MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dc587c94f7b46e3349882a66a837832cfab8bd122a8c6bccf09332321943d53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dc587c94f7b46e3349882a66a837832cfab8bd122a8c6bccf09332321943d53
SHA3-384 hash: e801e2af9addc23fa16785cca17209b7fb8b19cb747520ed761f5998c50b44075803a1d1807adc15067df9685e911465
SHA1 hash: e0af09b8a78b112ef2b87cf56cde164a4cf661a0
MD5 hash: 9f4a440dd7787b0da1e3d5a17ba2defe
humanhash: may-comet-solar-august
File name:file
Download: download sample
Signature Fabookie
Create hunting rule
File size:431'104 bytes
First seen:2023-06-24 07:45:19 UTC
Last seen:2023-06-24 11:00:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d1884757532ce7b0014241f40262c929 (16 x Fabookie)
ssdeep 6144:ul073J3XYf1K4tit9rVDWso3T+cbJ5JIJAbW0we3:z3JnYNKP7x5oCIJ5MZ0w
Threatray 251 similar samples on MalwareBazaar
TLSH T11F949EE1E35040E5D477C2B982734B63E7F27C285B214ADF4659B6292F337D28936A0B
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70646666fab4b064 (18 x Fabookie, 5 x GuLoader)
Reporter andretavare5
Tags:exe Fabookie


Avatar
andretavare5
Sample downloaded from http://ji.jahhaega2qq.com/m/p0aw25.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
275
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-24 07:48:33 UTC
Tags:
fabookie
Link:
https://app.any.run/tasks/f4508a1d-47ff-4ae4-981c-a1ee4478f58c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/402315/
Detection(s):
SecuriteInfo.com.Win64.Trojan-gen.5070.32230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for the window
Creating a window
Query of malicious DNS domain
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin shell32.dll
Link:
https://www.filescan.io/uploads/64969f3ba85ef0b719515673/reports/becb265a-2051-4986-ba55-1b5a542a9517/overview
Verdict:
Suspicious
Labled as:
Win64/TrojanDownloader.Agent.AER
Link:
https://www.hybrid-analysis.com/sample/9dc587c94f7b46e3349882a66a837832cfab8bd122a8c6bccf09332321943d53
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/246b58a7-fd5d-4753-937f-7ea81ba9bd8d
Result
Threat name:
Fabookie
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1260849
Signature
Antivirus detection for URL or domain
Contains functionality to steal Chrome passwords or cookies
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Fabookie
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dc587c94f7b46e3349882a66a837832cfab8bd122a8c6bccf09332321943d53/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-24 04:23:55 UTC
File Type:
PE+ (Exe)
Extracted files:
50
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=txcypskppndogneyqktgva3yglh2xc6rekumnpgpbezsgimuhvjq._file
Verdict:
suspicious
Similar samples:
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
Fabookie
17e82209518cce274c965110945fb6d4641ba0e950ebcea59d3c1d809a4a817e
Fabookie
3995ed61d4b3901bfacb5a8d36500664c1145c6287f8eba5f0077ef1b780355c
Fabookie
51f7cb2bce2460bec286f14978cb796e6858be4335c10401a1fb9e54893cca92
Fabookie
7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad
Fabookie
85b2316619510cb5e482c62b27714f9e8f83bdd8d73ea530d29e48bfafb509f7
Fabookie
8dc7d4261b9ea7463ae129a04c13beb905d7a5722b03c90ea57e0a81c04f0880
Fabookie
9d4bf2fa222c2fa818ed73796f639d7138d2065616ee126c38b8145723164a94
Fabookie
bcaff58e4efc3c80c7a401686a5e9acbd13d265ace38bef195e7ee6380ffbf23
Fabookie
cf4c10732e1ed55669890820b459236dc32f8df82c3246be778a327c0192b349
Fabookie
+ 241 additional samples on MalwareBazaar
Result
Malware family:
fabookie
Create hunting rule
Score:
  10/10
Tags:
family:fabookie spyware stealer
Link:
https://tria.ge/reports/230624-jlyxfsbe6t/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
Detect Fabookie payload
Fabookie
Unpacked files
SH256 hash:
9dc587c94f7b46e3349882a66a837832cfab8bd122a8c6bccf09332321943d53
MD5 hash:
9f4a440dd7787b0da1e3d5a17ba2defe
SHA1 hash:
e0af09b8a78b112ef2b87cf56cde164a4cf661a0
Link:
https://www.unpac.me/results/4bc9b035-21e3-40ea-a573-ca3ec49428d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dc587c94f7b46e3349882a66a837832cfab8bd122a8c6bccf09332321943d53

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2644855/
Cape
Cape
https://www.capesandbox.com/analysis/402315/

Comments