fabookie

Resubmissions

20-07-2024 17:57

240720-wjqjhsvdlf 10

25-06-2021 00:56

210625-ngg6y1frfn 10

Sharing

Copy URL

Twitter E-mail

General

Target

60d529_NTLite-2117917-.zip
Size

3.1MB
Sample

240720-wjqjhsvdlf
MD5

2713db714527b0d4926d910e682bc6c1
SHA1

e9e84d7c0d45752e15e287cb34f12dfe4673fd32
SHA256

1063b209f72f58d52f4b58346f5777f0d635410a093c4e7ae07d45b2ae8da836
SHA512

cafbb35ba9e87b5b89757aa1662eae4e8346ce213ab760824722036d26f70cae14c575cccca0be625fdbbb7a676ae02ac4adf7d9fb966651b6a4d77d4ad28750
SSDEEP

49152:B+9t69S9F1iEaSajLCe2u3B21WE6+JCjUocyu9xuvoKn836ZeS0ajt4ZI+0:BgqSDDaSavF33B21WXjU99xuvo+XzDRx

Score

10^/10

Malware Config

Extracted

Family

nullmixer

http://motiwa.xyz/

Extracted

Family

redline

Botnet

ServAni

87.251.71.195:82

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Targets

- Target
  
  60d529_NTLite-2117917-.zip
- Size
  
  3.1MB
- MD5
  
  2713db714527b0d4926d910e682bc6c1
- SHA1
  
  e9e84d7c0d45752e15e287cb34f12dfe4673fd32
- SHA256
  
  1063b209f72f58d52f4b58346f5777f0d635410a093c4e7ae07d45b2ae8da836
- SHA512
  
  cafbb35ba9e87b5b89757aa1662eae4e8346ce213ab760824722036d26f70cae14c575cccca0be625fdbbb7a676ae02ac4adf7d9fb966651b6a4d77d4ad28750
- SSDEEP
  
  49152:B+9t69S9F1iEaSajLCe2u3B21WE6+JCjUocyu9xuvoKn836ZeS0ajt4ZI+0:BgqSDDaSavF33B21WXjU99xuvo+XzDRx
Score

1^/10
behavioral1 behavioral2
- Target
  
  NTLite-2117917-Crack---License-Key-Free-Download-Latest/60d52994b34a360d-Passw0rd.txt
- Size
  
  3KB
- MD5
  
  548fc467fea07121d98c5a60fe8d14de
- SHA1
  
  7e9d66ad17348fc8bc43e149bf5b9e2cbe225323
- SHA256
  
  a3a6bfab02bb1c95fca8e0487a70bcc5615ca323bc80dc97212a80cac7085822
- SHA512
  
  c46acb92287ea997315c779195cff7624111af6111f96bb7cd0e6251060b6d966e508eef27dd2d3828959a798595e9f77ee6fa822eadf3795fdc408fd4f3cd77
Score

1^/10
behavioral3 behavioral4
- Target
  
  NTLite-2117917-Crack---License-Key-Free-Download-Latest/60d52994b34a360d_setupInstall.zip
- Size
  
  3.1MB
- MD5
  
  edf9a1ab1fb74e2768a2f3881516e80d
- SHA1
  
  73857f114ade663dfb64d8af663ffcdb4f977d40
- SHA256
  
  1a14d26641fab704c6d9e528416f12528224513fa6376dfee5e38b486a25cf0f
- SHA512
  
  ebce1f6e10a0a49f668132339a152a5b2d8d06a64acd4552a80032075c368cb27b94803baf929f94c7adf5154cfd26152c4ae813552ad849420b7513db34bc96
- SSDEEP
  
  49152:UO9109O9hZiI0sOTjukq+RBATWki+nI9woOou9ruvoCnAvS7OSqg934JM+g:Uw8Ob10sO3J1RBATW/9wB9ruvo2zDZN5
Score

1^/10
behavioral5 behavioral6
- Target
  
  setup_x86_x64_install.exe
- Size
  
  3.2MB
- MD5
  
  3ae1c212119919e5fce71247286f8e0e
- SHA1
  
  97c1890ab73c539056f95eafede319df774e9d38
- SHA256
  
  30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
- SHA512
  
  5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558
- SSDEEP
  
  98304:JzW3xr+nE8OUSnhyL/34PVR3dSqJcppIrTF9UqGbmZ1:J6x6YUSnqoLt/cLS59UJmv
Score

10^/10

fabookie nullmixer redline sectoprat vidar 706 servani aspackv2 dropper evasion infostealer rat spyware stealer trojan upx privateloader loader
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  setup_installer.exe
- Size
  
  3.1MB
- MD5
  
  22b4d432a671c3f71aa1e32065f81161
- SHA1
  
  9a18ff96ad8bf0f3133057c8047c10d0d205735e
- SHA256
  
  4c61aeec3fa5cbd6e8cd19272d28a1e07a8ac96e3fd8b2343791ed2521dd3028
- SHA512
  
  c0af739ec9a93978c8c25ad05a2c0826a8320a9ac007bbd36f6846053bc8d434e23a6edf19d1666767fd7ad404532983604fd7774cf18940f7541616700be523
- SSDEEP
  
  98304:x4mtX5BNf3HFKR6VNHuZA5r5OCvLUBsKeSAWqPO:x4mtJBVlKwVNHuZA5tLUCKiU
Score

10^/10

fabookie nullmixer redline sectoprat servani aspackv2 dropper evasion infostealer rat spyware stealer trojan upx vidar 706
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Detect Fabookie payload

Modifies Windows Defender Real-time Protection settings

NullMixer

PrivateLoader

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Detected Nirsoft tools

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Detect Fabookie payload

Fabookie

Modifies Windows Defender Real-time Protection settings

NullMixer

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Vidar

Detected Nirsoft tools

Vidar Stealer

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10