MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6f093cab7fdf21bad95cdcd929a04beb8a7896f76d5bda90f381424b4cc4ba4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6f093cab7fdf21bad95cdcd929a04beb8a7896f76d5bda90f381424b4cc4ba4
SHA3-384 hash: d14b145b52184f50c0d06598f8c554957d5007f2d59eb0b108333aeff2c131f9900500cc44d3b27e461f42d9418be7c6
SHA1 hash: d3905dc52626c191219f9a3ef2d5c1d9ea588da5
MD5 hash: 6ab6cddc3e46f5ca8e5d22764cd8c0fe
humanhash: paris-mike-foxtrot-mockingbird
File name:6ab6cddc3e46f5ca8e5d22764cd8c0fe.exe
Download: download sample
Signature Fabookie
Create hunting rule
File size:3'654'144 bytes
First seen:2023-01-16 09:38:16 UTC
Last seen:2023-01-16 11:41:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 245fbb05d3da4d7c6badd5cc3e1f9b98 (38 x Fabookie)
ssdeep 49152:D381G9Zu/5TapCNjj00JFFtvl2tkrtyML7ml3kDda8xrtwCIxFa00HEDLqJyTT:D3X9YxTWwFFPhX+5txd0
Threatray 240 similar samples on MalwareBazaar
TLSH T17A0601E86248375CC41E89B49537FD07B1B5461E4EF9D9BA76CB3B807BEB050EA02B05
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe Fabookie

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6ab6cddc3e46f5ca8e5d22764cd8c0fe.exe
Verdict:
No threats detected
Analysis date:
2023-01-16 09:51:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/085130a8-9ec5-4b2f-85cb-416431e25895

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353362/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.20258.16742.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c51b35acfeda6ef9c38746/reports/1c7f3f27-3053-4cfc-b016-9930a146faaf/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e35068b9-26bd-490b-92bc-8e0014906079
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1152259
Signature
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6f093cab7fdf21bad95cdcd929a04beb8a7896f76d5bda90f381424b4cc4ba4/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-16 09:28:44 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3yjhsvx7xzbxlmvzxgzfgqex24kpclpo3k33kiphakcjngmjosa._file
Verdict:
unknown
Similar samples:
1b67efa690ee66657a7d2a1e7438bdf7e74e64f4fdfa85e4aefceed1e0e1040d
Fabookie
30f5564e58d11d68bb6f8f01c745a9e60f2dd5362534c7c959868d9d554e86e5
Fabookie
40b86a2b5291abf9b82a49d4be4a86af674dd4dc91e73e9c864262d6b8ea7fe6
Fabookie
448637f85947f720db81c35d5eda815266f3fd15bcc8389376266cca995c2d9e
Fabookie
517b37b47dc15abc5ae733109d178dde2e34a6f0cc3d9f93b1869c3c576b3d76
Fabookie
51e0e7e4fe62c83990f3f6d6e276f8bed4fd4a0cb8c50eb69fff6d57368e7d11
Fabookie
8861820dc8db5498970674297b20d08f8ed1f18289341183c0d325001eefc0e7
Fabookie
a9f400b739db381fa4d0ee9dbda0829407400033b2d5a541b528a6577492f07b
Fabookie
adc91b86359875df0149a283a6dbf6c11a9d6e4fd494c1340f20b3324571bdda
Fabookie
c26a178b9957a5f6b66b0da22dc1071f0635c7d31864cb1db45083ec9ed26310
Fabookie
+ 230 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/230116-lml1dsgh7y/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
VMProtect packed file
Unpacked files
SH256 hash:
a6f093cab7fdf21bad95cdcd929a04beb8a7896f76d5bda90f381424b4cc4ba4
MD5 hash:
6ab6cddc3e46f5ca8e5d22764cd8c0fe
SHA1 hash:
d3905dc52626c191219f9a3ef2d5c1d9ea588da5
Link:
https://www.unpac.me/results/4c8e62e2-2803-425b-85de-62d0c3a69597/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6f093cab7fdf21bad95cdcd929a04beb8a7896f76d5bda90f381424b4cc4ba4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe a6f093cab7fdf21bad95cdcd929a04beb8a7896f76d5bda90f381424b4cc4ba4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2490910/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/353362/

Comments