MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f264683bedd5dd7ace56e8c86084c2e7212251eb10b59108b8c70355ec1b25d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Fabookie

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	f264683bedd5dd7ace56e8c86084c2e7212251eb10b59108b8c70355ec1b25d5
SHA3-384 hash:	da979419adeeb425595f6d213ae382c618c20443f63870a0eff9becb91c4a3711fb8ddd1d97fd1f2b1dfbb6b18a22553
SHA1 hash:	8306d4b03670a01e532a37aabeef6715935bab67
MD5 hash:	2b4e0d4daa3ecc8b845e9d5d625da1c5
humanhash:	harry-lima-maryland-cup
File name:	file
Download:	download sample
Signature	Fabookie Create hunting rule
File size:	3'653'632 bytes
First seen:	2022-12-02 06:41:21 UTC
Last seen:	2022-12-04 05:03:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8d939a9f08b2e4af619c3a0048b8a3d2 (4 x Fabookie)
ssdeep	49152:d3v3etbJrCo2P0z+L8f0Rkg9JtX6H832ssGu8+aonkItKVnCuZFQrx41Cas0+gmb:d3vWd2PwQ3i8mszMhEnXNCaw5mbk
Threatray	3'406 similar samples on MalwareBazaar
TLSH	T10D0612E961883B1CC02B84749033ED15F1B6275E0EF5D5A977DBBE90BBBB411E602B09
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	andretavare5
Tags:	exe Fabookie

andretavare5

Sample downloaded from http://aaa.hfaiuegii.com/files/pe/uegg1115.exe

Intelligence

File Origin

# of uploads :

1'052

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-12-02 06:44:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6eef6dec-25ac-4b04-9201-4d5fb5928e4a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/341761/

Detection(s):

SecuriteInfo.com.Win64.TrojanX-gen.30062.21606.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63899e3bfa645277f503790a/reports/eb7113cc-4f23-4990-b898-9ac602d1b005/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c1dee838-251f-45c9-8e49-b26d2f3dd158

Result

Threat name:

Fabookie

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1126309

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected VMProtect packer

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Fabookie

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f264683bedd5dd7ace56e8c86084c2e7212251eb10b59108b8c70355ec1b25d5/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2022-12-02 06:42:15 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6jsgqo7n2xoxvtsw5degbbgc44qseuplcc2zccfyy4bvl3a3exkq._file

Verdict:

suspicious

Fabookie

47700e0d714e9888a6590932c590cb5a419d71be8627f7b36c83be99ce709feb

Fabookie

7b18e05af4305a338b57afa4b7cbfd137f080ea422450807c7d05c74f03b4b35

Fabookie

86890f5d0dc15d61b23cef3a33334a22fd11a729d8831f3eb9d8b54ffb48fa98

Fabookie

adc91b86359875df0149a283a6dbf6c11a9d6e4fd494c1340f20b3324571bdda

Fabookie

b4a097aa4615d71334ebd864b40dda58c72120ff15dde50aaabeb1fd15674779

Fabookie

b9cf0803f96192ddedb108f44970a554985d5bad0577b297da4c7ddae730eff7

Fabookie

c5d12c33011196ad0c414a2abf791b5f3d33c94b7aa1fc68de097ffb77519aff

Fabookie

d3b87ec103a87ec23a322592a754d114500a0863d7536dc4b105d2671ac453be

Fabookie

e2ad80fc97e02a207df083a6ed19776397bc7024456f1b3a6effdf2d13ac3284

Fabookie

+ 3'396 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

vmprotect

Link:

https://tria.ge/reports/221202-hgdkaafe4s/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

VMProtect packed file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/acde2520-f0ae-4c0b-b6d0-b1917a347291

Unpacked files

SH256 hash:

f264683bedd5dd7ace56e8c86084c2e7212251eb10b59108b8c70355ec1b25d5

MD5 hash:

2b4e0d4daa3ecc8b845e9d5d625da1c5

SHA1 hash:

8306d4b03670a01e532a37aabeef6715935bab67

Link:

https://www.unpac.me/results/5f533990-b58b-4c01-8794-a4e07a2d8ab4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f264683bedd5dd7ace56e8c86084c2e7212251eb10b59108b8c70355ec1b25d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/341761/

URLhaus

https://urlhaus.abuse.ch/url/2435595/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample