MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
SHA3-384 hash: de52275e000cd182d457b54fd975097efb6182872249f70a977c6bbb2836186633f37d16638463e2b5dce5ef55575659
SHA1 hash: 3dea1b337987177c73c64e89b370d90dc94c64cb
MD5 hash: 69525fa93fd47eb3c533afe3b1baba48
humanhash: thirteen-pennsylvania-november-island
File name:UI721.bin
Download: download sample
Signature Fabookie
Create hunting rule
File size:5'632 bytes
First seen:2023-05-21 18:54:18 UTC
Last seen:2023-07-11 15:13:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt
Threatray 34 similar samples on MalwareBazaar
TLSH T108C1C81AF3C9867BD1768F740C738300233EF6525C27C70D25C516EAAF22778C59AAA2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Neiki
Tags:Fabookie

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
UI721.bin
Verdict:
Malicious activity
Analysis date:
2023-05-21 18:58:57 UTC
Tags:
evasion loader ransomware opendir stealer rat redline lumma gcleaner amadey trojan fabookie arkei vidar lokibot remcos raccoon recordbreaker keylogger
Link:
https://app.any.run/tasks/f6a6cc23-4b97-49de-a580-6d175494a63d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Reading critical registry keys
Creating a window
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a service
Running batch commands
Changing a file
Moving a recently created file
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Searching for the window
Using the Windows Management Instrumentation requests
Moving a file to the %temp% directory
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Stealing user critical data
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Encrypting user's files
Gathering data
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/84782522-01d2-4a38-b71c-913ab99fc643
Result
Threat name:
AgentTesla, LockBit ransomware, LummaC S
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1238909
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-05-16 20:52:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2ogw4vbs4c6mxlfjakna5ykm7d4jixffek7mek5y5akwjko2suq._file
Verdict:
malicious
Similar samples:
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
Fabookie
57979ca3e646ecfcf45221a35642d69c66d753e9961468e65e66670c4f7513a6
Fabookie
8d2a53bd89b25935e2d8d9195f6982e3dfac315b8d77a856becc7d1aae4f66ab
Fabookie
8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357
Fabookie
9925d40e552d694f23587880808c8f53cb41ff2ef2fc5112f37aeaab7d1c6241
Fabookie
a5ee311c1782356ae8fd1e5fc6f6a2cdde6dd79ebc5c80a02c36b3327ba3ac7d
Fabookie
b6219cebfd6180b0278dc07062893751f3e9c056a23b0b876b2752513cc4a1a5
Fabookie
efe80cf748bd25110797151a16a29b956213cc00a85716dae6e6008d648725dc
Fabookie
+ 24 additional samples on MalwareBazaar
Result
Malware family:
wshrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:lockbit family:redline family:sectoprat family:wshrat botnet:diza collection discovery evasion infostealer keylogger persistence ransomware rat spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/230521-xkts1abg82/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Gathers system information
Modifies registry class
Modifies system certificate store
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Uses the VBS compiler for execution
VMProtect packed file
Windows security modification
Downloads MZ/PE file
Modifies extensions of user files
Renames multiple (347) files with added filename extension
AgentTesla
Lockbit
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Rule to detect Lockbit 3.0 ransomware Windows payload
SectopRAT
SectopRAT payload
WSHRAT
WSHRAT payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6225839139:AAHOVxUdRr3_xezeR4e_GlriGQEKuUFBpW0/
185.161.248.37:4138
Unpacked files
SH256 hash:
8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
MD5 hash:
69525fa93fd47eb3c533afe3b1baba48
SHA1 hash:
3dea1b337987177c73c64e89b370d90dc94c64cb
Link:
https://www.unpac.me/results/0e044a6b-07ac-4ce1-9049-b7b40e4017c3/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e9c6b72a197/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments