fabookie

General

Target

04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839.zip
Size

13.4MB
Sample

230223-reh7eshh41
MD5

35dc42a422a763d61cdf19cee9b5f48a
SHA1

b2f51efcd7dc3f8a10d0362890c392757596222a
SHA256

10690042b3461639b7006aeac45cda45c4461ad5b4e0edc890821e7e26f6f803
SHA512

0870d6c281b1e8f32f86e47515a923a0e40ef2504e5feb756c8b1d9d69f6b2045395225d1fc9629f88e464352f8d4770de19d91cbc420a44913f625bf85db976
SSDEEP

393216:Sm7B/v/9sSMftFD0dzOmiZbfwOx+gyOiuUB5:S8/v/yLaOmi1LypuUT

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://nassarplastic.com/wp-content/config_20.ps1

Extracted

Family

redline

Botnet

bharat

C2

77.73.134.15:43250

Attributes

auth_value
c5ff30d03db4d68f2e19663887b8c4cb

Targets

- Target
  
  04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839
- Size
  
  13.6MB
- MD5
  
  0b1677efbd5bce8a2f526817d47db0d0
- SHA1
  
  b2c894a6326de4e936041fd91297290ba418e80b
- SHA256
  
  04c1b9ea5b950307f032219d9713b44f915dff07548c14059b66993eba761839
- SHA512
  
  a9424d510e3404e74c324689eedf10bdf3eac4faf995d58ecb12bd3240d5dfc2bdf384219211853494e029021786228a0bdc3d692c9d316edbbadf7444a7f1db
- SSDEEP
  
  196608:l3y+7MIsF/TG94kw++haZt65oEsmQs7pktIaAxaWy+vMpfCfG5TkAld96eSGQ685:ZvmFlk14aZtcpdtvMgu5TkqSGQE9Rc
Score

10^/10

fabookie glupteba pseudomanuscrypt redline bharat dropper evasion infostealer loader spyware stealer vmprotect discovery persistence rootkit
- Detect Fabookie payload
- Detects PseudoManuscrypt payload
  loader
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PseudoManuscrypt
  PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
  loader pseudomanuscrypt
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Modifies boot configuration data using bcdedit
- Blocklisted process makes network request
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2