fabookie | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829.exe
Size

933KB
MD5

6e45986a505bed78232a8867b5860ea6
SHA1

51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256

c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512

d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde
SSDEEP

12288:K72HTp/D0DpEE3M51qvii3mmm6AV5Cqylkg5ZQnXlV5Za5Za5Zj:GA4JM5kRhAVdcpmt44F

Score

10^/10

fabookie spyware stealer

Malware Config

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/1116-10-0x0000000002D00000-0x0000000002E31000-memory.dmp	family_fabookie
behavioral1/memory/1116-13-0x0000000002D00000-0x0000000002E31000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3384	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829.exe
"C:\Users\Admin\AppData\Local\Temp\c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829.exe"
1⤵
PID:1116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-0-0x00007FF76DCA0000-0x00007FF76DD8C000-memory.dmp

Filesize
944KB

Download
memory/1116-9-0x0000000002B80000-0x0000000002CF1000-memory.dmp

Filesize
1.4MB

Download
memory/1116-10-0x0000000002D00000-0x0000000002E31000-memory.dmp

Filesize
1.2MB

Download
memory/1116-13-0x0000000002D00000-0x0000000002E31000-memory.dmp

Filesize
1.2MB

Download
memory/3384-14-0x0000028442C40000-0x0000028442C50000-memory.dmp

Filesize
64KB

Download
memory/3384-30-0x0000028442D40000-0x0000028442D50000-memory.dmp

Filesize
64KB

Download
memory/3384-46-0x000002844B040000-0x000002844B041000-memory.dmp

Filesize
4KB

Download
memory/3384-48-0x000002844B070000-0x000002844B071000-memory.dmp

Filesize
4KB

Download
memory/3384-49-0x000002844B070000-0x000002844B071000-memory.dmp

Filesize
4KB

Download
memory/3384-50-0x000002844B180000-0x000002844B181000-memory.dmp

Filesize
4KB

Download