MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d4bf2fa222c2fa818ed73796f639d7138d2065616ee126c38b8145723164a94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	9d4bf2fa222c2fa818ed73796f639d7138d2065616ee126c38b8145723164a94
SHA3-384 hash:	5cac678636d7f93679a2bbf215fc5748b908a08b70ac6509e80df951071f4adba0d64c5c44aaf3ee7091b7bc42e602b7
SHA1 hash:	4278f26913b85bfdc4cbf0a5909e2d810ac583f7
MD5 hash:	a06ec6c0adfcc5034586fbf877e35b54
humanhash:	grey-carbon-eighteen-cola
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	650'752 bytes
First seen:	2023-06-12 00:44:33 UTC
Last seen:	2023-06-12 09:39:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3c8dcaebe69607cf65907d4c035ab4d4 (1 x Fabookie)
ssdeep	12288:3quFnYzy3VGiBX5fYwarPZpBqxVyfndmLB:3qOn0ziCPzBqDem9
TLSH	T166D46B05B6A84361E173D17E9AA3C759D6F23C050B30DBCB5251D7BA2E33AE5893A331
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	bc787979e29010cc (3 x Fabookie)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from http://ji.jahhaega2qq.com/m/p0aw25.exe

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://cobaktesbrow.com/download/File_pass1234.7z

Verdict:

Malicious activity

Analysis date:

2023-06-11 20:59:03 UTC

Tags:

privateloader opendir evasion loader rat redline amadey trojan stealer miner smoke tofsee gcleaner vidar ransomware stop

Link:

https://app.any.run/tasks/236aed95-02c2-4690-89d0-6aa2bd9438bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/397812/

Detection(s):

SecuriteInfo.com.Win64.Trojan-gen.6514.23252.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90284/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed shell32.dll

Link:

https://www.filescan.io/uploads/64866a8fe1501e56f062ed17/reports/25918b8c-e80c-4d44-bcc5-6f6971b316db/overview

Verdict:

Malicious

Labled as:

HVM:TrojanDownloader/Jeoigaa.a

Link:

https://www.hybrid-analysis.com/sample/9d4bf2fa222c2fa818ed73796f639d7138d2065616ee126c38b8145723164a94

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Fabookie

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f9e173c1-8c71-4259-8955-535533f58b35

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1252647

Signature

Antivirus detection for URL or domain

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d4bf2fa222c2fa818ed73796f639d7138d2065616ee126c38b8145723164a94/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-06-11 20:27:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 37 (35.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tvf7f6rcfqx2qghnon4w6y45oe4nebswc3xbe3byxakfoiywjkka._file

Result

Malware family:

fabookie

Score:

10/10

Tags:

family:fabookie spyware stealer

Link:

https://tria.ge/reports/230612-a33gjaah7y/

Behaviour

Reads user/profile data of web browsers

Detect Fabookie payload

Fabookie

Unpacked files

SH256 hash:

9d4bf2fa222c2fa818ed73796f639d7138d2065616ee126c38b8145723164a94

MD5 hash:

a06ec6c0adfcc5034586fbf877e35b54

SHA1 hash:

4278f26913b85bfdc4cbf0a5909e2d810ac583f7

Link:

https://www.unpac.me/results/3fd055dd-f7ef-4a10-a729-dc81256e5585/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9d4bf2fa222c2fa818ed73796f639d7138d2065616ee126c38b8145723164a94

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/397812/

URLhaus

https://urlhaus.abuse.ch/url/2644855/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample