fabookie

Sharing

Copy URL

Twitter E-mail

General

Target

file_v3.rar
Size

19.0MB
Sample

240205-btdx9ahdbm
MD5

2907c619308c4994725246f3b335c1eb
SHA1

0192fdeb02cbc07f058efa7873f45554db31d8f2
SHA256

ff2c2ae77e1b00829710601852b7dd95c4db15f332838807605e53bde54692df
SHA512

5ca3a35d6a78ea77afaca931a306c5b3d51a8f96c27294f6112d1d934773b66b03e14435545c18a08afcad1b6cd088eefa18da07b66bc9a437017f4fcc2f51d7
SSDEEP

393216:6QBMC1umf9zyQHvNW0VMLSJg9zWBsoaucPI4Tj9EAqfD6EXFomwSLxvVAl:6g51ugTPNW0+og9zWBsoncPIyEAm6kS5

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Credentials

Protocol: ftp
Host:
centova.euroti.com.br
Port:
21
Username:
[email protected]
Password:
2199:cantador

Extracted

Family

risepro

193.233.132.62:50500

Targets

- Target
  
  res/scripts/client/gui/mods/mod_pmod.pyc
- Size
  
  153B
- MD5
  
  cdd7f869a2fa3595dd67f254432f033b
- SHA1
  
  3b61369c8913f7273496a43949639d1071b5f28f
- SHA256
  
  9fcf95f166cb68c88037c76fbbee732a9768d6c442adacb9161d22d2d271999b
- SHA512
  
  35e013d0935c1191dec370a29b3bd460c7a3441a659d33ceee8b02b98203facf20eb073e6f7a7dafa989cc1bc71a2d13bafaa485c23d4c8ef94d58a48a1dc694
Score

3^/10
behavioral1 behavioral2
- Target
  
  res/scripts/client/gui/pmod/__init__.pyc
- Size
  
  1KB
- MD5
  
  9cafdc23960dd52f8f59ca43dec846ef
- SHA1
  
  20301942f39cf056bdac69fc9bb6bcec6ddcc5d3
- SHA256
  
  98cd1cebaf1246317f6bc465fc32b7a1c3e56b5a2f3edb8f7289376e675e575f
- SHA512
  
  dfabac4eaa505f45155858be2a27379cd1732336f4b20152c50228b3087f421b024db649b07a19b6ce07b1f9d00755343159805708024953730d6c9bd5027bff
Score

3^/10
behavioral3 behavioral4
- Target
  
  res/scripts/client/gui/pmod/_constants.pyc
- Size
  
  1KB
- MD5
  
  ff319c313be8845286aa873624d4f852
- SHA1
  
  ff5282a5e6c1e7ffd623d3100ad549a0fbb74f00
- SHA256
  
  0ebe7d769b037fb948a0cbe2c0c06dc0b273803d8e7f94f2d1bdb054b92b370b
- SHA512
  
  3fedbb36b5fd9bc4ade6085b91d59f1f915662f8cb586e9cd2ded5487017f359c9471a2d83e91d5fe4c07cf460a54e9506938783179ca451c6b48854ceb91337
Score

3^/10
behavioral5 behavioral6
- Target
  
  res/scripts/client/gui/pmod/_legacy.pyc
- Size
  
  442KB
- MD5
  
  63cb6e1d201ffd0e2bf7bd35cd67b720
- SHA1
  
  c9138a3148512cac34e851c15bbaf2184a5983c7
- SHA256
  
  fb279ca0f51a5323371c1fd24ce827979eece4e9618e1e26645cf71bdbf009b7
- SHA512
  
  205f4e7d4fbf1d17717ab4fbf07b2d3ee343cd51dad03ce45d5e79fd5b56b6d0158449d6e94a6ce1dfc58f133aa854e3637ee2520138ff5c95627527adafb6eb
- SSDEEP
  
  12288:Z8Ut7+4ylPxHR3C+Os+Vw6ZlKH+jx3tQDyrY8M6:Z8UpjiKe+V9ldx3tky5M6
Score

3^/10
behavioral7 behavioral8
- Target
  
  res/scripts/client/gui/pmod/controllers/__init__.pyc
- Size
  
  559B
- MD5
  
  99e27818dc03554f49ce0228401505d8
- SHA1
  
  0926f45d1d28b3a81913fb1e628f8a5b5b614454
- SHA256
  
  eee06002d6fa8bc33a11bb88a24a4bc4bfd8ef35de112aef556bb56b5331b4f8
- SHA512
  
  1f0f7ac2c8c77dffbeaad9b228ee4bfc5a07374dd8aa3bb07d3cc02c42d3691bf0fd49eb31b2b2c060cb73ac98e042a63ac712add1e6bc4738ce36600b7b3d0e
Score

3^/10
behavioral10 behavioral9
- Target
  
  res/scripts/client/gui/pmod/data/__init__.pyc
- Size
  
  571B
- MD5
  
  7d59cc40781f0a08c26bbc9cbf50af28
- SHA1
  
  1d83a5775025fc3c84655ef7650722d1ac806e18
- SHA256
  
  508b23c6db4f16e13a86ef6f125126c46ba9dc1d6f4d9587ad51c6dbbd0d50cd
- SHA512
  
  61f430674a9119d96e5977c389772ee9ce56116da2e7db91d7b21b2e35214c8ec8feb6d70156ad196d3cb361898295741b92948eae1b7efcc01033fcbfce2760
Score

3^/10
behavioral11 behavioral12
- Target
  
  res/scripts/client/gui/pmod/data_collector.pyc
- Size
  
  31KB
- MD5
  
  463cd01eb8ae2d2519927d19e3ceb6bc
- SHA1
  
  efaa3c9de5fc68548218c4738825648c59d0f868
- SHA256
  
  ba56371dcb1cfe3971768fc8d188d2b34a1942f3762adc10572ac57547491418
- SHA512
  
  0723d7d66ea805065ba26664804b537f6d6a5dbb16c0b7173deead41ffa95e4938f10a0acc639470c5840f7a6461013eb66b49dadebce51fc8417fe3da543632
- SSDEEP
  
  768:SC/ooXpaTto9+xehW8e8pAHPxTedGbPU9Li8ONpqQAMGR:SCgoXpaW97hW89aoAbPULi8ONpbGR
Score

3^/10
behavioral13 behavioral14
- Target
  
  res/scripts/client/gui/pmod/events.pyc
- Size
  
  896B
- MD5
  
  7fe840bbaf10620dc0c4f31aeca1b93e
- SHA1
  
  bdef78b2568e0e5757df7a15c32e715b78ccdf67
- SHA256
  
  4b23a11135553dac529bbab74029440f32e14d058c7ad7618146b0cb6310f234
- SHA512
  
  19c36ba400cd143a24fa392aaa1bf28f8a9a70ef369005df793baa44852f2e172b49332fbf6a119135f3beb992ac8b74d70784ba907f7ed2660a6253f6fa3282
Score

3^/10
behavioral15 behavioral16
- Target
  
  res/scripts/client/gui/pmod/utils.pyc
- Size
  
  3KB
- MD5
  
  6aee2d3425febb9f1427664b871ad051
- SHA1
  
  4531410a80484f8a6e94c311b8c40d0c4fe36c36
- SHA256
  
  e98995a0eb89de5277364ce3d1b6c26fdbfdb6812caa2e8ed38d3aa849a3fe3e
- SHA512
  
  6e8f29299333be94450a0aba48e8e5894e08cf0473d5f86b8dcca1a2ba8ca4c32461fd801f66cea10bdbff4f0596cd10c345cc19f18778f829838e4b24b3b235
Score

3^/10
behavioral17 behavioral18
- Target
  
  res/scripts/client/gui/pmod/views/__init__.pyc
- Size
  
  2KB
- MD5
  
  ba2d0f59f488fb796affd52cfaa895a0
- SHA1
  
  51283de5abf0791de163db16b37195a219328f8b
- SHA256
  
  bc191d04a62f5bd39735e8d0db8f58bfdba34be030ca2ef4b3f9143ae1f34299
- SHA512
  
  f77548f475c73a87eb10a8b36ce18ce117546a214a4f8933ac564642c0a7cd60faaa87288dfd37977d0516e75e3d63865d2b046054f7948e6c7f8f00179df369
Score

3^/10
behavioral19 behavioral20
- Target
  
  res/scripts/client/gui/pmod/views/battleInjector.pyc
- Size
  
  1KB
- MD5
  
  a508ee96d0fb4135799e2240cb877471
- SHA1
  
  ebb0b355ffd0db8082a8de9e81526e72eed9a181
- SHA256
  
  67970af6c1b53df12b26178f8e446b6e8a91b998cee825491e29420acc1b0a7d
- SHA512
  
  583bec8c836975c8e8ed083499582743690d94e100882d1c3063b583de5cd96d9813d538390b4f241f32bf5be841c645e7cab513760cb85e3a5fedb9ae3f2117
Score

3^/10
behavioral21 behavioral22
- Target
  
  res/scripts/client/gui/pmod/views/battleView.pyc
- Size
  
  12KB
- MD5
  
  365c94ff9ff638a975fc48e5615609d4
- SHA1
  
  9e45f6919c60c67bc4e9418291f734e9d0128d24
- SHA256
  
  bceec7b43a0a1cc6b4160e3b6b2dc8f59acdc5c5fb64ba3b5746abfc220aef15
- SHA512
  
  c5afb2a53bfe23448bd0213446cb5fc59f14df1bee90ca3edb82c0144bff3972e4d99ee8d2dff84a3179d0b1304434186f14d64ff1257babc84df2fc5a5caf9e
- SSDEEP
  
  384:ydw3mAFrSqoLePXEm3A7tk5acw9eV3j288888e:ydw3BroLePXEm3ek5or
Score

3^/10
behavioral23 behavioral24
- Target
  
  res/scripts/client/gui/mods/mod_battle_results_fix.pyc
- Size
  
  4KB
- MD5
  
  214af21069321836edf102922b9574d5
- SHA1
  
  c628d80bb57ec654a9edb905af750b2cc74941d8
- SHA256
  
  d3a5f531e5241c6e84f70afe15baed09c4f9aabceace3bc82a1bd4e6f8f99c3d
- SHA512
  
  c84b1bde6a543f61f5454942db730b4f63e289a4f423666bd15536bd03a094c0bf2c9dfc36999d3f4d2db785ac75a747a1331da188014a42758971fef0f6daf7
- SSDEEP
  
  96:PGCbD7Vhkbbk25qqVajRrXIwGtlFCU4b61+QlhPmn:+gD7Vhkbbk25qq01rXLGrFCU464Zn
Score

3^/10
behavioral25 behavioral26
- Target
  
  res/scripts/client/gui/mods/mod_sights.pyc
- Size
  
  60KB
- MD5
  
  f2dff45ecfc99fd37d55fbc2b299c04d
- SHA1
  
  ddd00dd3d4902d88ff977c3a13289867be85c363
- SHA256
  
  21dd81fe5ef9341a63718290240b6025de2f63a6f5b7e908a1ad436a45cbda4d
- SHA512
  
  4cff232634b1e01e58468f444408ed2aa1810d79ffa09066fd5966da13655879ba83fca894b2505be3afb7ab0280a68572569763ebbc565e02e3c57aeda16b71
- SSDEEP
  
  1536:z5aClb4nAsq2sGlu22HFJSZFz3kAmq2TdWdF1:z5j2hqvM2Hb43TmW1
Score

3^/10
behavioral27 behavioral28
- Target
  
  setup.exe
- Size
  
  700.0MB
- MD5
  
  1d5e1c35b484d738f760eaaf3c64a8ed
- SHA1
  
  d1c11d8aa24c3db39b83e7ae8ed08bfe0712e7c4
- SHA256
  
  956c170af019380821277c5dbe27828cd80c052360d31e068d5fad807661900d
- SHA512
  
  3ab4b5c04d97f98891df8e9fa5558efa1614a2f7a9fa0bd2a31e8984276db034e6e2e21b6688f3580964b9d0cd65ca3fed3cf82d46e6baa1e49a5b180de19ea9
- SSDEEP
  
  98304:APk3sggNakswi0eWu8qcUQ5JPpDTeQ0w333:fXGioM8p/0
Score

10^/10

fabookie smokeloader zgrat pub3 backdoor evasion rat spyware stealer themida trojan risepro discovery persistence
- Detect Fabookie payload
- Detect ZGRat V1
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral29 behavioral30