fabookie | 7da786b32ec861208fc6a01b94d4eee4867b26dabfe214b66c9009b2f0222050

Analysis

max time kernel
0s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb545037ab489bdbe428559235a61cee.exe
Size

4.6MB
MD5

fb545037ab489bdbe428559235a61cee
SHA1

74b0dccbaaa27d7acc64427be1dee07269d0c71c
SHA256

7da786b32ec861208fc6a01b94d4eee4867b26dabfe214b66c9009b2f0222050
SHA512

14329cf8f45e65c107356c318aa19c334938863dcbb15df25b4218e6e32461afc0a1d0d9118a483db281824103e681e725820321347cd62c42dede0055c6b76f
SSDEEP

98304:3GA0UBXf1laFPEoSmXMAgpe48eDQZNkMOvr/juAS5i2zNsO:2A1fraU2ueZecTkMOD/juAS/Ns

Score

10^/10

fabookie glupteba dropper evasion loader spyware stealer

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/1644-270-0x0000000003BA0000-0x0000000003CD1000-memory.dmp	family_fabookie
behavioral1/memory/1644-275-0x0000000003BA0000-0x0000000003CD1000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

resource	yara_rule
behavioral1/memory/2372-22-0x00000000029C0000-0x00000000032AB000-memory.dmp	family_glupteba
behavioral1/memory/2372-23-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2372-39-0x00000000029C0000-0x00000000032AB000-memory.dmp	family_glupteba
behavioral1/memory/2372-36-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1268-171-0x0000000002C20000-0x000000000350B000-memory.dmp	family_glupteba
behavioral1/memory/1268-172-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1268-182-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/380-186-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/380-263-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/380-265-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/380-266-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/380-276-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2860	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2372	31839b57a4f11171d6abc8bbc4451ee4.exe
1644	rty25.exe

Loads dropped DLL 3 IoCs

pid	Process
2224	fb545037ab489bdbe428559235a61cee.exe
2224	fb545037ab489bdbe428559235a61cee.exe
2224	fb545037ab489bdbe428559235a61cee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2120	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2372	2224	fb545037ab489bdbe428559235a61cee.exe	29
PID 2224 wrote to memory of 2372	2224	fb545037ab489bdbe428559235a61cee.exe	29
PID 2224 wrote to memory of 2372	2224	fb545037ab489bdbe428559235a61cee.exe	29
PID 2224 wrote to memory of 2372	2224	fb545037ab489bdbe428559235a61cee.exe	29
PID 2224 wrote to memory of 1644	2224	fb545037ab489bdbe428559235a61cee.exe	28
PID 2224 wrote to memory of 1644	2224	fb545037ab489bdbe428559235a61cee.exe	28
PID 2224 wrote to memory of 1644	2224	fb545037ab489bdbe428559235a61cee.exe	28
PID 2224 wrote to memory of 1644	2224	fb545037ab489bdbe428559235a61cee.exe	28

C:\Users\Admin\AppData\Local\Temp\fb545037ab489bdbe428559235a61cee.exe
"C:\Users\Admin\AppData\Local\Temp\fb545037ab489bdbe428559235a61cee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\rty25.exe
  "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:1268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:2164
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2860
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:380
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        
        PID:732
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:3044
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:2044

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240112132714.log C:\Windows\Logs\CBS\CbsPersist_20240112132714.cab
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
416KB

MD5
ca71676c2cdb68ef178bf28f8d3488d7

SHA1
e7dfe46a2cf882f346b4a9e37c162230de781950

SHA256
a99856cd9fc1a6cb012f8e3b3470e454b11a3d445fb6848c148cab5760c2a0bd

SHA512
83177d1feec8c9abd2abdd2e411f3b1595edf881837ffe7641d90d032cadb6601521c82d13693182efbeee8b67d2d7985b6fabd5c78471cb4d6dc4c85b54dd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
124KB

MD5
8a6d24594b746abb4555ca24baefa705

SHA1
69c6f28fbbb41fb533ea21a0b415fbd5f7588bf3

SHA256
631ac2ec76d965fdb369b9bb4acc414e098b038bb51f03b5b2228ace21b763ee

SHA512
f825ea2a10c1e01d8446ec3d7dd2851f893b2c15f9f5920278adc261126e3ecfccf0c09ced7b857f9be55812ba8de8c3368a1d94fedc0e6bd757073c91a68fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
1.1MB

MD5
9b4ddce8d52d50b3d7495dba5b22d351

SHA1
517148997d9a7eb7df5b490dbb3242dc422f1ee1

SHA256
74978fa2bc396c34cfbccbb323e46d4ceff844220c999f2eaf2e7adc3784b406

SHA512
b459f68308d8d539817822f73cc75010becd7c1e99f43533a8582e1f5b68ecc937fe9f786ac5902f02ce4c667b3db24ac78d53f06eebc32d420739d31df2c5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
381KB

MD5
e0b1a57e4ee4f54d42ec13061d8bc923

SHA1
e7a8bd35c0bdada2b825700e5868f3aea5322270

SHA256
a1d4e57d8ebd968138a8a7dd12501d4cd861a0d7d1a9255995fc2793820e6a8e

SHA512
693783692a68066bf3b0ef618c90c16caef6acec86941616d7dcbfe16dfe44ba8bca191b9b719ba3eda12d875fefb73d9f6aabc1f4433760838da6b8fa286998

Download Submit
C:\Windows\rss\csrss.exe

Filesize
15KB

MD5
5cbffa6ed29f822b381fb7bb5c23123c

SHA1
c5c017f34cad3af7562a165909e4f01d7cab181c

SHA256
6c50bad3c1329f69ba13809ed4156728199bffc232eeee13ba2f5ce307158bc2

SHA512
190043b7cfea02ff7fc5d6ab25e8964e2e8dd41487202ce4a637a8b519c7a1ffe4381e6eebae033eda456ff376c19b55569d8c2c035ea24df7f0911fee28d37c

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
601KB

MD5
89ed5f19e09d77ab37c48d9496b4e694

SHA1
3d4178ed232ce9e928cac58d380a7ac784bd4d8b

SHA256
0222fe98fa774adde524ab0125e04a81401cf64bd7803243f37eb8c637feedcf

SHA512
b7878db3c70f0a9c2eeecbc127bab4d62f1e51ac62c67a490523ee6ae2112442cd2ab1baa793fd97f9515ab3188db4eaa24c082327e2d7fd382c9c025a92ae89

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
681KB

MD5
ce363bea555b16784ab7ab660d38d746

SHA1
45ddf8b6e1774bba4b4b4f112d656caee28fb110

SHA256
490756952ef867f3ab7f83d555cae1cd1f8c5048ebf73025156eaa2f07f8baaf

SHA512
0ff2aa8f0c72d42246d059de697deb341cd694fc4c025552c743e2e9c4529383d7bf2c1b94c3177f1996b394ac7e36b9f0e5012807dca79d3319c2cccf0d9e39

Download Submit
\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
124KB

MD5
6520df86fa8cbbdef3c35e0e4fee8c14

SHA1
0dc588e35a930bcb3241021d97b5fb6df82f7a23

SHA256
10135bef35561c8e038f11fd7e173c7e075c5654a87edfb233b40df222efd296

SHA512
7be687d0c560a396ab9dc3ab84efc3d9df1ae930517115ac68a323fbcef0a4a28115b095af1c5c02b1e5e80f305fc9702e27e2e0a4e6f687d5b5d3ebda62e328

Download Submit
memory/380-276-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-283-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-279-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-278-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-277-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-281-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-265-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-266-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-264-0x0000000002570000-0x0000000002968000-memory.dmp

Filesize
4.0MB

Download
memory/380-263-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-280-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-186-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/380-181-0x0000000002570000-0x0000000002968000-memory.dmp

Filesize
4.0MB

Download
memory/380-184-0x0000000002570000-0x0000000002968000-memory.dmp

Filesize
4.0MB

Download
memory/380-282-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/732-196-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/732-206-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1268-183-0x0000000002820000-0x0000000002C18000-memory.dmp

Filesize
4.0MB

Download
memory/1268-182-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1268-172-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1268-171-0x0000000002C20000-0x000000000350B000-memory.dmp

Filesize
8.9MB

Download
memory/1268-170-0x0000000002820000-0x0000000002C18000-memory.dmp

Filesize
4.0MB

Download
memory/1268-37-0x0000000002820000-0x0000000002C18000-memory.dmp

Filesize
4.0MB

Download
memory/1644-269-0x0000000002EC0000-0x0000000002FCC000-memory.dmp

Filesize
1.0MB

Download
memory/1644-18-0x000000013F500000-0x000000013F56F000-memory.dmp

Filesize
444KB

Download
memory/1644-270-0x0000000003BA0000-0x0000000003CD1000-memory.dmp

Filesize
1.2MB

Download
memory/1644-275-0x0000000003BA0000-0x0000000003CD1000-memory.dmp

Filesize
1.2MB

Download
memory/2224-0-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2224-1-0x00000000009D0000-0x0000000000E7A000-memory.dmp

Filesize
4.7MB

Download
memory/2224-17-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2372-38-0x00000000025C0000-0x00000000029B8000-memory.dmp

Filesize
4.0MB

Download
memory/2372-23-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2372-22-0x00000000029C0000-0x00000000032AB000-memory.dmp

Filesize
8.9MB

Download
memory/2372-21-0x00000000025C0000-0x00000000029B8000-memory.dmp

Filesize
4.0MB

Download
memory/2372-39-0x00000000029C0000-0x00000000032AB000-memory.dmp

Filesize
8.9MB

Download
memory/2372-12-0x00000000025C0000-0x00000000029B8000-memory.dmp

Filesize
4.0MB

Download
memory/2372-36-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads