fabookie | f63fc658063eeba3ad2b29beffc1cb7c4e2183fd838767459216533263271e30

Analysis

max time kernel
3s
max time network
3s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca92899c290d5bfedefdbeefe901d11.exe
Size

5.2MB
MD5

6ca92899c290d5bfedefdbeefe901d11
SHA1

ffb1a17bf8775ace4f97396a0a22e80a6a9fe409
SHA256

f63fc658063eeba3ad2b29beffc1cb7c4e2183fd838767459216533263271e30
SHA512

25e23d1a656e32504017e68a4de0b991dc7b8b54e85095e46ce0fcc8a93eeb02f0a40e964f71e787298522f8f52b03e6f93a31af0dc9dbeecdaa14364d487d1e
SSDEEP

98304:yYtjpSGv3/TnyVEUKwunZHyHHb0KEKIXR/M7Fg93A8Sl7B00Q7U5uK:yYtNTvUKw4ZSHHQ6IX6Ca8StC02QuK

Score

10^/10

fabookie nullmixer privateloader aspackv2 dropper loader spyware stealer

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023216-78.dat	family_fabookie
behavioral2/files/0x0006000000023216-87.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000002320f-62.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	6ca92899c290d5bfedefdbeefe901d11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4440	3412	WerFault.exe	91

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3160	5016	6ca92899c290d5bfedefdbeefe901d11.exe	88
PID 5016 wrote to memory of 3160	5016	6ca92899c290d5bfedefdbeefe901d11.exe	88
PID 5016 wrote to memory of 3160	5016	6ca92899c290d5bfedefdbeefe901d11.exe	88

C:\Users\Admin\AppData\Local\Temp\6ca92899c290d5bfedefdbeefe901d11.exe
"C:\Users\Admin\AppData\Local\Temp\6ca92899c290d5bfedefdbeefe901d11.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\setup_install.exe"
    3⤵
    PID:3412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 564
      4⤵
      Program crash
      PID:4440

C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon0230849f536.exe
Mon0230849f536.exe
1⤵
PID:1392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon025947de558e.exe
Mon025947de558e.exe
1⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon022fbe36b52bd.exe
Mon022fbe36b52bd.exe
1⤵
PID:3104
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Sfaldavano.xls
  2⤵
  PID:4664

C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02c4d42768d7.exe
Mon02c4d42768d7.exe
1⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02bee09ab5e7cf.exe
Mon02bee09ab5e7cf.exe
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3412 -ip 3412
1⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02983a8f4b8e1dbe.exe
Mon02983a8f4b8e1dbe.exe
1⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02be65150e08b99.exe
Mon02be65150e08b99.exe
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon022fbe36b52bd.exe

Filesize
285KB

MD5
6842cc859e411d98d53656840e746121

SHA1
8e84fffa349f6f27ccab06bb23714cf51dfdc50e

SHA256
1cbfc22471280b0c911fafb5fa5ba27f3012f81eec9ba1c8a5f32dd53e1efd5e

SHA512
08f08ca7fdfeed9b22444051537845a9fa69b4b748b9dc9270aa51caba120c4a59ef1a8b6f082617bbe804c328e69eb17cbccddef6498a9d303bbb95f96e672e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon022fbe36b52bd.exe

Filesize
329KB

MD5
890afadf722f1aef4d82d689b35a207e

SHA1
00f029eb8cc8b8e09a09f13e28c9a05403a505d8

SHA256
43871b4e124459185a5876a0aea3894d1fbce08d31acc0bfccb5811cc2d72ba2

SHA512
25916904af30d0b1753a10c58c75bf075f09ea617680d27e0024ed90da2b7fd7180e96e54d683c22ee58f13901b34bbb58f204fc1a31c1b210c291e480bbc19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon0230849f536.exe

Filesize
204KB

MD5
bab4956b3006de18a6268d27db0d76de

SHA1
416db4765c38133a0b9b1a081bd3f1d3a4d23ff3

SHA256
0b944b4282ecd5f6801b83d1b3dfe8fd43d72faf4c62e0814d3d3f7540ae11b9

SHA512
e02247e42a60e476b4d5bc43402d8ffab96202224a25d5381c181bdc69bea6fbf30ca06dece940f5382fa0a5821a825ce335a82f56044308f9af8f3cdb230e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon025947de558e.exe

Filesize
160KB

MD5
ffcdfa0a5ee797a6dd0d946a40552713

SHA1
994bc9de20577d8d2cf5591d080efb607477bf74

SHA256
a8752bfd0fe5f362f3ac2cdb8544fab9569a8fc779ecd0b11f71320ec91915b0

SHA512
de3b044896d720ee82b0839b3a3272f091f443d69edcaa724c71f9cab8f52032b94ef26bc20a7a815b4e62810337362fb96a09fb927a73040cea3fa7e19c4ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon0260d56d9853.exe

Filesize
33KB

MD5
32fd5d9ada5c90bc6831bfde04716a98

SHA1
6f205305b7b4af0da24ca8fa7a2b003c67797502

SHA256
cbd1464388996b5d4f66756e2aac41d05110e8c46aabca101bf36386c32791a0

SHA512
7f921b7949e461ed957f3df164aafa6689a9aea15f797e7f67cb4f03da6a7a7fa2caed86258651c8ffe5e9e8e8572db4cc00c2ec124696530eb7f5b9fda36824

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02983a8f4b8e1dbe.exe

Filesize
112KB

MD5
649e7d93e6d774eae5a7516977a1e99d

SHA1
f25923a270d57283f2bf82ba889aaa2a7fca9089

SHA256
288058d478a589eac267fb227796c1dfb8e45bf775a5aebc905d520dc491438a

SHA512
4a7614afccae405dc5de410425f40de5589dae6897bf7dc1e9bcbc2179957c25bebcbe7a490ee0f4c648d528d4b34884b2036a2a5e6dd273df250bd0003d8b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02b24a3b9593.exe

Filesize
61KB

MD5
4f8005cdb39659efd532c38d83047ce6

SHA1
54fa2442d8404e1409a19f995b6c3026cfb24352

SHA256
f7a8834cd43372004fd5d28b7668b4ac5d98ce4b5a2de0af1343d7872efabc44

SHA512
9334cb45cc4641d343aa62d6e80c8a34e93afc9c6ae1240a21d775df8faa0150311130cfc94e43f6058669ac7c4127f1d793f9af989ce009a019ab7f7f438765

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02b24a3b9593.exe

Filesize
117KB

MD5
aef6269edb1787c95fcbf2ba97d798b5

SHA1
882a34e29f133b7f2987c61e62a6ed9b340dc15f

SHA256
efe7faa534beadcf6ac71ac4752ad73ac2222e368ab8868c4f6c9a54bee7df97

SHA512
bfb3e72e98ae0f5057ebae966dbda9eafde8ee8f840af94a466cdd0c7f2a896733a7b4e95e97ddd4f25124f97ee60617c435aeb058e9cd6516ea16a413142026

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02be65150e08b99.exe

Filesize
8KB

MD5
408f2c9252ad66429a8d5401f1833db3

SHA1
3829d2d03a728ecd59b38cc189525220a60c05db

SHA256
890db580fac738971bc7c714735ff6f1f2ee31edccd7881044da3e98452af664

SHA512
d4c89dfd928023b9f4380808b27e032342d2a85963b95bbed3191cc03b455dbc6f5ffecf29828a53b1d9011b3881f1cda9d15d269a2cbcbd4be5c993bcd9643b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02bee09ab5e7cf.exe

Filesize
110KB

MD5
8eadbd9a2d95e4260480b08fe4cda013

SHA1
328159b207a65e2c9dfed5842bed93e616911b58

SHA256
698bd247fcb8effec9a95fed010e0036927ce281de9adb1e6cc2684ffadfa0ef

SHA512
5591698858763423d2164f3b5a68b15a22a170fd06f23b4e56358af05731e1308b3691096fc341937fd1acba6b279363f4d28c04de6193b1f10a79fb3077d7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02c4d42768d7.exe

Filesize
58KB

MD5
88936818f9b10d1baec00f5feae00b9f

SHA1
2182e139e200f18f93efbae87900f9b6cbe06907

SHA256
019b7691925cc9db4103635c082105d5d8e10a57c7240b838fd2e2fd67861930

SHA512
b7e74f590d67f04de63ca4a5308ace0f11d1d4074a1dee0d2c3b387ee6d81c4f9bfe5432684ebd4045a14060600ea801084e4a0df214c6348bf84b20a1161188

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\Mon02c4d42768d7.exe

Filesize
57KB

MD5
4422a384e4e1728dadbf76b3851ac5b4

SHA1
675ea59bf45573e47833fdb59c59b4934997596b

SHA256
3426af5c1a9dcba9dd6e883de6a1d88b2b083fbc813bfb508c12193acba68c67

SHA512
304df540413abf6e36651905149002e65d9717fde0680d4ef665d0d62ed5cffde4ce45a68a6afd9341eaae5dead814c0b06812db7af5a92e995076dcb8708d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\libstdc++-6.dll

