fabookie

Sharing

Copy URL

Twitter E-mail

General

Target

26f28bf2dc2b6afc0dd99cb6ea3879b8_JaffaCakes118
Size

3.4MB
Sample

240329-tz5x2acd5v
MD5

26f28bf2dc2b6afc0dd99cb6ea3879b8
SHA1

9270b9f48e2d14cc2cbed61ee2e2389d5f69ce05
SHA256

5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa
SHA512

5a350373e87673c9ba39e5353bea1d7c1f2f7bc62a703ed13e892e69037008f3e2accadbdd0ec0bd976e54c68b79dfad6fb37517dd55448cac4d9d74ae8a037b
SSDEEP

49152:Egt2s56svyN2jXEBd7L5wr25IUoEI2csF5eLH+wCkBEy882Ffa72hNLr7xup20ns:JuGy4QCqam5eLbCmEy8HFfacLY1ash4

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

redline

Botnet

she

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

gcleaner

ggg-cl.biz

45.9.20.13

Extracted

Family

redline

Botnet

media12

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

smokeloader

Version

2020

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

nullmixer

http://hsiens.xyz/

Targets

- Target
  
  26f28bf2dc2b6afc0dd99cb6ea3879b8_JaffaCakes118
- Size
  
  3.4MB
- MD5
  
  26f28bf2dc2b6afc0dd99cb6ea3879b8
- SHA1
  
  9270b9f48e2d14cc2cbed61ee2e2389d5f69ce05
- SHA256
  
  5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa
- SHA512
  
  5a350373e87673c9ba39e5353bea1d7c1f2f7bc62a703ed13e892e69037008f3e2accadbdd0ec0bd976e54c68b79dfad6fb37517dd55448cac4d9d74ae8a037b
- SSDEEP
  
  49152:Egt2s56svyN2jXEBd7L5wr25IUoEI2csF5eLH+wCkBEy882Ffa72hNLr7xup20ns:JuGy4QCqam5eLbCmEy8HFfacLY1ash4
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat smokeloader ani media12 pub5 she aspackv2 backdoor dropper infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- OnlyLogger payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  setup_installer.exe
- Size
  
  3.4MB
- MD5
  
  142e9310a455d1fffccf79e72115a389
- SHA1
  
  9661f067ab05bec2cdcf29833e0d03dc91e67d13
- SHA256
  
  b7331f5aa85435a4e4f478603fd399969a99fd46e063352289a400d331fb100b
- SHA512
  
  3d9ee498135fad1b7f492f632bcac63580cac54cc5f9de4e4cfa0fc0aabaf39f8d037aec87d259be177e399139781b95ad23516599486aa3349ef7572a83d4ff
- SSDEEP
  
  49152:xcB6EwJ84vLRaBtIl9mVM/7bKrcgkUv/6Zdn7h5D9wJEmS7BVgEDThnHirtWbo:xcCvLUBsgi6Ig5vS7LD9PFPF6p
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat smokeloader ani media12 pub5 aspackv2 backdoor dropper infostealer loader rat spyware stealer trojan she
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- OnlyLogger payload
- Blocklisted process makes network request
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect Fabookie payload

GCleaner

NullMixer

OnlyLogger

PrivateLoader

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

OnlyLogger payload

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Detect Fabookie payload

Fabookie

GCleaner

NullMixer

OnlyLogger

PrivateLoader

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

OnlyLogger payload

Blocklisted process makes network request

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4