MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9
SHA3-384 hash: 8a478327760d3d1af09ae90cf27daafb7bce4b1bda3fa26ffba322f5faac04a80d554b60458a9606d311e9810607aad0
SHA1 hash: d188e8d274935043436c6cae0c56d24a974f6800
MD5 hash: 4d0f16309f1dfe19ab558a13624df4aa
humanhash: fourteen-muppet-pizza-fish
File name:SecuriteInfo.com.Heur.20230624152739349083246
Download: download sample
Signature Fabookie
Create hunting rule
File size:923'136 bytes
First seen:2023-06-24 15:29:10 UTC
Last seen:2023-06-26 05:57:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:XhAHI6vOZZU1gJVwHdoI8BV/MUxbO1P8n22:XiZsU+VI+BV/M6bsUn2
Threatray 3'082 similar samples on MalwareBazaar
TLSH T1A015AD65DCBBE6939150DA2F6339FA85807432032B40DDEC19194B9E084B5E98B87FDF
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe Fabookie

Intelligence

File Origin
# of uploads :
4
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Heur.20230624152739349083246
Verdict:
Malicious activity
Analysis date:
2023-06-24 15:33:47 UTC
Tags:
amadey trojan fabookie loader smoke
Link:
https://app.any.run/tasks/040e40be-9108-49e7-aeed-8d8c444e4c72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/402487/
Detection(s):
SecuriteInfo.com.Heur.20230624152739349083246.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Creating a process with a hidden window
Searching for synchronization primitives
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Query of malicious DNS domain
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/64970c02ee55f1e1b4b520f6/reports/c2489d4a-4ef8-4b19-b2c7-cf8de81adbe7/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b370850e-dece-4bca-aea0-fb85e6d2693b
Result
Threat name:
Amadey, Fabookie, Glupteba, Nymaim, Smok
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1260913
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses STUN server to do NAT traversial
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Glupteba
Yara detected Nymaim
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 893934 Sample: SecuriteInfo.com.Heur.20230... Startdate: 24/06/2023 Architecture: WINDOWS Score: 100 168 Snort IDS alert for network traffic 2->168 170 Multi AV Scanner detection for domain / URL 2->170 172 Found malware configuration 2->172 174 18 other signatures 2->174 12 SecuriteInfo.com.Heur.20230624152739349083246.exe 5 2->12         started        15 vriwwta 2->15         started        18 svchost.exe 2->18         started        20 2 other processes 2->20 process3 file4 138 C:\Users\user\AppData\Local\Temp\ss41.exe, PE32+ 12->138 dropped 140 C:\Users\user\AppData\Local\...\newplayer.exe, PE32 12->140 dropped 142 C:\Users\user\AppData\Local\...\ec193bd8.exe, PE32 12->142 dropped 144 SecuriteInfo.com.H...39349083246.exe.log, CSV 12->144 dropped 22 newplayer.exe 3 12->22         started        26 ec193bd8.exe 12->26         started        28 ss41.exe 14 12->28         started        31 conhost.exe 12->31         started        230 Detected unpacking (changes PE section rights) 15->230 232 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->232 234 Maps a DLL or memory area into another process 15->234 236 2 other signatures 15->236 33 WerFault.exe 18->33         started        35 WerFault.exe 18->35         started        37 WerFault.exe 18->37         started        39 5 other processes 18->39 signatures5 process6 dnsIp7 116 C:\Users\user\AppData\Local\...\oneetx.exe, PE32 22->116 dropped 192 Multi AV Scanner detection for dropped file 22->192 41 oneetx.exe 22 22->41         started        46 conhost.exe 22->46         started        194 Detected unpacking (changes PE section rights) 26->194 196 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 26->196 198 Maps a DLL or memory area into another process 26->198 206 2 other signatures 26->206 48 explorer.exe 26->48 injected 162 as.imgjeoigaa.com 28->162 164 us.imgjeoigaa.com 103.100.211.218, 49702, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 28->164 166 2 other IPs or domains 28->166 118 C:\Users\...\19d9a35d8fa7b855ab2e09e28a694519, SQLite 28->118 dropped 200 Contains functionality to steal Chrome passwords or cookies 28->200 202 Tries to harvest and steal browser information (history, passwords, etc) 28->202 50 taskkill.exe 1 28->50         started        52 taskkill.exe 1 28->52         started        file8 204 Performs DNS TXT record lookups 162->204 signatures9 process10 dnsIp11 152 45.9.74.80, 49703, 49705, 49706 FIRST-SERVER-EU-ASRU Russian Federation 41->152 128 C:\...\3eef203fb515bda85f514e168abb5973.exe, PE32 41->128 dropped 130 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 41->130 dropped 132 C:\Users\user\AppData\Local\...