Malware Analysis Report

2025-01-02 09:19

Sample ID 231006-cna5vagf6s
Target mkpub_part_g.zip
SHA256 eb25522b7a2bcab8b44846ec951e80e308d32bb166bf01d06ed05c34b51db68a
Tags
healer dropper evasion trojan redline infostealer fabookie spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb25522b7a2bcab8b44846ec951e80e308d32bb166bf01d06ed05c34b51db68a

Threat Level: Known bad

The file mkpub_part_g.zip was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion trojan redline infostealer fabookie spyware stealer

RedLine

Healer family

Detect Fabookie payload

Fabookie

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

Windows security modification

Reads user/profile data of web browsers

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-06 02:12

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer family

healer

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-06 02:12

Reported

2023-10-06 02:15

Platform

win7-20230831-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe

"C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe"

Network

N/A

Files

memory/2404-0-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

memory/2404-1-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

memory/2404-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

memory/2404-3-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-06 02:12

Reported

2023-10-06 02:15

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb1a060a2f31ff324b171aa329f0302493bf6d8a573c1142f03b7267fb2a362d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eb1a060a2f31ff324b171aa329f0302493bf6d8a573c1142f03b7267fb2a362d.exe

"C:\Users\Admin\AppData\Local\Temp\eb1a060a2f31ff324b171aa329f0302493bf6d8a573c1142f03b7267fb2a362d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 74.121.18.2.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp
MD 176.123.9.142:37637 tcp

Files

memory/4440-1-0x0000000000400000-0x0000000000467000-memory.dmp

memory/4440-0-0x00000000007F0000-0x000000000084A000-memory.dmp

memory/4440-5-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4440-6-0x0000000007080000-0x0000000007624000-memory.dmp

memory/4440-7-0x0000000007630000-0x00000000076C2000-memory.dmp

memory/4440-8-0x0000000007750000-0x0000000007760000-memory.dmp

memory/4440-9-0x0000000007720000-0x000000000772A000-memory.dmp

memory/4440-10-0x0000000007F70000-0x0000000008588000-memory.dmp

memory/4440-11-0x00000000078E0000-0x00000000078F2000-memory.dmp

memory/4440-12-0x0000000007950000-0x0000000007A5A000-memory.dmp

memory/4440-13-0x0000000007900000-0x000000000793C000-memory.dmp

memory/4440-14-0x0000000007AA0000-0x0000000007AEC000-memory.dmp

memory/4440-15-0x0000000000400000-0x0000000000467000-memory.dmp

memory/4440-16-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4440-17-0x0000000007750000-0x0000000007760000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-06 02:12

Reported

2023-10-06 02:15

Platform

win7-20230831-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6086904aa3c47a04f9651cad2d2d4be3d50ae93b4bbc5b5b7bd63dc86eb2ec6.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6086904aa3c47a04f9651cad2d2d4be3d50ae93b4bbc5b5b7bd63dc86eb2ec6.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-06 02:12

Reported

2023-10-06 02:15

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6086904aa3c47a04f9651cad2d2d4be3d50ae93b4bbc5b5b7bd63dc86eb2ec6.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6086904aa3c47a04f9651cad2d2d4be3d50ae93b4bbc5b5b7bd63dc86eb2ec6.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-06 02:12

Reported

2023-10-06 02:15

Platform

win10v2004-20230915-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe

"C:\Users\Admin\AppData\Local\Temp\e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/1240-0-0x00000000002F0000-0x00000000002FA000-memory.dmp

memory/1240-1-0x00007FFE45EB0000-0x00007FFE46971000-memory.dmp

memory/1240-3-0x00007FFE45EB0000-0x00007FFE46971000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-06 02:12

Reported

2023-10-06 02:12

Platform

win7-20230831-en

Max time kernel

0s

Max time network

2s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-06 02:12

Reported

2023-10-06 02:15

Platform

win7-20230831-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Reads user/profile data of web browsers

spyware stealer

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe

"C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp

Files

memory/2144-0-0x00000000FFF10000-0x00000000FFF7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4A3C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar4BB5.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e80ea213b8d07ae1892beaa5a3cdba68
SHA1 a94adba06205d80c7b9481ec60f8ac75fa53117e
SHA256 30647f850d47086dbb0d32dd51651467891d8c0dc06574e5d6c2d6ec1664d352
SHA512 95161f3d1c42738d76ba87eb3678e2f9bab7a3da2308ec36dc64c10dc003bb8109477760314922abbfd81b0ef14f755e64496803164db11ecd17189b51c7e502

memory/2144-81-0x00000000031C0000-0x00000000032F1000-memory.dmp

memory/2144-80-0x0000000003040000-0x00000000031B1000-memory.dmp

memory/2144-84-0x00000000031C0000-0x00000000032F1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-10-06 02:12

Reported

2023-10-06 02:15

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Reads user/profile data of web browsers

spyware stealer

Processes

C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe

"C:\Users\Admin\AppData\Local\Temp\f6147edac0f3bf98bf8360176358fe4b4eeeca097325a501dcd32916b60fbe28.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/4508-0-0x00007FF60F690000-0x00007FF60F6FA000-memory.dmp

memory/4508-9-0x0000000003950000-0x0000000003AC1000-memory.dmp

memory/4508-10-0x0000000003AD0000-0x0000000003C01000-memory.dmp

memory/4508-13-0x0000000003AD0000-0x0000000003C01000-memory.dmp