MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Fabookie


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
SHA3-384 hash: 9203cad6089114e28318c212eea983ca64980a5361224364bd38bc058e5a81db526f85cca7960f7e94a3110d2a383abe
SHA1 hash: 889ae8ce433d5357f8ea2aff64daaba563dc94e3
MD5 hash: 7837314688b7989de1e8d94f598eb2dd
humanhash: mike-connecticut-eighteen-texas
File name:sotema_1.txt
Download: download sample
Signature Fabookie
Create hunting rule
File size:696'364 bytes
First seen:2023-01-22 23:13:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a044253673528dd98a9dd008f2a6b058 (1 x Fabookie)
ssdeep 12288:Umn1vBXNJl0P3ZbcCAjqH0d5Q+qUH6wyZQMvvdgMiCIT:n1vJNJla39cGH0d+7sOlQCIT
Threatray 630 similar samples on MalwareBazaar
TLSH T174E4120372C3D831E0BA5B3151B0D2B19EBAED504FB4DEA76B585BA91D711C08D3BA63
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:exe Fabookie

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
277fd76ff56a3a06584c0cc7f2fea9f6c1e6287cc3228cf427a0eb1a10f595ec.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 01:30:48 UTC
Tags:
trojan evasion stealer vidar rat redline ficker phishing
Link:
https://app.any.run/tasks/afacdd67-fcdd-4cb5-9cb4-0b22b1db0531

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fabookie Infostealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355715/
Detection(s):
Win.Dropper.Wacapew-9874576-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
DNS request
Sending a UDP request
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62336/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63cdc33b1c9cbf7d6251715f/reports/16608a6b-eeaf-49ce-9974-c68d3cb7d521/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49b093c2-000f-48fb-9413-126598132d36
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156644
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
System process connects to network (likely due to code injection or exploit)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789376 Sample: sotema_1.txt.exe Startdate: 23/01/2023 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 5 other signatures 2->54 8 sotema_1.txt.exe 5 2->8         started        process3 file4 32 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\axhub.dll.lnk, MS 8->34 dropped 11 rundll32.exe 3 8->11         started        14 conhost.exe 8->14         started        process5 signatures6 56 Contains functionality to infect the boot sector 11->56 58 Contains functionality to inject threads in other processes 11->58 60 Contains functionality to inject code into remote processes 11->60 62 5 other signatures 11->62 16 svchost.exe 1 11->16 injected 19 svchost.exe 4 11->19 injected 22 svchost.exe 11->22 injected 24 17 other processes 11->24 process7 dnsIp8 40 System process connects to network (likely due to code injection or exploit) 16->40 42 Contains functionality to inject threads in other processes 16->42 44 Sets debug register (to hijack the execution of another thread) 16->44 46 5 other signatures 16->46 26 svchost.exe 2 16->26         started        36 20.190.159.3 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->36 30 WMIADAP.exe 4 22->30         started        signatures9 process10 dnsIp11 38 email.yg9.me 35.241.7.66 GOOGLEUS United States 26->38 64 Query firmware table information (likely to detect VMs) 26->64 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247/
Threat name:
Win32.Downloader.Zenlod
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 19:48:39 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
29 of 41 (70.73%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dbi2b6dmwdtwtudglyfp4dc4zps3ugnjvmz7wfrnwbozjopijdq._file
Verdict:
malicious
Similar samples:
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
Fabookie
7236d2230905b8b69837f4771afd6cfedf8f53fa370bc6e40adde9d29a0b7153
Fabookie
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
Fabookie
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
Fabookie
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
Fabookie
fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
Fabookie
+ 620 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230122-27y4fsca6x/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unexpected DNS network traffic destination
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
f25fc786c068e7fb8d328a6d0314d448a455cc40d4bae93b850bd7921a92565a
MD5 hash:
9e5af49adebd237165adc274659a751a
SHA1 hash:
558087e9f632c5b7863f3e88f05fa5dec178915d
Detections:
win_pseudo_manuscrypt_auto
Create hunting rule
Link:
https://www.unpac.me/results/e0fb7a73-6005-45e1-bd25-21f09ca2978a/
Parent samples :
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
7236d2230905b8b69837f4771afd6cfedf8f53fa370bc6e40adde9d29a0b7153
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
SH256 hash:
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
MD5 hash:
89c739ae3bbee8c40a52090ad0641d31
SHA1 hash:
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
Link:
https://www.unpac.me/results/e0fb7a73-6005-45e1-bd25-21f09ca2978a/
SH256 hash:
d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
MD5 hash:
7837314688b7989de1e8d94f598eb2dd
SHA1 hash:
889ae8ce433d5357f8ea2aff64daaba563dc94e3
Link:
https://www.unpac.me/results/e0fb7a73-6005-45e1-bd25-21f09ca2978a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d8c28d07c365/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355715/

Comments