MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77bce6278ca4ff5863280c4cecc53cfdd3097ae67f617d1e62c66bab8d313ed3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash:	77bce6278ca4ff5863280c4cecc53cfdd3097ae67f617d1e62c66bab8d313ed3
SHA3-384 hash:	1c2ac4332116feda8fb1641ed2739415e8552c13a9e8a3143867e44e2b2b907005acc27d4fa43f1c17c542e6813c3ad1
SHA1 hash:	c3dafc1edb048a9b1901c28a38521d0c3a1019a9
MD5 hash:	3fbd744372d53f4fe9f34e8173c6c21d
humanhash:	maryland-twenty-eight-double
File name:	3fbd744372d53f4fe9f34e8173c6c21d
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	690'176 bytes
First seen:	2023-05-27 08:31:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	415314d0031f15135fbc02f2ca18bb2f (2 x Fabookie)
ssdeep	6144:KvY7uKa7GjX7jpbERxpp521t+6eslnCUGwfxIRLtxIRLuovZ3H3AdKy9HGeofJgG:3/04rlwppx6eDaooojmN
Threatray	1 similar samples on MalwareBazaar
TLSH	T120E4F600E5410452CC9F5F7A8A639A35A7733D62BF07979B3208B6763A336D16B71B83
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	38c886ac89e0e260 (2 x Fabookie)
Reporter	zbetcheckin
Tags:	64 exe Fabookie

Intelligence

File Origin

# of uploads :

# of downloads :

239

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

79d2468bdd8dbdb75619d753c0007b14.exe

Verdict:

Malicious activity

Analysis date:

2023-05-27 06:51:38 UTC

Tags:

opendir loader gcleaner stealer vidar trojan arkei rat redline smoke evasion

Link:

https://app.any.run/tasks/ce4b27fa-c428-4936-86e5-8db68df52bf1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/392415/

Detection(s):

SecuriteInfo.com.Win64.Trojan-gen.4436.19710.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/88167/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm hacktool keylogger

Link:

https://www.filescan.io/uploads/6471c003ce72cac205743962/reports/339354dd-869c-43ed-9928-4e20094901f1/overview

Verdict:

Malicious

Labled as:

Win64/TrojanDownloader.Agent

Link:

https://www.hybrid-analysis.com/sample/77bce6278ca4ff5863280c4cecc53cfdd3097ae67f617d1e62c66bab8d313ed3

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Fabookie

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a9251915-be78-4392-b710-21f05a0129e7

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1243723

Signature

Antivirus detection for URL or domain

Found stalling execution ending in API Sleep call

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/77bce6278ca4ff5863280c4cecc53cfdd3097ae67f617d1e62c66bab8d313ed3/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-05-27 08:03:33 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=o66omj4mut7vqyzibrgozrj47xjqs6xgp5qx2htcyzv2xdjrh3jq._file

Verdict:

unknown

Fabookie

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230527-ke97ksbf5x/

Behaviour

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

77bce6278ca4ff5863280c4cecc53cfdd3097ae67f617d1e62c66bab8d313ed3

MD5 hash:

3fbd744372d53f4fe9f34e8173c6c21d

SHA1 hash:

c3dafc1edb048a9b1901c28a38521d0c3a1019a9

Link:

https://www.unpac.me/results/02ad4ed1-958d-4e6e-a699-a6197dc30f5a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/77bce6278ca4ff5863280c4cecc53cfdd3097ae67f617d1e62c66bab8d313ed3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers