MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8864d8f7f148c66afd1d7949abc041310d8b8837249a817c57f74a68e9c320ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	8864d8f7f148c66afd1d7949abc041310d8b8837249a817c57f74a68e9c320ac
SHA3-384 hash:	5e040882d41140ae0d2d000f32da77e5156bb475ad8138afda6d5150207ebb986bf86aeb587f0accf021ca7a17179741
SHA1 hash:	f9c3e0ab05ab86ed37dc13317adaa56550dfa339
MD5 hash:	e61232c458a31d10cda9bb4bec57c44e
humanhash:	summer-snake-lion-ceiling
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	340'992 bytes
First seen:	2023-06-17 10:23:46 UTC
Last seen:	2023-06-17 21:32:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e80f9d537b01e2bcba0fde7f5238b2d3 (1 x Fabookie)
ssdeep	6144:6F18RIT6Ram4StJ3rXDW49KJ7SkD4DiaODgKYleQ4hPP:6wdpXDzo3DMWP
TLSH	T143742981F3DA4028E072C679CEB18363EA767C155B3096DF07609E6A6E73BE0D535B21
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	70ccc9b3a9cce070 (19 x Fabookie, 3 x XFilesStealer, 1 x Pony)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from http://ji.jahhaega2qq.com/m/p0aw25.exe

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-06-17 10:26:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8384912f-f3b2-4947-8167-44b3fa011a57

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/399775/

Detection(s):

SecuriteInfo.com.Trojan-Downloader.Win64.Agent.13891.26366.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Sending a custom TCP request

Query of malicious DNS domain

Launching a tool to kill processes

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/91133/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware keylogger lolbin shell32.dll

Link:

https://www.filescan.io/uploads/648d89c3e4167cbeabd4bcd3/reports/799d9335-8e92-4f6b-a07b-6ac9e5ef4c5f/overview

Verdict:

Malicious

Labled as:

HVM:TrojanDownloader/Jeoigaa.a

Link:

https://www.hybrid-analysis.com/sample/8864d8f7f148c66afd1d7949abc041310d8b8837249a817c57f74a68e9c320ac

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Fabookie

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2ca476ea-b301-4c7e-aafb-b42a6f5cd337

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1256465

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to steal Chrome passwords or cookies

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8864d8f7f148c66afd1d7949abc041310d8b8837249a817c57f74a68e9c320ac/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-06-17 10:24:06 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rbsnr57rjddgv7i5pfe2xqcbgegyxcbxesnic7cx65fgr2odecwa._file

Result

Malware family:

fabookie

Score:

10/10

Tags:

family:fabookie spyware stealer

Link:

https://tria.ge/reports/230617-mfczksbd55/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

Detect Fabookie payload

Fabookie

Unpacked files

SH256 hash:

8864d8f7f148c66afd1d7949abc041310d8b8837249a817c57f74a68e9c320ac

MD5 hash:

e61232c458a31d10cda9bb4bec57c44e

SHA1 hash:

f9c3e0ab05ab86ed37dc13317adaa56550dfa339

Link:

https://www.unpac.me/results/165e282f-4d9e-4875-9ed4-949d9e1c4538/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8864d8f7f148c66afd1d7949abc041310d8b8837249a817c57f74a68e9c320ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2644855/

Cape

https://www.capesandbox.com/analysis/399775/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample