MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9baac6fc608e54c488768a8c6908b8c0f73353771e6442792d3ada09c5520d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9baac6fc608e54c488768a8c6908b8c0f73353771e6442792d3ada09c5520d6
SHA3-384 hash: 4aca5d76c7dea3238c7d631b640a32bf22d8ad886f9bf6f10a0e440e2f469d23e5601e615e60e92b536f072ea83c0462
SHA1 hash: b9f134e6b6dcff78edd2471b23acb5d816183cea
MD5 hash: 5940bb0bd5efe577f710501ad552e2f7
humanhash: quiet-hot-mike-kitten
File name:file
Download: download sample
Signature Fabookie
Create hunting rule
File size:296'448 bytes
First seen:2023-05-26 22:40:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ea1866af0e097b7b73a6d1cadb8810b (2 x RedLineStealer, 2 x Fabookie, 1 x ArkeiStealer)
ssdeep 3072:s18um8RaA5Yh1VHnx+scfRtrn7njkF2baYqhRl1FVu0gFMMW0G5oD91w7N:sTjRdy7x+j7ngF2Xq1FVu0gVJD
Threatray 109 similar samples on MalwareBazaar
TLSH T15E543B8392E17D94E9264B739E2EC6E8771DF6548F093B55A218AEEF04F8072D173381
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9028204002140220 (1 x Fabookie)
Reporter andretavare5
Tags:exe Fabookie


Avatar
andretavare5
Sample downloaded from http://hugersi.com/dl/6523.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
US US
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-26 22:43:08 UTC
Tags:
loader smoke trojan ransomware stop stealer vidar arkei
Link:
https://app.any.run/tasks/2db016a6-9815-4b2e-928d-688cf9c68572

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392286/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/6471357e3e38acf64c06396a/reports/1592555b-da29-44fb-ad46-68525f4f56de/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a9baac6fc608e54c488768a8c6908b8c0f73353771e6442792d3ada09c5520d6
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c012da4f-d7dc-42a1-a0c6-ae0bc344ebdc
Result
Threat name:
Amadey, Babuk, Clipboard Hijacker, Djvu,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243533
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876542 Sample: file.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 111 api.2ip.ua 2->111 113 zexeq.com 2->113 115 2 other IPs or domains 2->115 149 Snort IDS alert for network traffic 2->149 151 Multi AV Scanner detection for domain / URL 2->151 153 Found malware configuration 2->153 157 20 other signatures 2->157 13 file.exe 2->13         started        16 daffvjg 2->16         started        signatures3 155 System process connects to network (likely due to code injection or exploit) 111->155 process4 signatures5 203 Detected unpacking (changes PE section rights) 13->203 205 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->205 207 Maps a DLL or memory area into another process 13->207 209 Creates a thread in another existing process (thread injection) 13->209 18 explorer.exe 10 43 13->18 injected 211 Multi AV Scanner detection for dropped file 16->211 213 Machine Learning detection for dropped file 16->213 215 Checks if the current machine is a virtual machine (disk enumeration) 16->215 process6 dnsIp7 117 187.209.146.8 UninetSAdeCVMX Mexico 18->117 119 201.124.33.177, 49704, 80 UninetSAdeCVMX Mexico 18->119 121 12 other IPs or domains 18->121 75 C:\Users\user\AppData\Roaming\iwffvjg, PE32 18->75 dropped 77 C:\Users\user\AppData\Roaming\daffvjg, PE32 18->77 dropped 79 C:\Users\user\AppData\Local\Temp\DEF3.exe, PE32 18->79 dropped 81 16 other malicious files 18->81 dropped 159 System process connects to network (likely due to code injection or exploit) 18->159 161 Benign windows process drops PE files 18->161 163 Deletes itself after installation 18->163 165 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->165 23 4B79.exe 18->23         started        26 DEF3.exe 18->26         started        29 B18D.exe 18->29         started        31 8 other processes 18->31 file8 signatures9 process10 file11 179 Multi AV Scanner detection for dropped file 23->179 181 Detected unpacking (changes PE section rights) 23->181 183 Detected unpacking (overwrites its own PE header) 23->183 185 Writes a notice file (html or txt) to demand a ransom 23->185 33 4B79.exe 1 16 23->33         started        83 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 26->83 dropped 85 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 26->85 dropped 87 C:\Users\user\AppData\Local\...87ewPlayer.exe, PE32 26->87 dropped 187 Antivirus detection for dropped file 26->187 189 Machine Learning detection for dropped file 26->189 37 aafg31.exe 26->37         started        191 Injects a PE file into a foreign processes 29->191 40 B18D.exe 29->40         started        193 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 31->193 195 Maps a DLL or memory area into another process 31->195 197 Sample uses process hollowing technique 31->197 199 2 other signatures 31->199 42 4B79.exe 14 31->42         started        44 8E5D.exe 31->44         started        46 4B79.exe 31->46         started        48 3 other processes 31->48 signatures12 process13 dnsIp14 97 api.2ip.ua 162.0.217.254, 443, 49702, 49705 ACPCA Canada 33->97 73 C:\Users\user\AppData\Local\...\4B79.exe, PE32 33->73 dropped 50 4B79.exe 33->50         started        53 icacls.exe 33->53         started        99 jp.imgjeoighw.com 103.100.211.218 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 37->99 109 7 other IPs or domains 37->109 167 Multi AV Scanner detection for dropped file 37->167 169 Tries to harvest and steal browser information (history, passwords, etc) 37->169 55 B18D.exe 40->55         started        101 211.59.14.90, 49710, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 42->101 103 zexeq.com 42->103 105 192.168.2.1 unknown unknown 42->105 107 api.2ip.ua 48->107 file15 171 System process connects to network (likely due to code injection or exploit) 107->171 signatures16 process17 signatures18 147 Injects a PE file into a foreign processes 50->147 57 4B79.exe 50->57         started        62 B18D.exe 55->62         started        process19 dnsIp20 127 zexeq.com 189.245.63.16, 49707, 49715, 80 UninetSAdeCVMX Mexico 57->127 129 211.119.84.112, 49708, 49719, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 57->129 135 2 other IPs or domains 57->135 89 C:\Users\user\AppData\Local\...\build3.exe, PE32 57->89 dropped 91 C:\Users\user\AppData\Local\...\build2.exe, PE32 57->91 dropped 93 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 57->93 dropped 95 6 other malicious files 57->95 dropped 201 Modifies existing user documents (likely ransomware behavior) 57->201 64 build2.exe 57->64         started        67 build3.exe 57->67         started        131 colisumy.com 62->131 133 api.2ip.ua 62->133 file21 signatures22 process23 signatures24 137 Multi AV Scanner detection for dropped file 64->137 139 Detected unpacking (changes PE section rights) 64->139 141 Detected unpacking (overwrites its own PE header) 64->141 145 2 other signatures 64->145 69 build2.exe 64->69         started        143 Antivirus detection for dropped file 67->143 process25 dnsIp26 123 t.me 149.154.167.99, 443, 49721 TELEGRAMRU United Kingdom 69->123 125 78.47.34.59, 30303, 49723 HETZNER-ASDE Germany 69->125 173 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 69->173 175 Tries to harvest and steal browser information (history, passwords, etc) 69->175 177 Tries to steal Crypto Currency Wallets 69->177 signatures27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9baac6fc608e54c488768a8c6908b8c0f73353771e6442792d3ada09c5520d6/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 22:41:05 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vg5ky36gbdsuysehncumneelrqhxgnjxohteij4s2ow2bhcvedla._file
Verdict:
malicious
Similar samples:
366256d8bc860722ec6e477fab7cd6df2fb642516264988c240935b27b1379d4
Fabookie
3a67b0ab2662d759bfcaa276c5f65effbc1030f94f8ec0531ca5ab18e1aa9cbc
Fabookie
3c5aecd6a2e3b0699df8b04e5bc904733af2646f70f14241d7378c86faedbe16
Fabookie
3cb96ac6bb492a4aca87a578b439037b08a099feb4203ec99d5aebfcea6a3f7b
Fabookie
660c744497e3c7a2c24c94ace034bcda802af3a1bbaaa156828380647e058260
Fabookie
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8
Fabookie
a41f46ef947c9ff3b1e5625e6cf5799e776a55e48f54f7fffe19e08e826de99a
Fabookie
dee582a9de9d3898828df531fbaf1ee6d67bee111d5087241716d7af02777777
Fabookie
dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630
Fabookie
e5e2ef8cf7f3d9e07325520999ed8dc6b1e1bb97ad78ff9b21156c4ffa8dce4d
Fabookie
+ 99 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230526-2l3vhshd98/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
45.9.74.80/0bjdn2Z/index.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
Gathering data
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9baac6fc608/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9baac6fc608e54c488768a8c6908b8c0f73353771e6442792d3ada09c5520d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
Cape
Cape
https://www.capesandbox.com/analysis/392286/

Comments