a35859ff8a4b66ac
SHA3-384 hash: 8a2fc3c0f64c1704ded905ddebfd95c35b65f88d5bebc83a226143910ebe14f4ecca47cc89680b64d0b73a151b49b1a2
SHA1 hash: 42175615718cfc0694ec54a3c6a5a1215750d2fb
MD5 hash: 18c731f78ffad5975be6fa22e25399f2
humanhash: leopard-music-social-green
File name:file
Download: download sample
Signature Fabookie
Create hunting rule
File size:429'056 bytes
First seen:2023-06-13 14:18:35 UTC
Last seen:2023-06-14 05:01:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 416ffe7b0605a5e274a0fae7bef800aa (2 x Fabookie)
ssdeep 6144:tl073J3SYx1K4tCO9rInWpg4t0+eoJAbB3T+cbJp:63JiYHKHqkAd0+5cCIJp
Threatray 184 similar samples on MalwareBazaar
TLSH T1A9949ED2E34040E5D477C2B982774B63E7F27C285B214ADF4659B6292F337D28936A0B
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70646666fab4b064 (18 x Fabookie, 5 x GuLoader)
Reporter jstrosch
Tags:exe Fabookie X64

Intelligence

File Origin
# of uploads :
3
# of downloads :
259
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-06-13 14:19:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/004c896e-2b55-415a-be25-1b23b4cd2a08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398412/
Detection(s):
SecuriteInfo.com.Win64.DropperX-gen.25628.22310.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Sending a custom TCP request
Query of malicious DNS domain
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin shell32.dll
Link:
https://www.filescan.io/uploads/64887adac6414862d206e9f6/reports/1526e9a0-6e51-44c9-ae85-f2dbd2737d9b/overview
Verdict:
Malicious
Labled as:
HVM:TrojanDownloader/Jeoigaa.a
Link:
https://www.hybrid-analysis.com/sample/5f2e2a92401ea7488c47caffc88acce66e4e66c6c631ff44a35859ff8a4b66ac
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/903e288d-e834-423b-ac10-7eb89a958a7a
Result
Threat name:
Fabookie
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253679
Signature
Antivirus detection for URL or domain
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Fabookie
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f2e2a92401ea7488c47caffc88acce66e4e66c6c631ff44a35859ff8a4b66ac/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-13 14:19:07 UTC
File Type:
PE+ (Exe)
Extracted files:
49
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l4xcvesad2turdchzl74rcwm4zxe4zwgyyy76rfdlbm77cslm2wa._file
Verdict:
suspicious
Similar samples:
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
Fabookie
0fe82d10bd3a8156f1953f239d6afb87ede65c2f9b83bc76aed9a7f09ef55f26
Fabookie
107c9c7d4ae2a5116eb395a8a5fc6e4de7b9fe60bf7ccadcbb7c14ae1049cdac
Fabookie
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
Fabookie
33f93086c8ad0c614e01c503d5c299b5fc86c480007597756de02884bccc5e67
Fabookie
64d45bc38d4a4e60a23bb5fa06a2b99ec40bd86c8f0cdd7c68736ab192569e49
Fabookie
a913b2046e7d919cc02f7fe509eb50d674cdf21be7122295fcaf9e5acdcfc3ac
Fabookie
c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4
Fabookie
e3d9fe1d6d23c0641c40e3b3eeda4b08f47f6b93e4afad127436fbaf61a7df4a
Fabookie
f1c89c1085ed01fc56fe12cc23d1a98f5c9b0029fe45cb425f5ffb62d8e71176
Fabookie
+ 174 additional samples on MalwareBazaar
Result
Malware family:
fabookie
Create hunting rule
Score:
  10/10
Tags:
family:fabookie spyware stealer
Link:
https://tria.ge/reports/230613-rmt9nage83/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
Detect Fabookie payload
Fabookie
Unpacked files
SH256 hash:
5f2e2a92401ea7488c47caffc88acce66e4e66c6c631ff44a35859ff8a4b66ac
MD5 hash:
18c731f78ffad5975be6fa22e25399f2
SHA1 hash:
42175615718cfc0694ec54a3c6a5a1215750d2fb
Link:
https://www.unpac.me/results/168936a3-def3-4884-ba61-be6a13f31b15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f2e2a92401ea7488c47caffc88acce66e4e66c6c631ff44a35859ff8a4b66ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe 5f2e2a92401ea7488c47caffc88acce66e4e66c6c631ff44a35859ff8a4b66ac

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2644855/
Cape
Cape
https://www.capesandbox.com/analysis/398412/

Comments