MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad94eed4366e551f560d769134f0fd351a8ee9d5cec143316210659d0142f9b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad94eed4366e551f560d769134f0fd351a8ee9d5cec143316210659d0142f9b3
SHA3-384 hash: ec5ebb505925eca71837b983771fd12d364f771e267502433b4af28e51ac51e372aa94c1fc7992fc9f11e3a79bdb4c5b
SHA1 hash: 7670168decc098bfaa6c1f0feee1675609ebb382
MD5 hash: b2efcc4247bfffe4a6a09b4b66b20e33
humanhash: bakerloo-pizza-stream-march
File name:file.exe
Download: download sample
Signature Fabookie
Create hunting rule
File size:295'936 bytes
First seen:2023-05-27 02:20:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ea1866af0e097b7b73a6d1cadb8810b (2 x RedLineStealer, 2 x Fabookie, 1 x ArkeiStealer)
ssdeep 3072:Y1Cpgxl1bmnuCzQhgAeaoOoi+4+8lHNbLRI5zjiznOV0G5or9Zt2N:YKglFFcDRpmh+93Or
Threatray 2'003 similar samples on MalwareBazaar
TLSH T1C654291392E17D94E9268B739E1EC6EC771DF6548F0937692218AAEF04F02B2D173790
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a092486420208000 (1 x Fabookie)
Reporter Chainskilabs
Tags:exe Fabookie

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-05-27 02:22:17 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/75d31587-a929-479a-8ddc-870c666c90e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392349/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a window
Creating a file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/6471690faedbf977743b962b/reports/49fe5c35-9e5d-4e01-ab37-0b852d4c4f0c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ad94eed4366e551f560d769134f0fd351a8ee9d5cec143316210659d0142f9b3
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1b807825-4ba7-4870-ae15-190d57d68657
Result
Threat name:
Amadey, Clipboard Hijacker, Djvu, SmokeL
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243641
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes a notice file (html or txt) to demand a ransom
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876649 Sample: file.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 90 zexeq.com 2->90 92 colisumy.com 2->92 94 2 other IPs or domains 2->94 124 Snort IDS alert for network traffic 2->124 126 Multi AV Scanner detection for domain / URL 2->126 128 Found malware configuration 2->128 130 15 other signatures 2->130 11 file.exe 2->11         started        14 jvguvbi 2->14         started        16 F2F4.exe 2->16         started        signatures3 process4 signatures5 144 Detected unpacking (changes PE section rights) 11->144 146 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->146 148 Maps a DLL or memory area into another process 11->148 150 Creates a thread in another existing process (thread injection) 11->150 18 explorer.exe 12 48 11->18 injected 23 F2F4.exe 1 15 11->23         started        152 Multi AV Scanner detection for dropped file 14->152 154 Machine Learning detection for dropped file 14->154 156 Checks if the current machine is a virtual machine (disk enumeration) 14->156 158 Detected unpacking (overwrites its own PE header) 16->158 160 Injects a PE file into a foreign processes 16->160 25 F2F4.exe 12 16->25         started        process6 dnsIp7 96 shsplatform.co.uk 80.66.203.53 UKFASTGB United Kingdom 18->96 98 speedlab.com.eg 217.174.148.28, 443, 49720 TELEPOINTBG Bulgaria 18->98 102 9 other IPs or domains 18->102 66 C:\Users\user\AppData\Roaming\jvguvbi, PE32 18->66 dropped 68 C:\Users\user\AppData\Roaming\fcguvbi, PE32 18->68 dropped 70 C:\Users\user\AppData\Local\Temp\FECA.exe, PE32 18->70 dropped 74 16 other malicious files 18->74 dropped 132 System process connects to network (likely due to code injection or exploit) 18->132 134 Benign windows process drops PE files 18->134 136 Deletes itself after installation 18->136 138 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->138 27 5F42.exe 18->27         started        30 B142.exe 18->30         started        32 C4CE.exe 18->32         started        38 8 other processes 18->38 100 api.2ip.ua 162.0.217.254, 443, 49715, 49717 ACPCA Canada 23->100 72 C:\Users\user\AppData\Local\...