fabookie

General

Target

00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
Size

4.0MB
Sample

221015-y7a5vagbcl
MD5

4f1cc6351c88f208864d2766ef6728c8
SHA1

6c265fe67fd1a6a3a7352a62ecaa87f3a965f359
SHA256

00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
SHA512

cd78dc775f9125f6ec3284bd41d579cd68a9c7feb845b94cd6675dcdff0a72a79374fef8843d2534039a6edeb5c94df9d28235b5d791ba5ca04fe816b102e5f1
SSDEEP

98304:Ubui1zD6VopUOHzoizE4vXsvk3upL/ekyZ9prWt/:USi96V1S7ooXsvkuL+jxY

Score

10^/10

Malware Config

Extracted

Family

ffdroider

C2

http://101.36.107.74

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

raccoon

Botnet

ce21570f8b07f4e68bfb7f44917635b1

C2

http://135.148.104.11/

http://77.73.133.7/

rc4.plain

Targets

- Target
  
  00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
- Size
  
  4.0MB
- MD5
  
  4f1cc6351c88f208864d2766ef6728c8
- SHA1
  
  6c265fe67fd1a6a3a7352a62ecaa87f3a965f359
- SHA256
  
  00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
- SHA512
  
  cd78dc775f9125f6ec3284bd41d579cd68a9c7feb845b94cd6675dcdff0a72a79374fef8843d2534039a6edeb5c94df9d28235b5d791ba5ca04fe816b102e5f1
- SSDEEP
  
  98304:Ubui1zD6VopUOHzoizE4vXsvk3upL/ekyZ9prWt/:USi96V1S7ooXsvkuL+jxY
Score

10^/10

fabookie ffdroider onlylogger privateloader raccoon smokeloader socelars ce21570f8b07f4e68bfb7f44917635b1 backdoor discovery evasion loader persistence spyware stealer trojan upx vmprotect
- Detect Fabookie payload
- Detects Smokeloader packer
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Nirsoft
- OnlyLogger payload
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2