fabookie

General

Target

a702ea4d44b0cd2e341503175f84b0d2
Size

4.7MB
Sample

240226-wvhytadb61
MD5

a702ea4d44b0cd2e341503175f84b0d2
SHA1

d150c401bec51556ccce1cbd3ec286a3cd529e62
SHA256

3549672c8de23efbeec55aeef7925d4bf778b4683252084e04c7ceb6a50b9393
SHA512

93ae58177375ac4e8fc06e8435fd3174eff6c67fab1ad3ea0e51fdcd35db2368ba69cd2a6e12c90c7f62a790ffb324b8af4215de7661f4f4feec22e0aaa623a6
SSDEEP

98304:xDCvLUBsgh8CP7qLdpIyyFPLvnRpzrtR7v7+LliHHtJA9vqI0:x4LUCgK/LHIyyRLnv5BylUA930

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://sornx.xyz/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

vidar

Version

40.1

Botnet

706

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

gcleaner

C2

194.145.227.161

Targets

- Target
  
  a702ea4d44b0cd2e341503175f84b0d2
- Size
  
  4.7MB
- MD5
  
  a702ea4d44b0cd2e341503175f84b0d2
- SHA1
  
  d150c401bec51556ccce1cbd3ec286a3cd529e62
- SHA256
  
  3549672c8de23efbeec55aeef7925d4bf778b4683252084e04c7ceb6a50b9393
- SHA512
  
  93ae58177375ac4e8fc06e8435fd3174eff6c67fab1ad3ea0e51fdcd35db2368ba69cd2a6e12c90c7f62a790ffb324b8af4215de7661f4f4feec22e0aaa623a6
- SSDEEP
  
  98304:xDCvLUBsgh8CP7qLdpIyyFPLvnRpzrtR7v7+LliHHtJA9vqI0:x4LUCgK/LHIyyRLnv5BylUA930
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader smokeloader vidar 706 aspackv2 backdoor dropper loader spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2