Extracted

• • Target

    tmp

  • Size

    6.6MB

  • MD5

    0cac858764ebbec083494171646d8ca0

  • SHA1

    5ac15584853da1168e137564b8011beecd67f113

  • SHA256

    886f06675a3f75b987efb924796ce9f79f06c4b4cd0cd605936d973fb259b1e5

  • SHA512

    dc271bc3bec277fedff4fc31e858e70867bedcb05c123d5043622deb822010036ffa5b47f7dfee4380f94884fba6f998edc733653b8b3f964d99d02d75d9f849

  • SSDEEP

    196608:hAxVkOe3XMLW4/olI3QVlYPedMSa1wftbE/m8/S9h:hi25CAeQV/+0t8/Sb

  Score

  10^/10

  fabookiegluptebastealcdiscoverydropperevasionloaderpersistencespywarestealertrojan

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Windows security bypass

    evasiontrojan

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops file in System32 directory

  behavioral1behavioral2