fabookie

General

Target

226d50ee865fa31dd5780b59955d0cc08de81d9694d855ebf1b8094523cd60ea
Size

239KB
Sample

230923-2k2aasce26
MD5

a5c24e1fbbf0a3307cc4556b91bd3072
SHA1

51502750e32a5f919db4ccb2aeda21674ae1a599
SHA256

226d50ee865fa31dd5780b59955d0cc08de81d9694d855ebf1b8094523cd60ea
SHA512

783d3332c3915d77fb9074be45689857778f9e6250ff3d3d9f070ebde15d2a0a13e5821e9ef150bdac948684f4124d2aeca8f3cd73bcb948485c304d617843de
SSDEEP

6144:3H46fuYXChoQTjlFgLuCY1dRuAOBpHFw8y0:3YYzXChdTbv1bu3w8y

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Targets

- Target
  
  226d50ee865fa31dd5780b59955d0cc08de81d9694d855ebf1b8094523cd60ea
- Size
  
  239KB
- MD5
  
  a5c24e1fbbf0a3307cc4556b91bd3072
- SHA1
  
  51502750e32a5f919db4ccb2aeda21674ae1a599
- SHA256
  
  226d50ee865fa31dd5780b59955d0cc08de81d9694d855ebf1b8094523cd60ea
- SHA512
  
  783d3332c3915d77fb9074be45689857778f9e6250ff3d3d9f070ebde15d2a0a13e5821e9ef150bdac948684f4124d2aeca8f3cd73bcb948485c304d617843de
- SSDEEP
  
  6144:3H46fuYXChoQTjlFgLuCY1dRuAOBpHFw8y0:3YYzXChdTbv1bu3w8y
Score

10^/10

fabookie phobos redline rhadamanthys smokeloader backdoor google collection discovery evasion infostealer persistence phishing ransomware spyware stealer trojan
- Detect Fabookie payload
- Detect rhadamanthys stealer shellcode
- Detected google phishing page
  phishing google
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (89) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1