MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83442c64c821f32924261167941da1d7e51aa6d35e57c4ac1cdefd2358d876ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	83442c64c821f32924261167941da1d7e51aa6d35e57c4ac1cdefd2358d876ab
SHA3-384 hash:	09a80674e8a311ce1a7274fac05044f81d52b49112165bc89e5fefed6bb49ce6e127a56506aa8f0d3d34463ec96dcfb9
SHA1 hash:	9874cb500f6e1e718a525e344ffad3019209b1c1
MD5 hash:	e98e61d49f05cbb04bb8e84367d54d94
humanhash:	romeo-minnesota-venus-failed
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	807'936 bytes
First seen:	2023-03-14 04:21:26 UTC
Last seen:	2023-03-14 10:11:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e5dbb857e69e565f329fc44778c12405 (1 x Fabookie)
ssdeep	12288:qAtKU+KR7yx6+X/P6+X/6YCoPsk7vFIlv:ZuUywg/yg/6YCUsk7vFG
TLSH	T19F059E219122C95BC310343CC885A5F5EA9CBC64C759CBE3BA55BC2E7E369A94D3C0F9
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	4c2c600236767221 (6 x Fabookie, 2 x Cosmu)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from http://ji.jhia6gyygcc.com/m/ss25.exe

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/374121/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.65912755.13664.24217.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Launching a process

Searching for the window

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/73021/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated shell32.dll

Link:

https://www.filescan.io/uploads/640ff66be746e0a329daaddf/reports/da6f38b7-13ce-454a-82d7-f923ed39e8f8/overview

Verdict:

Malicious

Labled as:

Win64/TrojanDownloader.Agent

Link:

https://www.hybrid-analysis.com/sample/83442c64c821f32924261167941da1d7e51aa6d35e57c4ac1cdefd2358d876ab

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/283be531-e3b7-4cd9-b62d-721cf87172ce

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1193008

Signature

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83442c64c821f32924261167941da1d7e51aa6d35e57c4ac1cdefd2358d876ab/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-03-13 22:56:27 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

10 of 39 (25.64%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qnccyzgiehzssjbgcftzihnb27srvjwtlzl4jla4336sgwgyo2vq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230314-ey8vzadc48/

Behaviour

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

83442c64c821f32924261167941da1d7e51aa6d35e57c4ac1cdefd2358d876ab

MD5 hash:

e98e61d49f05cbb04bb8e84367d54d94

SHA1 hash:

9874cb500f6e1e718a525e344ffad3019209b1c1

Link:

https://www.unpac.me/results/27520f32-65ab-43f2-835a-ff9e009ef84e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/83442c64c821f32924261167941da1d7e51aa6d35e57c4ac1cdefd2358d876ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2561770/

Cape

https://www.capesandbox.com/analysis/374121/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample