fabookie

General

Target

9c5189de10d6653f34267d07ed20627613b45bc07b17c79d2282c8b3a2bfed9d
Size

239KB
Sample

230924-anyvsscg59
MD5

ec441134185c227cc280e8255f4a2f91
SHA1

363c4abed968382f41c8e0028594a861105a1717
SHA256

9c5189de10d6653f34267d07ed20627613b45bc07b17c79d2282c8b3a2bfed9d
SHA512

9486a32c844c526215664a0cf3791c5df404475a5857f7c0a416f8c01c0751f748232aed201a7de4f8d5d30ac4719015a7b09152b595a2319576630007ae9a7c
SSDEEP

6144:2k46fuYXChoQTjlFgLuCY1dRuAOgcrwv+Xzkw8y0:2tYzXChdTbv1bulfXAw8y

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

fabookie

C2

http://app.nnnaajjjgc.com/check/safe

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  9c5189de10d6653f34267d07ed20627613b45bc07b17c79d2282c8b3a2bfed9d
- Size
  
  239KB
- MD5
  
  ec441134185c227cc280e8255f4a2f91
- SHA1
  
  363c4abed968382f41c8e0028594a861105a1717
- SHA256
  
  9c5189de10d6653f34267d07ed20627613b45bc07b17c79d2282c8b3a2bfed9d
- SHA512
  
  9486a32c844c526215664a0cf3791c5df404475a5857f7c0a416f8c01c0751f748232aed201a7de4f8d5d30ac4719015a7b09152b595a2319576630007ae9a7c
- SSDEEP
  
  6144:2k46fuYXChoQTjlFgLuCY1dRuAOgcrwv+Xzkw8y0:2tYzXChdTbv1bulfXAw8y
Score

10^/10

fabookie glupteba phobos redline rhadamanthys smokeloader xmrig up3 backdoor collection discovery dropper infostealer loader miner ransomware spyware stealer trojan
- Detect Fabookie payload
- Detect rhadamanthys stealer shellcode
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
  ransomware phobos
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1