MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baf93636b866c7974ce40d6783425066ef229efe94c735d77e52fe6d953eadc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Fabookie


Vendor detections: 10



SHA256 hash: baf93636b866c7974ce40d6783425066ef229efe94c735d77e52fe6d953eadc5
SHA3-384 hash: a76c29b7144007e6b30ddb94ce804a977b004255f87bb7801abf480d5515ef2f841e662375af8cea9f3e2accf722ec5f
SHA1 hash: 7d003e441760971831ff06340adb4b29221e6014
MD5 hash: c554cf339e4cae3e012eb66d5682ed19
humanhash: sodium-double-burger-london
File name: file
Download: download sample
Signature: Fabookie
File size: 5'938'912 bytes
First seen: 2024-01-16 16:32:45 UTC
Last seen: 2024-01-16 18:22:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 2f878237a44846aff6db0d52e6019597 (1 x Fabookie)
ssdeep 49152:B53ubbE8SmEq4xICTNkiQ9ZD0xsO7EXRZPcgFLIxVr8VySZ7ORC1hmYqhjN9apSn:mYnTEhi8VxAGg9abMSS8+shxK
Threatray 40 similar samples on MalwareBazaar
TLSH T178569E06A7D415E9E06BC732CA6AC733E6F1F85B0732C78B0514D2461E779A24FAB235
TrID 60.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 009286868686f800 (4 x Stealc, 4 x AgentTesla, 3 x Smoke Loader)
Reporter jstrosch
Tags: exe Fabookie signed X64

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-01-11T20:21:19Z
Valid to: 2025-01-11T20:21:19Z
Serial number: 9a1b885b40b02a05c50aa675fa0813cb
Thumbprint Algorithm: SHA256
Thumbprint: 362d3ce755c416eeb8ceb18554e3d5fccb48ebffe3905b1ab725fd560aea3047
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


jstrosch
Found at hxxp://15.204.49[.]148/files/file2.exe by #subcrawl

Intelligence


File Origin
# of uploads: 2
# of downloads: 342
Origin country: US
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug control hacktool lolbin overlay packed powershell redcap
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: HTMLPhisher, Fabookie, GuLoader, Stealc
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected BlockedWebSite
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected GuLoader
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1375541
Sample: file.exe
Start date: 16/01/2024
Architecture: WINDOWS
Score: 100

Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus detection for dropped file; 12 other signatures

Process tree (rebuilt from the graph node labels; contacted IPs, dropped files and signatures are listed under the process they were attributed to):

file.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; 3 other signatures
  -> jsc.exe
       network: 194.104.136.64 (SMEERBOEL-ASSMEERBOELBVNL, Netherlands); 107.167.110.211 (OPERASOFTWAREUS, United States); 17 other IPs or domains
       dropped: C:\Users\...\zcV3OhUKh4DI4zWP0VKJVP9S.exe (PE32+); C:\Users\...\zIU2FUC2bwXYUUiN9b2aTK8c.exe (PE32+); C:\Users\...\xjJFFrKBpzcbFYLiIXL3CknJ.exe (PE32); 488 other malicious files
       signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
       -> XziP6wrWtMDABTFQHCGFv5jP.exe
            network: 185.172.128.53, 185.172.128.90 (NADYMSS-ASRU, Russian Federation)
            dropped: C:\Users\user\AppData\Local\...\nswD758.tmp (PE32); C:\Users\user\AppData\Local\...\INetC.dll (PE32); 2 other malicious files
            -> nswD758.tmp
                 network: 185.172.128.79 (NADYMSS-ASRU, Russian Federation)
                 dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (5 malicious)
                 signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 4 other signatures
            -> BroomSetup.exe
                 -> cmd.exe
                      signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                      -> conhost.exe
                      -> chcp.com
                      -> schtasks.exe
       -> J58PmoP0uop8mcimJmxdlaoD.exe
            network: 107.167.110.218, 107.167.125.189 (OPERASOFTWAREUS, United States); 7 other IPs or domains
            dropped: 10 other malicious files
            signatures: Writes many files with high entropy
            -> J58PmoP0uop8mcimJmxdlaoD.exe
                 dropped: Opera_installer_2401161643048658096.dll (PE32)
                 -> J58PmoP0uop8mcimJmxdlaoD.exe
                      dropped: Opera_installer_2401161643059647332.dll (PE32)
            -> J58PmoP0uop8mcimJmxdlaoD.exe
                 dropped: Opera_installer_2401161643026886916.dll (PE32)
            -> J58PmoP0uop8mcimJmxdlaoD.exe
                 dropped: Opera_installer_2401161643036086432.dll (PE32)
       -> mhbbzVxGeWJFHJ1BBW1F9VGW.exe
            dropped: C:\Users\user\AppData\Local\Temp\...\Zip.dll (PE32); 12 other malicious files
            signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
       -> 22 other processes
            network: 154.92.15.189 (HKKFGL-AS-APHKKwaifongGroupLimitedHK, Seychelles); 6 other IPs or domains
            dropped: C:\Users\user\AppData\Local\Temp\...\Zip.dll (PE32); C:\Users\user\AppData\Local\...\Checker.dll (PE32); 13 other malicious files
            signatures: Query firmware table information (likely to detect VMs); Creates an undocumented autostart registry key; Tries to harvest and steal browser information (history, passwords, etc)
            -> C1YUDSofcZGTWJHCosRv0goK.exe
                 dropped: Opera_installer_2401161643129263856.dll (PE32)
  -> powershell.exe
       -> conhost.exe
       -> WmiPrvSE.exe
cmd.exe (three instances, each started directly from the sample start node)
  -> conhost.exe
Threat name: Win64.Adware.RedCap
Status: Malicious
First seen: 2024-01-13 10:11:49 UTC
File Type: PE+ (Exe)
Extracted files: 2
AV detection: 17 of 38 (44.74%)
Threat level: 1/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Checks whether UAC is enabled
UAC bypass
Unpacked files
SHA256 hash: baf93636b866c7974ce40d6783425066ef229efe94c735d77e52fe6d953eadc5
MD5 hash: c554cf339e4cae3e012eb66d5682ed19
SHA1 hash: 7d003e441760971831ff06340adb4b29221e6014
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe baf93636b866c7974ce40d6783425066ef229efe94c735d77e52fe6d953eadc5 (this sample)

Delivery method: Distributed via web download

Comments