\setup.exe, PE32 41->132 dropped 136 3 other malicious files 41->136 dropped 218 Multi AV Scanner detection for dropped file 41->218 220 Creates an undocumented autostart registry key 41->220 222 Uses schtasks.exe or at.exe to add and modify task schedules 41->222 54 3eef203fb515bda85f514e168abb5973.exe 41->54         started        57 setup.exe 41->57         started        60 toolspub2.exe 41->60         started        64 2 other processes 41->64 154 187.209.145.196, 49892, 49913, 80 UninetSAdeCVMX Mexico 48->154 156 124.43.18.250, 49933, 80 SLTINT-AS-APSriLankaTelecomInternetLK Sri Lanka 48->156 158 2 other IPs or domains 48->158 134 C:\Users\user\AppData\Roaming\vriwwta, PE32 48->134 dropped 224 System process connects to network (likely due to code injection or exploit) 48->224 226 Benign windows process drops PE files 48->226 228 Hides that the sample has been downloaded from the Internet (zone.identifier) 48->228 62 csrss.exe 48->62         started        file12 signatures13 process14 dnsIp15 182 Multi AV Scanner detection for dropped file 54->182 184 Detected unpacking (changes PE section rights) 54->184 186 Detected unpacking (overwrites its own PE header) 54->186 190 2 other signatures 54->190 66 3eef203fb515bda85f514e168abb5973.exe 54->66         started        70 powershell.exe 54->70         started        160 45.12.253.56, 80 CMCSUS Germany 57->160 72 WerFault.exe 57->72         started        82 7 other processes 57->82 188 Injects a PE file into a foreign processes 60->188 74 toolspub2.exe 60->74         started        76 conhost.exe 64->76         started        78 conhost.exe 64->78         started        80 cmd.exe 1 64->80         started        84 5 other processes 64->84 signatures16 process17 file18 114 C:\Windows\rss\csrss.exe, PE32 66->114 dropped 176 Drops executables to the windows directory (C:\Windows) and starts them 66->176 178 Creates an autostart registry key pointing to binary in C:\Windows 66->178 86 csrss.exe 66->86         started        91 cmd.exe 66->91         started        93 powershell.exe 66->93         started        97 2 other processes 66->97 95 conhost.exe 70->95         started        signatures19 process20 dnsIp21 146 server6.duniadekho.bar 86->146 148 stun.sipgate.net 217.10.68.145, 3478, 58747 NETZQUADRATGladbacherstr74DE Germany 86->148 150 4 other IPs or domains 86->150 120 C:\Windows\windefender.exe, PE32 86->120 dropped 122 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 86->122 dropped 124 C:\Users\...124tQuerySystemInformationHook.dll, PE32+ 86->124 dropped 126 5 other files (none is malicious) 86->126 dropped 208 Multi AV Scanner detection for dropped file 86->208 210 Detected unpacking (changes PE section rights) 86->210 212 Detected unpacking (overwrites its own PE header) 86->212 99 powershell.exe 86->99         started        214 Uses netsh to modify the Windows network and firewall settings 91->214 101 netsh.exe 91->101         started        104 conhost.exe 91->104         started        106 conhost.exe 93->106         started        108 conhost.exe 97->108         started        110 conhost.exe 97->110         started        file22 216 Uses STUN server to do NAT traversial 146->216 signatures23 process24 signatures25 112 conhost.exe 99->112         started        180 Creates files in the system32 config directory 101->180 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-24 15:30:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwfoiu5fo47rb7o76uqkiuzgwplgl546ob4jr6qobgzibbf7wh4q._file
Verdict:
malicious
Similar samples:
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
Fabookie
17e82209518cce274c965110945fb6d4641ba0e950ebcea59d3c1d809a4a817e
Fabookie
3995ed61d4b3901bfacb5a8d36500664c1145c6287f8eba5f0077ef1b780355c
Fabookie
51f7cb2bce2460bec286f14978cb796e6858be4335c10401a1fb9e54893cca92
Fabookie
7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad
Fabookie
85b2316619510cb5e482c62b27714f9e8f83bdd8d73ea530d29e48bfafb509f7
Fabookie
8dc7d4261b9ea7463ae129a04c13beb905d7a5722b03c90ea57e0a81c04f0880
Fabookie
9d4bf2fa222c2fa818ed73796f639d7138d2065616ee126c38b8145723164a94
Fabookie
9dc587c94f7b46e3349882a66a837832cfab8bd122a8c6bccf09332321943d53
Fabookie
bcaff58e4efc3c80c7a401686a5e9acbd13d265ace38bef195e7ee6380ffbf23
Fabookie
+ 3'072 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:fabookie family:gcleaner family:glupteba family:smokeloader botnet:pub5 botnet:up3 backdoor discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/230624-sxglzscg31/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Amadey
Detect Fabookie payload
Fabookie
GCleaner
Glupteba
Glupteba payload
SmokeLoader
Windows security bypass
Malware Config
C2 Extraction:
45.9.74.80/0bjdn2Z/index.php
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9
MD5 hash:
4d0f16309f1dfe19ab558a13624df4aa
SHA1 hash:
d188e8d274935043436c6cae0c56d24a974f6800
Link:
https://www.unpac.me/results/8c934aed-2c90-40af-b08a-37c3a6e0a514/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d8ae453a577/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe 8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2670855/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/402487/
  
URLhaus
https://urlhaus.abuse.ch/url/2665390/

Comments