Filesize
105KB

MD5
7ef84ae5df5a01b7673cb185621e2e2d

SHA1
36398c29bc68fc4e340fd64bcdf52e0219bdb961

SHA256
1754f44503d9ea5a61b8decd50dd992cf229b5ed4f93f9901e2942d2e1ab3c56

SHA512
dffc466c969c201e03e290212b4d27dd44535cd29ab809ed5970afd1bf40c400587b0339d89334a3848697a2cba9c51ef52ec5db61e943dfaeaf88e6261082da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\setup_install.exe

Filesize
386KB

MD5
b070e3ff88e9163a86e53beac6f86aaf

SHA1
dcc70b7fde48e1fbb87923b96539da500bb3d563

SHA256
7607f9c36ee34ce1b8c686542ed86aae0a9b01a5b936ba019356a6d58916f409

SHA512
db3ebd008705d16d742f51e5199e5cc29326d13da92b751b22dd5ca048f2813006285ff7928886ebe431a63ae6d3ebe203dc8ed31a21972ee06035309397d79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\setup_install.exe

Filesize
290KB

MD5
874ad8f28ce9611f887da4720d4f9ce9

SHA1
da522667ac0987db55bafebf4fcf9c2e28286506

SHA256
3e45e721be747f8265cd7ea6e6d3db0413747b0012848f54d038dbc775414323

SHA512
b24433144c03f87eb80bf6dc103e6c55899120453868625b8ff3ee47ccf437f6772a3f3bee49e0dbe124ca913751f6c721b56ca3cb6fdccae14ab69e4a9c0f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS85CF7A67\setup_install.exe

Filesize
101KB

MD5
d99b4331efce8061551cd580ab49d69f

SHA1
6b1e5cecba6178f1b4a6eea3beb6dc6560929ea5

SHA256
99b202e4c1f1f5435f18ff162aba64cf4dc16380a9e4159c93ba88561ee6eed7

SHA512
ef87c01150abcadcf77ce20d19076c4ac0ff4d66e575f0fba4d446c464a386c003a54cd9ede2cd9791bd9afad2bc4a53c1285f99613b1a3c61ee73b8080c94dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
1.4MB

MD5
8fca52b985ebf8246bf419c5fb0cc729

SHA1
d6c86de35d36c8d619535c3c4ba148827eb0ed25

SHA256
1ab6a6ca867e693063dc3ed06e4a4e27978dd80dd990bbcdb016c41d1dc7be65

SHA512
542f5b923a1f6b29461346116cf8bc74911082bc51271b76163dfd0620ec375d225138c3ec1197aa2cc2af540028469043b7448710dc8ebf4c6a20982eee9abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
2.5MB

MD5
6292f3630d6c405882882ea653667d0c

SHA1
07b542c8f394bc183e1a92a2dc3cd0e0619748d7

SHA256
9149e42e71384ad2ebda61f9f77a2c8e939ed02fca975791d725032e930b6b94

SHA512
07024fd1be10745d36d06edfc3fd8e804ae9d89c907d0e48e0994d202d83c2835ef40503c66ecce12aa811dd8f8d78b8d125adb211cf49b748845be405201d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
1.6MB

MD5
cd0282d003ac62a0de670505672ddcba

SHA1
f4ac6e249bd0d4bccc3753efd8aff54126c07171

SHA256
51838de6099e00ccb74d0193f99049be38619d8f1f833231e8c9cb1d2172a05f

SHA512
29eb037f3ed59abbb4cc86c4fcc38c625a00b88fdd5df11d5c771f7095ee18d7a45f7f703daf65e83432e7d7c5d7a138ee3e6e9d11f6ddc78a31d3d78fe3387c

Download Submit
memory/1264-101-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/1264-106-0x00007FFDF6C00000-0x00007FFDF76C1000-memory.dmp

Filesize
10.8MB

Download
memory/1264-95-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2384-115-0x000000001B8A0000-0x000000001B8B0000-memory.dmp

Filesize
64KB

Download
memory/2384-105-0x0000000001260000-0x0000000001282000-memory.dmp

Filesize
136KB

Download
memory/2384-99-0x0000000000A90000-0x0000000000ABC000-memory.dmp

Filesize
176KB

Download
memory/2384-97-0x00007FFDF6C00000-0x00007FFDF76C1000-memory.dmp

Filesize
10.8MB

Download
memory/2948-100-0x0000000002950000-0x0000000002986000-memory.dmp

Filesize
216KB

Download
memory/2948-102-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/2948-103-0x00000000052E0000-0x0000000005908000-memory.dmp

Filesize
6.2MB

Download
memory/2948-104-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3412-68-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3412-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3412-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3412-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3412-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3412-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3412-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3412-66-0x0000000000ED0000-0x0000000000F5F000-memory.dmp

Filesize
572KB

Download
memory/3412-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3412-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads