MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 902387aa87934a342776e8e81b67323957cb9c1d10288567ca8058a4614a30b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	902387aa87934a342776e8e81b67323957cb9c1d10288567ca8058a4614a30b0
SHA3-384 hash:	46ed1cae7a8b3c50083ee92f0503a00f3d5099d431f81bb3b16a90069e39d1999b5f08c2718d2cc5d8b0acefda7b6b6b
SHA1 hash:	d1ecc16d3e4946f6e48c7a4b7d83b188e85bc009
MD5 hash:	8ee9fa4e189b78d14c86d1d50fdd90ee
humanhash:	white-chicken-sink-butter
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	322'048 bytes
First seen:	2023-03-27 12:33:01 UTC
Last seen:	2023-03-28 08:07:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a7a19cad0c2c193feb43fc00c1b6b502 (17 x Fabookie)
ssdeep	3072:P8k/TMYQ0qIN6NtVcOXEK5ULtGyUPj09vJqxEm4x1ESuQG+3SeyRS6CSfKVu1xgP:5Mnt3EPRAPj2voxEvTEPp/F
Threatray	71 similar samples on MalwareBazaar
TLSH	T190643B156FB91DB6C016B43F0C6E84524B337827162783F7E496DEAC0EF76E8D466822
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e3b1adeddd75ad92 (15 x Fabookie)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from http://ji.jhia6gyygcc.com/m/ss25.exe

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-27 12:35:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/252e7ce0-d142-4707-b9e3-2b2351e7774b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/377888/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending a custom TCP request

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/75206/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

setupapi.dll

Link:

https://www.filescan.io/uploads/64218d0180ca4ca1ff599fab/reports/52c77168-eb7d-4acb-a628-7afde16eb0a2/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/902387aa87934a342776e8e81b67323957cb9c1d10288567ca8058a4614a30b0

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/162d581f-655a-4abc-ade8-7e4c561be88c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad.troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1202674

Signature

Antivirus detection for URL or domain

Detected unpacking (creates a PE file in dynamic memory)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/902387aa87934a342776e8e81b67323957cb9c1d10288567ca8058a4614a30b0/

Threat name:

Win64.Trojan.Privateloader

Status:

Suspicious

First seen:

2023-03-27 12:33:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sarypkuhsnfdij3w5dubwzzshfl4xha5cauikz6kqbmkiykkgcya._file

Verdict:

suspicious

Fabookie

0c802565c73fd2fd624ecab818162f8873935308ebc95f3b17fa74a6c582db12

Fabookie

342046d08054fc467fc4b38ab64c4135ae712514b141e7cd87e84168eed8a74a

Fabookie

844b92d102379990f96dd712b1eb2ade90bee0412333a11a74f77723ff4f91f9

Fabookie

d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09

Fabookie

d9829ccc496851aabeb50d06d26bb6a29f20370efa4e92e054bdf74e85de4664

Fabookie

dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630

Fabookie

ef75e4193acf86589cfcf6b49d61e88073fd65ca866ed4197da7c5e4b22bac6e

Fabookie

+ 61 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230327-pq62hsfe21/

Unpacked files

SH256 hash:

902387aa87934a342776e8e81b67323957cb9c1d10288567ca8058a4614a30b0

MD5 hash:

8ee9fa4e189b78d14c86d1d50fdd90ee

SHA1 hash:

d1ecc16d3e4946f6e48c7a4b7d83b188e85bc009

Link:

https://www.unpac.me/results/588ef426-30c8-4224-989a-f714bbb960c2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/902387aa87934a342776e8e81b67323957cb9c1d10288567ca8058a4614a30b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2561770/

Cape

https://www.capesandbox.com/analysis/377888/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample