MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae8ed0840c29fa1d5b68c68b2b4aa007b9a92095356c35cdd702756fed845844. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae8ed0840c29fa1d5b68c68b2b4aa007b9a92095356c35cdd702756fed845844
SHA3-384 hash: 3cd8136a3576d20dc2055984a47e042c0693231acf07d7a3a5ee698e3ef27031b1194115b00e86205a7bc2084e440ed1
SHA1 hash: 3f7238201d9fc4a97faded1e765f022a90657884
MD5 hash: f5da35f30b7f43779e799bc37fe77dc7
humanhash: queen-red-alpha-robert
File name:file
Download: download sample
Signature Fabookie
Create hunting rule
File size:3'658'240 bytes
First seen:2023-01-13 13:51:44 UTC
Last seen:2023-01-13 15:37:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 245fbb05d3da4d7c6badd5cc3e1f9b98 (38 x Fabookie)
ssdeep 98304:X0UgfF85N7FfIlqyz2tA7TPL0ayyH08N1hoV:X0Ug+N5fcz2te0nAFVoV
Threatray 29 similar samples on MalwareBazaar
TLSH T1D90612FE6158335CC42ACC749123BD1AB2F5011E0BF996AA71CF7AD07BA7524DA12F06
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Reporter jstrosch
Tags:exe Fabookie X64

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
https://www.fitnessunplugged.co.za/wp-content/download/File.zip?cbf=file.zip
Verdict:
Malicious activity
Analysis date:
2023-01-12 12:52:24 UTC
Tags:
opendir evasion loader trojan amadey rat redline stealer vidar gcleaner
Link:
https://app.any.run/tasks/7ff6d2ea-6e9e-498d-b5dd-19ca9b533f95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352609/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64889868.1448.26116.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c16212c4d55062311268ac/reports/de2d5d5e-b7e5-4b32-8963-671f7fd91bc8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9442df83-243a-431d-b9a4-9ee102702b15
Result
Threat name:
Fabookie
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1151136
Signature
Antivirus detection for URL or domain
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Fabookie
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae8ed0840c29fa1d5b68c68b2b4aa007b9a92095356c35cdd702756fed845844/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-10 09:38:16 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
26 of 39 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2hnbbamfh5b2w3iy2fswsvaa642sievgvwdltoxaj2w73melbca._file
Verdict:
malicious
Similar samples:
4ec69d6a18974df6344363827ce77bb9e5eee5bf5082f71698f134c91c9a6138
Fabookie
52697c1d25cb64b2939de7e887832f30927fc597074cc93f274daec609ff08e3
Fabookie
8e9e044de1b05067e1ee4cfd8e533ddce98a98423a2d701e198fc80640f032a4
Fabookie
8fb50a574fd1aa8828c17c9aee81ba2b08a435290eca3f2830e5a41d65199b52
Fabookie
9f20dcac19fb7fe1b341d073280ccd40ecb48b2abe2853c63e6caa0b332ed59a
Fabookie
af8890c3a9430938483b741df88f6806b25f6723713f978aaefb4a8989d6aca9
Fabookie
d6cde7214122a3c08f0a0c66673ae8c70188740d780cde1b5eb1f839d412a17f
Fabookie
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/230113-q6esmshd26/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
VMProtect packed file
Unpacked files
SH256 hash:
ae8ed0840c29fa1d5b68c68b2b4aa007b9a92095356c35cdd702756fed845844
MD5 hash:
f5da35f30b7f43779e799bc37fe77dc7
SHA1 hash:
3f7238201d9fc4a97faded1e765f022a90657884
Link:
https://www.unpac.me/results/0164cefe-8816-4bfc-93bd-8eb101cf5b7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ae8ed0840c29fa1d5b68c68b2b4aa007b9a92095356c35cdd702756fed845844

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe ae8ed0840c29fa1d5b68c68b2b4aa007b9a92095356c35cdd702756fed845844

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2490910/
Cape
Cape
https://www.capesandbox.com/analysis/352609/

Comments