MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d4727c8d6ee3f645f9a77c512b84b0742d7502a15aeffcdd15366e6cb488c1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	9d4727c8d6ee3f645f9a77c512b84b0742d7502a15aeffcdd15366e6cb488c1f
SHA3-384 hash:	5e6b9675ec26d98df395ee699eafcc6ce07c0ed9e1212bd526ea3b1fd861ebc21f49a319a94c1db4ca68c45d0c3fa1fd
SHA1 hash:	f1770e8706ecb05a9621442e1e1f9f95d543caf2
MD5 hash:	81ba29ef50c3f6e6ce6fe4df6923dcba
humanhash:	green-monkey-iowa-batman
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	606'208 bytes
First seen:	2023-05-04 22:32:53 UTC
Last seen:	2023-05-06 14:46:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4673ad56625d375f2efee239af061364 (21 x Fabookie)
ssdeep	12288:G72WD3/jvKx8Xr3lRkRc4YFwjsWOfRg6gtPbcTTn7qxerx7:qD3/rgWr3/kRc4l6g6gtPbcHn7q
Threatray	134 similar samples on MalwareBazaar
TLSH	T1D9D4DF80B39196D9C4B88430C593CE71CA317C64DB28569BB6D4BB7F2F32AB1653731A
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	60c8d86aec66d4f0 (24 x Fabookie, 1 x DanaBot)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from http://ji.ghwiwwff.com/m/oskg25

Intelligence

File Origin

# of uploads :

# of downloads :

286

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-05-04 22:33:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/dd1284e2-e92a-4ebc-8908-6b35bb972000

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/386645/

Detection(s):

SecuriteInfo.com.Trojan-Downloader.Win64.Agent.7644.12895.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Launching a process

Sending a custom TCP request

DNS request

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/82556/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

shell32.dll

Link:

https://www.filescan.io/uploads/6454329fd27980254dd476af/reports/3bd22de7-df4c-4a97-bb8b-e5780b238e0b/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/9d4727c8d6ee3f645f9a77c512b84b0742d7502a15aeffcdd15366e6cb488c1f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bfd43699-a51f-4fcc-9891-c6e4616a0c08

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1226560

Signature

Antivirus detection for URL or domain

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d4727c8d6ee3f645f9a77c512b84b0742d7502a15aeffcdd15366e6cb488c1f/

Threat name:

Win64.Trojan.Privateloader

Status:

Suspicious

First seen:

2023-05-04 21:56:46 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 36 (33.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tvdspsgw5y7wix42o7crfocla5bnoubkcwxp7torkntons2irqpq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230504-2ghc1shc9y/

Behaviour

Uses Task Scheduler COM API

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

9d4727c8d6ee3f645f9a77c512b84b0742d7502a15aeffcdd15366e6cb488c1f

MD5 hash:

81ba29ef50c3f6e6ce6fe4df6923dcba

SHA1 hash:

f1770e8706ecb05a9621442e1e1f9f95d543caf2

Link:

https://www.unpac.me/results/0b0ec7ca-1d31-4cec-b380-ca694810c961/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d4727c8d6ee3f645f9a77c512b84b0742d7502a15aeffcdd15366e6cb488c1f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2594534/

Cape

https://www.capesandbox.com/analysis/386645/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample