MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9a35f03dee73888b8547d4d49977c53c0384b5273a8440b46e41bb54c25f52a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9a35f03dee73888b8547d4d49977c53c0384b5273a8440b46e41bb54c25f52a
SHA3-384 hash: 6c09d946197ca49f0df8d878db077f7dc15a1724a4c61e9d652fd215816b293016f1919782d2aa4b022a99a1a21d0258
SHA1 hash: b17d50ea72f97bb04877762a5fb3daaee191824a
MD5 hash: 349fd426e767925f14c39fd0ede2594e
humanhash: november-crazy-lake-robert
File name:FbMody.exe
Download: download sample
File size:1'890'857 bytes
First seen:2021-11-02 09:41:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aaaa8913c89c8aa4a5d93f06853894da (246 x Formbook, 82 x AgentTesla, 74 x RedLineStealer)
ssdeep 49152:33vc74JQrXhy1UJymm/mDlRv/P2d35owq1lh:33vc79Xhy6Umm/4X+95owET
Threatray 439 similar samples on MalwareBazaar
TLSH T1C695F11177D780B1DDDFF9741B2AE33A9B3655190262CCB39BF02E637D21003A63A669
File icon (PE):PE icon
dhash icon 8c8ccceef6e6eec6
Reporter Racco42
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FbMody.exe
Verdict:
Malicious activity
Analysis date:
2021-11-02 09:48:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad060d29-b748-43c7-90d7-95ccd951872b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201378/
Detection(s):
SecuriteInfo.com.Win32.HLLW.Steal.33.11938.15143.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
DNS request
Deleting a recently created file
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Creating a file in the mass storage device
Firewall traversal
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating a special LNK file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware hacktool keylogger overlay packed startpage
Link:
https://www.filescan.io/uploads/618107edbf51178dbe484db6/reports/6896beb0-1a35-4d51-a50b-8d2283939d50/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f9acc7f-d2c4-4878-91b2-2d7c2f59bfc3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/881157
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9a35f03dee73888b8547d4d49977c53c0384b5273a8440b46e41bb54c25f52a/
Threat name:
Win32.Worm.Jenxcus
Create hunting rule
Status:
Malicious
First seen:
2015-10-02 00:27:00 UTC
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0532411d15ff23b27d4f5306264a32e972c0181dcb5ca0fe8a9b6694a2280369
24846b5909d31e83e7b2f74cbc95f403d51b8377aca1b7e0184408b6d1670dca
4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e
6c3b8f706293d8462261afe66048575af6798cd0ebaec43f77a742609be0f869
6c72d759129b828faa7ec1928b87e3f7b4379980eebd79ca3d0b3ed721198266
873e3cdc28e17be1027c5b88f5899d2859b40bdbde0c929d32bb26468931c6e3
95865be8f76194d2d3c385034000ad089b98c0a78e582f7e5f95661b7a643d7e
ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4
deebba95dabc50ecaca9ec1a70f321b9712baa078ff94dce2cb2385900c21b20
+ 429 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/211102-lpcjqshbgm/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Enumerates connected drives
Drops startup file
Modifies Windows Firewall
Unpacked files
SH256 hash:
e9a35f03dee73888b8547d4d49977c53c0384b5273a8440b46e41bb54c25f52a
MD5 hash:
349fd426e767925f14c39fd0ede2594e
SHA1 hash:
b17d50ea72f97bb04877762a5fb3daaee191824a
Link:
https://www.unpac.me/results/d6dd36ce-6552-473a-9bf9-216b64bee973/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9a35f03dee73888b8547d4d49977c53c0384b5273a8440b46e41bb54c25f52a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/201378/

Comments