Malware Analysis Report

2025-01-02 08:37

Sample ID 231005-bxyf3ahh83
Target 5136979ad908c1b6e82a04b2f5faa81b.bin
SHA256 4f3cbe4c3ce4e122ef17e7eda360bdd95197b82b01806bd5166bebf81dfdb04e
Tags
fabookie
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f3cbe4c3ce4e122ef17e7eda360bdd95197b82b01806bd5166bebf81dfdb04e

Threat Level: Known bad

The file 5136979ad908c1b6e82a04b2f5faa81b.bin was found to be: Known bad.

Malicious Activity Summary

fabookie

Fabookie family

Detect Fabookie payload

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-05 01:32

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie family

fabookie

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 01:32

Reported

2023-10-05 01:34

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5136979ad908c1b6e82a04b2f5faa81b.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5136979ad908c1b6e82a04b2f5faa81b.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 01:32

Reported

2023-10-05 01:34

Platform

win7-20230831-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5136979ad908c1b6e82a04b2f5faa81b.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 2960 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2560 wrote to memory of 2960 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2560 wrote to memory of 2960 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5136979ad908c1b6e82a04b2f5faa81b.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2560 -s 56

Network

N/A

Files

N/A