MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6f1c4643dcc47ecfe495407c7ef7fcdae641f554ff005cac496695c9a3b6acf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	c6f1c4643dcc47ecfe495407c7ef7fcdae641f554ff005cac496695c9a3b6acf
SHA3-384 hash:	db363984be2cf285bd74d3576be62ea464f9068e803da563176d7f0955bcc61b3ae0e9550125ad14393dd99dd59a77f5
SHA1 hash:	6577462a3fccfd2fa13a2fec2e67e23c3e873fab
MD5 hash:	3e5ac747639b25a1f1e8972f5a1800c1
humanhash:	sodium-low-virginia-india
File name:	3e5ac747639b25a1f1e8972f5a1800c1.exe
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	406'528 bytes
First seen:	2023-07-25 18:18:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	96cc98468ed325b3857363887597bc67 (20 x Fabookie)
ssdeep	1536:qyK9MjWCNKIuOCWqeyGaOi2K+Sm6uCWqe+aOi2K+Sm6uuCuCWqeyGaOi2K+Sm6uN:qX9MVPuUXnAYy4AZ6LvcgJFW
Threatray	361 similar samples on MalwareBazaar
TLSH	T1F084DD64F0B2ECB3DA126B7039FCF91C91AD71551386869E365AF0B692D330031DDBA9
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e0c6dfa5aeebcbdc (20 x Fabookie, 2 x AsyncRAT)
Reporter	abuse_ch
Tags:	exe Fabookie

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3e5ac747639b25a1f1e8972f5a1800c1.exe

Verdict:

Malicious activity

Analysis date:

2023-07-25 18:28:38 UTC

Tags:

payload fabookie stealer

Link:

https://app.any.run/tasks/47ec0854-0752-4090-8276-28dac57b9db5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/433016/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader45.60932.14698.31849.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Query of malicious DNS domain

Sending an HTTP GET request to an infection source

Gathering data

Verdict:

Malicious

Labled as:

Win64/GenKryptik.GLUK trojan

Link:

https://www.hybrid-analysis.com/sample/c6f1c4643dcc47ecfe495407c7ef7fcdae641f554ff005cac496695c9a3b6acf

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bbd0ab36-c987-4795-a645-38ce2cd45595

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1279450

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to steal Chrome passwords or cookies

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c6f1c4643dcc47ecfe495407c7ef7fcdae641f554ff005cac496695c9a3b6acf/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-07-25 16:49:42 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y3y4izb5zrd6z7sjkqd4p337zwxgih2vj7yalsweszuvzgr3nlhq._file

Verdict:

suspicious

Fabookie

42acb4ebe6efba15eb0ed6d1c404335458cb4594493116edf2b0af257fd6e24e

Fabookie

5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011

Fabookie

6b18ec5cae276be9f2cb878aab10cb95d0181d3add903c265907f6a97fe8cda4

Fabookie

7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad

Fabookie

808ff54f7fb199adb18413322e1e530742522cc083d5e1706c872b99a879439d

Fabookie

8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9

Fabookie

a07c7ceca330c2c46b54cf70b047503d02d76475d22c0b0bb6f6f2dfc5c05b5d

Fabookie

cfb5c20ec8d95c35f7edb8743084d4491e43c62c575cf0102b4f6781c50689de

Fabookie

+ 351 additional samples on MalwareBazaar

Result

Malware family:

fabookie

Score:

10/10

Tags:

family:fabookie spyware stealer

Link:

https://tria.ge/reports/230725-wx6snafa32/

Behaviour

Reads user/profile data of web browsers

Detect Fabookie payload

Fabookie

Unpacked files

SH256 hash:

c6f1c4643dcc47ecfe495407c7ef7fcdae641f554ff005cac496695c9a3b6acf

MD5 hash:

3e5ac747639b25a1f1e8972f5a1800c1

SHA1 hash:

6577462a3fccfd2fa13a2fec2e67e23c3e873fab

Link:

https://www.unpac.me/results/d2e0e426-3e47-4963-8ccc-d5da2d5d2103/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c6f1c4643dcc47ecfe495407c7ef7fcdae641f554ff005cac496695c9a3b6acf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers