MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6ccb79b56c67aaa14bae99de29d25fcc220a041161c7e1985dd0cf8707220bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 4

Intelligence 4 IOCs YARA 8 File information Comments

SHA256 hash:	b6ccb79b56c67aaa14bae99de29d25fcc220a041161c7e1985dd0cf8707220bd
SHA3-384 hash:	7d5288656b133cc9a1bf07e2776d15746a824ef5ecf76c373af9c0646d5284fab527d33ac1fa32b1b7c54d6cadeef023
SHA1 hash:	be0e03e85e211a18da3e04236618e65e2711feb6
MD5 hash:	d471887769a6d012118d8cd3be559ffb
humanhash:	black-london-jupiter-diet
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	4'273'168 bytes
First seen:	2023-01-28 15:31:57 UTC
Last seen:	2023-01-29 10:52:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7d439cf7cce4ada1cedf21e9354e3639 (1 x Fabookie)
ssdeep	98304:maYigx63mX23GcvTRF1poCBIIUk6NCuBrwC4QWIyVQ:1YigxhG3rNFPooIIUk6NCux74QWtVQ
TLSH	T1121633DB79E2A060DCA855FE39A1498F4B395CE341A1179604FBF763CBAAF0843F6450
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	cfacabe9e9f1b2dc (1 x RedLineStealer, 1 x Fabookie)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from https://vk.com/doc139074685_655132456?hash=nxosiLiLMRsfEByeA1DCDnIIabEs6tv7eWqGIuxXwzD&dl=GEZTSMBXGQ3DQNI:1674919781:YfEyRPvYefvcFxZNSZt40LRSHSqllZr0m1A5OWDPeND&api=1&no_preview=1#lyla

Intelligence

File Origin

# of uploads :

534

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-01-28 15:32:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/dcb960b6-fc2c-4d3a-bb2f-ce6306ee8901

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/357757/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63d53ff41c9cbf7d6253d8d8/reports/f0c81f20-1fe6-45d6-b871-8ae013ec90e9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2b76eb2b-3793-467c-bcfa-3e6e7a325308

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1160804

Signature

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b6ccb79b56c67aaa14bae99de29d25fcc220a041161c7e1985dd0cf8707220bd/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w3glpg2wyz5kuff25go6fhjf7tbcbicbcyoh4gmf3ugpq4dsec6q._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/230128-sylx4afc47/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Themida packer

Checks BIOS information in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

b6ccb79b56c67aaa14bae99de29d25fcc220a041161c7e1985dd0cf8707220bd

MD5 hash:

d471887769a6d012118d8cd3be559ffb

SHA1 hash:

be0e03e85e211a18da3e04236618e65e2711feb6

Link:

https://www.unpac.me/results/859d1a34-f0fc-4155-b962-82f5b3b1023c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/b6ccb79b56c67aaa14bae99de29d25fcc220a041161c7e1985dd0cf8707220bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	SUSP_PDB_Path_Keywords Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious PDB paths
Reference:	https://twitter.com/stvemillertime/status/1179832666285326337?s=20

Rule name:	SUSP_PDB_Path_Keywords_RID2F34 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious PDB paths
Reference:	https://twitter.com/stvemillertime/status/1179832666285326337?s=20

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/357757/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample