fabookie

General

Target

99a5a29c95597fef93d118f82cc445b3.bin
Size

3.2MB
Sample

230123-sk2fmadh24
MD5

227e7d2e263b479cfcb6b01482024321
SHA1

96907cedafb5faa53ae0d8a74b060926f32dfcbe
SHA256

eb3ef143c3bd7e1a853f20e97c5bed051ad1ee328114d135385116e2bf7340e3
SHA512

4a317d5c981f4d06fc1005c4b10ae42f83d5b92e2658f6d50141515e60780f19e40b595fed832048f8789ae983d2b21e64f455a61c0f52986cacef2a85f2f00a
SSDEEP

98304:SUIbGRV09/aE/03PjvSYX5n9JJ5NF7hJJ6cmtc:h30CPjvSY71Fkc

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://sokiran.xyz/

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Targets

- Target
  
  20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020.exe
- Size
  
  3.2MB
- MD5
  
  99a5a29c95597fef93d118f82cc445b3
- SHA1
  
  5824b137ecf83e2bcf517dbdbbfa1574f706babe
- SHA256
  
  20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
- SHA512
  
  65bd2f2f882916d3358d276dcb325215a7df0512bd77d7637d35800ff80f1f403d29b9ee31f2784c7a75ccf51045fb265f0540d67e755aa1c12c65084e8878c2
- SSDEEP
  
  98304:JpZ8EIo0stDjwrDZfmOuqNmdv2fOtvKqee6kFoaD:JpPDttDM3Znuq6veCvmQ
Score

10^/10

fabookie nullmixer privateloader smokeloader vidar 933 aspackv2 backdoor dropper evasion loader persistence spyware stealer trojan upx
- Detect Fabookie payload
- Detects Smokeloader packer
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Nirsoft
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2