Analysis
-
max time kernel
175s -
max time network
275s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
04-10-2023 08:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ss29.exe
Resource
win7-20230831-en
4 signatures
300 seconds
General
-
Target
ss29.exe
-
Size
416KB
-
MD5
b72c1dbf8fec4961378a5a369cfa7ee4
-
SHA1
47193a3fc3cc9c24c603fa25aa92ca19f1e29a4e
-
SHA256
f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28
-
SHA512
b8f63bd1deb9cbe7d47b3130575792e03d53b7d31fa65c99fdf640f786226d1747d3a556a1f30df03a7973331277e221206c65a22c9d2d4d49ee34dfda1a5f10
-
SSDEEP
6144:syUa7AQnwciHMc4oiT4MKBz3I8JWGxerEhgVIXFM:sf4wcAQVrKi61erLIX
Malware Config
Extracted
Family
fabookie
C2
http://app.nnnaajjjgc.com/check/safe
Signatures
-
Detect Fabookie payload 2 IoCs
resource yara_rule behavioral2/memory/4696-10-0x0000000003240000-0x0000000003371000-memory.dmp family_fabookie behavioral2/memory/4696-13-0x0000000003240000-0x0000000003371000-memory.dmp family_fabookie -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 2032 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ss29.exe"C:\Users\Admin\AppData\Local\Temp\ss29.exe"1⤵PID:4696
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:392
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032