fabookie

General

Target

3aa3919af2e858ed404c963bb19ed248
Size

8.6MB
Sample

231231-v3nnladhb6
MD5

3aa3919af2e858ed404c963bb19ed248
SHA1

f7751ed5bbbbf0805cb97f1b0f8736d531741ad9
SHA256

b5f88e34db4bb65da8c21982590b67922fe32e62e7cfaae9fbe417a4262aa143
SHA512

a80d6c09b9afae8141d6df82e4b60cdffc94f251af93a934abe55ae78ac1b38be8410b31e941f8423480d90735a0962c6fbccc7fcecae210392606291ec3b7dc
SSDEEP

196608:UdE5aRW4cuxHd/Q51nOAlfkvXhseFMYUOx4ELSLe:aE5anz/QuAlq6DVM8e

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Targets

- Target
  
  3aa3919af2e858ed404c963bb19ed248
- Size
  
  8.6MB
- MD5
  
  3aa3919af2e858ed404c963bb19ed248
- SHA1
  
  f7751ed5bbbbf0805cb97f1b0f8736d531741ad9
- SHA256
  
  b5f88e34db4bb65da8c21982590b67922fe32e62e7cfaae9fbe417a4262aa143
- SHA512
  
  a80d6c09b9afae8141d6df82e4b60cdffc94f251af93a934abe55ae78ac1b38be8410b31e941f8423480d90735a0962c6fbccc7fcecae210392606291ec3b7dc
- SSDEEP
  
  196608:UdE5aRW4cuxHd/Q51nOAlfkvXhseFMYUOx4ELSLe:aE5anz/QuAlq6DVM8e
Score

10^/10

fabookie ffdroider privateloader risepro smokeloader socelars pub2 backdoor evasion loader persistence spyware stealer trojan upx vmprotect
- Detect Fabookie payload
- FFDroider
  Stealer targeting social media platform users first seen in April 2022.
  stealer ffdroider
- FFDroider payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Modifies boot configuration data using bcdedit
- Nirsoft
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2