fabookie

General

Target

8112256287.zip
Size

6.9MB
Sample

221006-vcmnlsacbn
MD5

3958270b83df031e0f613706aa4e47a3
SHA1

231ee45dc43aeb485bb98b31b9ab6ec11e0e3048
SHA256

9edfef6c1ed7118ef956b76ff3f0aceb5c02a09426a5021c081b28006cf41483
SHA512

93c92231dfa3ed007d7f3e27a5eb13cb53e8a9b5451f52a3c3867d70f503a85441067ba2286157bbe8011008c89f554b37a7cc220ad98399d0c849b55944afaf
SSDEEP

196608:hU9Lpd4xQ58ZRM5566k0MvwblXv6Jt6rhEb1VCi:G5uMv6R4bFv66rKt

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://6200bfed86779.com/

Extracted

Family

socelars

C2

http://www.tpyyf.com/

Extracted

Family

redline

Botnet

media456

C2

92.255.57.154:11841

Attributes

auth_value
906873f675bba110beff1a1b9e7e63ea

Targets

- Target
  
  000799dea0cea46bda4614657a800408dd3448056800e03c9ff9c5aeb8797ea2
- Size
  
  6.9MB
- MD5
  
  6d024fe9cc04a9ba49ae7be9f2b2c556
- SHA1
  
  77538e5b08b0af662e65a9b5292e53a50681a768
- SHA256
  
  000799dea0cea46bda4614657a800408dd3448056800e03c9ff9c5aeb8797ea2
- SHA512
  
  08dafd126306a6682cda2afbc0240c901f9bf15b9b891fed0ddf9b0b07b9a05e26968aea4a0f382b2f3ec8a21c237bcd1b77c97074705182d1c7a9bda664637e
- SSDEEP
  
  196608:J+5wkZ9vmoHJTJGI7hu5V3DcXOTAFI9CE:J8yoH9MVTsz4CE
Score

10^/10

fabookie nullmixer onlylogger redline smokeloader socelars media456 aspackv2 backdoor discovery dropper infostealer loader persistence spyware stealer trojan upx
- Detect Fabookie payload
- Detects Smokeloader packer
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- OnlyLogger payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2