General
-
Target
FB4252931D238ACD353BE695360F6B6C1A2CC1289B730.exe
-
Size
13.9MB
-
Sample
221018-vxj38agee4
-
MD5
72a01582db3154bd8f955754c3629cce
-
SHA1
b46112b47da52af0d239eef19bf0562b99616563
-
SHA256
fb4252931d238acd353be695360f6b6c1a2cc1289b730230842749e06d1d6605
-
SHA512
4784578a0256b703c176035284b0271f067f82ed8445f96a4f3d4b64fc93b5558fa331136fdabecf44b0072133b04b9e0c77b37aa09b00cee84109499945ba3c
-
SSDEEP
393216:am+hQgUbPbhmblpwD3yjgxJwZt3w8p4XMeJQ:am+hubWlKyjgxGr3w8p48eJQ
Static task
static1
Behavioral task
behavioral1
Sample
FB4252931D238ACD353BE695360F6B6C1A2CC1289B730.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
FB4252931D238ACD353BE695360F6B6C1A2CC1289B730.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
socelars
https://dhner.s3.ap-southeast-2.amazonaws.com/eyxjet/
Extracted
ffdroider
http://186.2.171.17
Targets
-
-
Target
FB4252931D238ACD353BE695360F6B6C1A2CC1289B730.exe
-
Size
13.9MB
-
MD5
72a01582db3154bd8f955754c3629cce
-
SHA1
b46112b47da52af0d239eef19bf0562b99616563
-
SHA256
fb4252931d238acd353be695360f6b6c1a2cc1289b730230842749e06d1d6605
-
SHA512
4784578a0256b703c176035284b0271f067f82ed8445f96a4f3d4b64fc93b5558fa331136fdabecf44b0072133b04b9e0c77b37aa09b00cee84109499945ba3c
-
SSDEEP
393216:am+hQgUbPbhmblpwD3yjgxJwZt3w8p4XMeJQ:am+hubWlKyjgxGr3w8p48eJQ
-
Detect Fabookie payload
-
Detects LgoogLoader payload
-
FFDroider payload
-
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Modifies security service
-
Socelars payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
OnlyLogger payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-