MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8
SHA3-384 hash: 5339e3a0d531e7fe9ff02b42da33b93d1581752e7d4fba6c4b71aef9a143cdf26e121c085466ef5e2ba3807cd6ffe678
SHA1 hash: a2a02cab2a78cfeccd3f784e19a7760ef38e41df
MD5 hash: 65f8ca11d9a18baf3fecf7797b9ba867
humanhash: cup-victor-fish-zebra
File name:65f8ca11d9a18baf3fecf7797b9ba867.exe
Download: download sample
Signature Fabookie
Create hunting rule
File size:390'102 bytes
First seen:2023-04-12 12:47:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'446 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:x/QiQXCFkm+ksmpk3U9j0I99OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3FP6m6UR0IPlL//plmW9bTXeVhDrE
Threatray 294 similar samples on MalwareBazaar
TLSH T1ED841242F3E14439E073CEB06CA0E962493F79255DBC650836ECAD8F9F3B5825256793
TrID 75.1% (.EXE) Inno Setup installer (109740/4/30)
9.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:85-217-144-143 exe Fabookie

Intelligence

File Origin
# of uploads :
1
# of downloads :
230
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
65f8ca11d9a18baf3fecf7797b9ba867.exe
Verdict:
Malicious activity
Analysis date:
2023-04-12 12:53:21 UTC
Tags:
installer evasion loader
Link:
https://app.any.run/tasks/f1fe106f-a3c9-49d7-86ec-6ea469275ab8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381788/
Detection(s):
SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP POST request
Creating a file in the Program Files subdirectories
Creating a file
Searching for synchronization primitives
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77601/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
greyware installer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6436a883e90389fc714b3bd1/reports/4f219583-8192-419d-b662-91de019953ca/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fee0cce1-7b73-49d3-9372-3e8d6163d009
Result
Threat name:
Fabookie, Nymaim, Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212545
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 845462 Sample: 8jbh44onUJ.exe Startdate: 12/04/2023 Architecture: WINDOWS Score: 100 85 45.12.253.72 CMCSUS Germany 2->85 87 45.12.253.75 CMCSUS Germany 2->87 89 8 other IPs or domains 2->89 119 Snort IDS alert for network traffic 2->119 121 Multi AV Scanner detection for domain / URL 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 15 other signatures 2->125 12 8jbh44onUJ.exe 2 2->12         started        16 Gishilojebe.exe 15 19 2->16         started        19 Gishilojebe.exe 2->19         started        signatures3 process4 dnsIp5 73 C:\Users\user\AppData\...\8jbh44onUJ.tmp, PE32 12->73 dropped 135 Obfuscated command line found 12->135 21 8jbh44onUJ.tmp 3 19 12->21         started        79 uchiha.s3.pl-waw.scw.cloud 16->79 81 senju.s3.pl-waw.scw.cloud 16->81 83 2 other IPs or domains 16->83 file6 signatures7 process8 dnsIp9 91 eu-central-2.wasabisys.com 154.49.215.100, 49698, 80 NETRIX-ASNetrixFR United States 21->91 93 s3.eu-central-2.wasabisys.com 21->93 57 C:\Users\user\AppData\Local\...\mosaLAh.exe, PE32 21->57 dropped 59 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 21->59 dropped 61 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 21->61 dropped 63 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->63 dropped 25 mosaLAh.exe 22 17 21->25         started        file10 process11 dnsIp12 99 s3.eu-central-2.wasabisys.com 25->99 101 n8w5.c12.e2-1.dev 25->101 103 7 other IPs or domains 25->103 65 C:\Users\user\AppData\...\Rashunequny.exe, PE32 25->65 dropped 67 C:\Program Files (x86)\...behaviorgraphishilojebe.exe, PE32 25->67 dropped 69 C:\Users\user\...\Rashunequny.exe.config, XML 25->69 dropped 71 C:\...behaviorgraphishilojebe.exe.config, XML 25->71 dropped 133 Multi AV Scanner detection for dropped file 25->133 30 Rashunequny.exe 14 9 25->30         started        file13 signatures14 process15 dnsIp16 105 iplogger.org 148.251.234.83, 443, 49725, 49754 HETZNER-ASDE Germany 30->105 107 google.com 216.58.215.238 GOOGLEUS United States 30->107 109 6 other IPs or domains 30->109 75 C:\Users\user\AppData\Local\...\gcleaner.exe, PE32 30->75 dropped 77 C:\Users\user\AppData\Local\Temp\...\ss29.exe, PE32+ 30->77 dropped 111 Antivirus detection for dropped file 30->111 113 Multi AV Scanner detection for dropped file 30->113 115 May check the online IP address of the machine 30->115 117 Machine Learning detection for dropped file 30->117 35 cmd.exe 30->35         started        37 cmd.exe 30->37         started        file17 signatures18 process19 process20 39 gcleaner.exe 35->39         started        43 conhost.exe 35->43         started        45 ss29.exe 37->45         started        47 conhost.exe 37->47         started        dnsIp21 95 45.12.253.56, 49735, 80 CMCSUS Germany 39->95 127 Detected unpacking (changes PE section rights) 39->127 129 Detected unpacking (overwrites its own PE header) 39->129 49 WerFault.exe 39->49         started        51 WerFault.exe 39->51         started        53 WerFault.exe 39->53         started        55 4 other processes 39->55 97 bz.bbbeioaag.com 103.100.211.218, 49733, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 45->97 131 Tries to harvest and steal browser information (history, passwords, etc) 45->131 signatures22 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-11 15:23:13 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tuehwmmfdwmatkywy3j3xhvzrhgcnl2akqv5w3pyjwnaooxzhea._file
Verdict:
malicious
Similar samples:
5531490b3951e8793cb6ee449f75d6fb0b5c1347d1197ccda7ff1b9b15cf9661
Fabookie
5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
Fabookie
59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32
Fabookie
5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e
Fabookie
8b1813aef6ef673d4a0973bbf426857d251c21e71889376ba581652b5e56e4f3
Fabookie
a5a259c2d8f0eb4dde69a6d7131f86c36df3f5d75989f1c6888881cdf7bb6299
Fabookie
ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059
Fabookie
f5302b9e1f7a2c2c69ce10c5975d4ceee06a7cec5a9b834fd63dece231838fe7
Fabookie
+ 284 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner family:socelars evasion loader persistence spyware stealer
Link:
https://tria.ge/reports/230412-p1slwacd25/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Checks for common network interception software
GCleaner
Socelars
Socelars payload
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/8a293a48-18fa-4a4e-aa3b-3229d751657d/
SH256 hash:
d31d7e457f63b782597c6a674bac3819bc6fae9428a159da417f532195a5f7e5
MD5 hash:
5cc5292a39f04aa339fcb5eb3ade6490
SHA1 hash:
420fd09a221e82d43fa914904796957b5cbe2ddd
Link:
https://www.unpac.me/results/8a293a48-18fa-4a4e-aa3b-3229d751657d/
SH256 hash:
d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8
MD5 hash:
65f8ca11d9a18baf3fecf7797b9ba867
SHA1 hash:
a2a02cab2a78cfeccd3f784e19a7760ef38e41df
Link:
https://www.unpac.me/results/8a293a48-18fa-4a4e-aa3b-3229d751657d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Fabookie

Executable exe d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/381788/
  
URLhaus
https://urlhaus.abuse.ch/url/2608015/
  
Delivery method
Distributed via web download

Comments