MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a07c7ceca330c2c46b54cf70b047503d02d76475d22c0b0bb6f6f2dfc5c05b5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	a07c7ceca330c2c46b54cf70b047503d02d76475d22c0b0bb6f6f2dfc5c05b5d
SHA3-384 hash:	170906c5312ad3fd3583ce68e3bbf2311553420659b3d52c34f87c835e71e29d34c4b4390cdc7b71decb73cf913f02e5
SHA1 hash:	0b129f820e3ae2d5d54ea1ec00f10631fb14e3da
MD5 hash:	d11703d3070e6c9a95017bd00357c8b9
humanhash:	tango-bravo-edward-jupiter
File name:	d11703d3070e6c9a95017bd00357c8b9.exe
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	406'528 bytes
First seen:	2023-07-13 07:45:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	96cc98468ed325b3857363887597bc67 (20 x Fabookie)
ssdeep	1536:qyKJMVJCvWuOCWqeyGaOi2K+Sm6uCWqe+aOi2K+Sm6uuCuCWqeyGaOi2K+Sm6uCe:qXJMqeuaXnAYy4AZ6LvcgJFW
Threatray	328 similar samples on MalwareBazaar
TLSH	T14284DD64F0B6ECB3DA126B7039FCF91C91AD71551386868E365AF0B692D330031DDBA9
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e0c6dfa5aeebcbdc (20 x Fabookie, 2 x AsyncRAT)
Reporter	abuse_ch
Tags:	exe Fabookie

Intelligence

File Origin

# of uploads :

# of downloads :

260

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d11703d3070e6c9a95017bd00357c8b9.exe

Verdict:

Malicious activity

Analysis date:

2023-07-13 07:50:08 UTC

Tags:

fabookie stealer

Link:

https://app.any.run/tasks/185760ee-6b2f-4247-ba60-54a0527c9f1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/417304/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.68138225.12593.5085.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin shell32

Link:

https://www.filescan.io/uploads/64afabbd057bff26cf236681/reports/b2337fdd-70b3-4d0b-bc93-1a358eb4c2ee/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a07c7ceca330c2c46b54cf70b047503d02d76475d22c0b0bb6f6f2dfc5c05b5d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/f4a06b51-718b-4e64-8477-1697857cf1d5

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1272272

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to steal Chrome passwords or cookies

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a07c7ceca330c2c46b54cf70b047503d02d76475d22c0b0bb6f6f2dfc5c05b5d/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-07-12 17:00:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 38 (34.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ub6hz3fdgdbmi22uz5ylar2qhubnozdv2iwawc5w63zn7roalnoq._file

Verdict:

malicious

Fabookie

274f5d3d6967d77475ceee848a0dff2cfc9993923861de020e3856bd54ba8fc7

Fabookie

29ee51c21a3976410dd563dc4ed017f321ce95fdae61a0166af8a25f3b93f88a

Fabookie

385085d13fce8c2645337c072a9178fa3adc98b1382b9c7c9c29c3c3c1177dd2

Fabookie

5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011

Fabookie

7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad

Fabookie

8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9

Fabookie

cb9b591fb411abb5ba554f6679775eea77df4b035618f679e5bf11cccf215574

Fabookie

cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de

Fabookie

+ 318 additional samples on MalwareBazaar

Result

Malware family:

fabookie

Score:

10/10

Tags:

family:fabookie spyware stealer

Link:

https://tria.ge/reports/230713-jl1faagg3z/

Behaviour

Reads user/profile data of web browsers

Detect Fabookie payload

Fabookie

Unpacked files

SH256 hash:

a07c7ceca330c2c46b54cf70b047503d02d76475d22c0b0bb6f6f2dfc5c05b5d

MD5 hash:

d11703d3070e6c9a95017bd00357c8b9

SHA1 hash:

0b129f820e3ae2d5d54ea1ec00f10631fb14e3da

Link:

https://www.unpac.me/results/381a1cad-525e-4341-bdc3-5da6db0d988b/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers