Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    5ec5b50b93521f0c90686ef036fff786

  • Size

    8.5MB

  • MD5

    5ec5b50b93521f0c90686ef036fff786

  • SHA1

    58b33e93e8108f43ed4dbd19a7720733203b0c86

  • SHA256

    41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff

  • SHA512

    59a16486ae58373746f903f14d27d7ef3cf9539915ca6af7c3de4eb2eccf8ac4897f890f0bb99f3b1dfeaf8964d9b51cb585d87f5808a893b2a86af0bf46524f

  • SSDEEP

    196608:U7E5dNysFxHZHFIuTrBdWcOzujcSYv2hFqi4Yx8ny/fXyNLSaT:YE5TpXl1T90csuZTHB4e4yKdT

  Score

  10^/10

  fabookieffdroidergluptebametasploitprivateloaderriseprosmokeloadersocelarspub2backdoordiscoverydropperevasionloaderpersistencespywarestealertrojanupxvmprotect

  • Detect Fabookie payload

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider

  • FFDroider payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Nirsoft

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2