fabookie

General

Target

7605052bbfa914b26d5cc12427c147b38965a836c8dbe59bf0e032dfb0b57891
Size

4.0MB
Sample

221028-tak7bsgecm
MD5

d2b3d51c1fe8072e70c1067a4856ceed
SHA1

a1e76eaacdedd1806784d5af8e32198717a60ddd
SHA256

7605052bbfa914b26d5cc12427c147b38965a836c8dbe59bf0e032dfb0b57891
SHA512

96a37fb0af3b60033816d24fcbd6330b393ec4b398411fa90437acd256129c0fbdc75afb4fd5b8fd7a8ea5aa8150ae157ca6f0e045c5c7fac20913ce426bf727
SSDEEP

98304:xjXxj+HYnb8BZ1jMwu3lMz2dU3YNTAf5HgCvLUBsK05:xjXxj+HYQBZ1jMwQs26YY59LUCK0

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://razino.xyz/

Extracted

Family

redline

Botnet

DomAni

C2

ergerr3.top:80

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  7605052bbfa914b26d5cc12427c147b38965a836c8dbe59bf0e032dfb0b57891
- Size
  
  4.0MB
- MD5
  
  d2b3d51c1fe8072e70c1067a4856ceed
- SHA1
  
  a1e76eaacdedd1806784d5af8e32198717a60ddd
- SHA256
  
  7605052bbfa914b26d5cc12427c147b38965a836c8dbe59bf0e032dfb0b57891
- SHA512
  
  96a37fb0af3b60033816d24fcbd6330b393ec4b398411fa90437acd256129c0fbdc75afb4fd5b8fd7a8ea5aa8150ae157ca6f0e045c5c7fac20913ce426bf727
- SSDEEP
  
  98304:xjXxj+HYnb8BZ1jMwu3lMz2dU3YNTAf5HgCvLUBsK05:xjXxj+HYQBZ1jMwQs26YY59LUCK0
Score

10^/10

fabookie nullmixer privateloader redline tofsee domani aspackv2 dropper evasion infostealer loader persistence spyware stealer trojan upx
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Nirsoft
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2