\F2F4.exe, PE32 23->72 dropped 34 F2F4.exe 23->34         started        36 icacls.exe 23->36         started        file8 signatures9 process10 file11 162 Multi AV Scanner detection for dropped file 27->162 164 Detected unpacking (changes PE section rights) 27->164 166 Detected unpacking (overwrites its own PE header) 27->166 168 Writes a notice file (html or txt) to demand a ransom 27->168 41 5F42.exe 27->41         started        170 Machine Learning detection for dropped file 30->170 172 Injects a PE file into a foreign processes 30->172 44 B142.exe 30->44         started        174 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 32->174 176 Maps a DLL or memory area into another process 32->176 178 Checks if the current machine is a virtual machine (disk enumeration) 32->178 180 Creates a thread in another existing process (thread injection) 32->180 46 F2F4.exe 12 34->46         started        76 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 38->76 dropped 78 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 38->78 dropped 80 C:\Users\user\AppData\Local\...80ewPlayer.exe, PE32 38->80 dropped 182 Antivirus detection for dropped file 38->182 48 9D1A.exe 38->48         started        50 F2F4.exe 38->50         started        52 8902.exe 38->52         started        54 F2F4.exe 38->54         started        signatures12 process13 dnsIp14 104 api.2ip.ua 41->104 56 5F42.exe 41->56         started        106 api.2ip.ua 44->106 59 B142.exe 44->59         started        108 api.2ip.ua 46->108 110 api.2ip.ua 48->110 116 2 other IPs or domains 50->116 112 api.2ip.ua 52->112 114 api.2ip.ua 54->114 process15 signatures16 140 Injects a PE file into a foreign processes 56->140 61 5F42.exe 56->61         started        142 Sample uses process hollowing technique 59->142 process17 dnsIp18 118 zexeq.com 58.235.189.192, 49731, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 61->118 120 colisumy.com 61->120 122 2 other IPs or domains 61->122 82 C:\Users\user\AppData\Local\...\build3.exe, PE32 61->82 dropped 84 C:\Users\user\AppData\Local\...\build2.exe, PE32 61->84 dropped 86 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 61->86 dropped 88 6 other malicious files 61->88 dropped 184 Modifies existing user documents (likely ransomware behavior) 61->184 file19 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad94eed4366e551f560d769134f0fd351a8ee9d5cec143316210659d0142f9b3/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-05-27 02:21:05 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwko5vbwnzkr6vqno2itj4h5guni52ovz3augmlccbsz2akc7gzq._file
Verdict:
malicious
Similar samples:
0c26ec308dc78ef090ebec907e1eb15d6dfdc28a85fa27e0a945fc5354a3e5f9
Fabookie
0cc7060ce4d11da31e6de65632d1e78d2f6c9022393f1fa49b0bf845108ca3b1
Fabookie
1171766b3c8e74122333aedfcf8ff32bcd2e059043af434dc57a70b6015b3e63
Fabookie
314b7a6d969a0f4654bb6b3a80a58087dac25c26c5777270b0f53056ec5645c0
Fabookie
3ea8f457387940d5a64458d38284ed785a9e04e245cf28e03bfc38d5e9188599
Fabookie
62d622e4c6581c0dd50e5623a3328cf60ffa7e87dea131c294883a2b610f80f4
Fabookie
6ba6ba1ad5f6525a76e854affad5bb28d1e59c93bd26d88a9cf1da7b84ed3b27
Fabookie
74e17b7264117df362eb097195ec2f45be5b98594953426f81a861299dbc6958
Fabookie
c9fde93529396b5fa4d49f8932ff113dcb813a30462c32312ff1ef259ab1989d
Fabookie
f93b85ca07f0392ab1516a34b157e175936e45b31773d1dce409b7e4872a8946
Fabookie
+ 1'993 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 backdoor discovery persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/230527-cs1lasab95/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
45.9.74.80/0bjdn2Z/index.php
Gathering data
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad94eed4366e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad94eed4366e551f560d769134f0fd351a8ee9d5cec143316210659d0142f9b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe ad94eed4366e551f560d769134f0fd351a8ee9d5cec143316210659d0142f9b3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2479364/
Cape
Cape
https://www.capesandbox.com/analysis/392349/

Comments