fabookie

Sharing

Copy URL

Twitter E-mail

General

Target

54dd0b1767570b23927b3959b1b53e2184b604eec29f168ca5f2b644a438309f
Size

49.7MB
Sample

241105-nrxnss1drr
MD5

219ac0109c3e07842f790b412fec94ba
SHA1

4f8ef33c738aff58136f4589dc547fef41656c75
SHA256

54dd0b1767570b23927b3959b1b53e2184b604eec29f168ca5f2b644a438309f
SHA512

df78fb954a8a19797030e016a797fed8622de9f7d0fb106ca91f3149a889b5693f317886b2b3274b254376675a15b3a17beabc1d683761211adc1d5502939cc9
SSDEEP

1572864:uTaKo/R00FboWii87YI3nBDLxotleS7/VYQ:umKo/RxFVii87Y6LxotoS7/VYQ

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

nullmixer

http://mooorni.xyz/

http://hsiens.xyz/

http://wensela.xyz/

http://gazrxlog.xyz/

Extracted

Family

redline

Botnet

fucker2

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

redline

Botnet

she

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

ANI

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

gcl-gb.biz

Extracted

Family

redline

Botnet

media15

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

media20

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

Chris

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

redline

Botnet

media23

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Targets

- Target
  
  01527c7b4dffc0803a58b1eda45308400edc796e707f0bab183e3278c3ec521d
- Size
  
  4.3MB
- MD5
  
  70870cf28b7e34965164f88d013f1427
- SHA1
  
  276d79157888ae8067a342ec8bd9ddf2df388154
- SHA256
  
  01527c7b4dffc0803a58b1eda45308400edc796e707f0bab183e3278c3ec521d
- SHA512
  
  11ff4fc1bc488a550130bac711fbc4d068239b5e9ea14ff93820eb9f064f869046b0bea108541947fb50e0ec0343a1f83526e59b143bf131200752c85e97f1cc
- SSDEEP
  
  98304:SKqy05D3wOg94At1/VjIwPDwyaZHb2GTrbemwgfvJdPlCp4WV3:Sn5Dgt94AtJSw7wyaZRbem/Zc4Wd
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f
- Size
  
  3.4MB
- MD5
  
  b46fae262aee376a381040944af704da
- SHA1
  
  2f0e50db7dc766696260702d00e891a9b467108c
- SHA256
  
  043d28836fc545b0c6daf15ed47be4764ca9ad56d67ba58f84e348a773240b9f
- SHA512
  
  2134c503a7abdb773d02d800e909e1372425a6d46cefa30fed8f54f4164190d836a86584de52e972bf619de06420a00e1c1ebc408d2932651e9a3b1978959d69
- SSDEEP
  
  98304:xUCvLUBsg4fyvKcIpMrvwSlDyW6MfVEl5GQUI4HJ:xJLUCg4fyvjIpMrokGgCl8Q/G
Score

10^/10

fabookie nullmixer privateloader redline sectoprat chris fucker2 media20 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8
- Size
  
  4.2MB
- MD5
  
  a6ba5fc790a5f555b8b6f28e7837253c
- SHA1
  
  ea77f8f24c106948eb398d682826afde02c7270d
- SHA256
  
  096fc162ed138cc3d9ee62631325c0d7d2957d6a1b7eec705da59004b83fd6c8
- SHA512
  
  5f77a237fdeffaaefac2decb9f08fdba7d909709c3796ef3142922559a5e8c25c9c0856088c9ce9f2025dcd91aa25b48f891ae9cb1d1a28275a2ad43f48f8fa2
- SSDEEP
  
  98304:J3KOJtrOPjVShZyRB2o4X0xgkwY9BdqoC:JaOTUVt+X0xgkwSMoC
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline media23 aspackv2 discovery dropper execution infostealer loader spyware stealer
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  setup_installer.exe
- Size
  
  4.2MB
- MD5
  
  c93901703b1d556d494f7a31ffb04720
- SHA1
  
  d14e2dc239ac85e6020f1fc4c035f7d2ea72d262
- SHA256
  
  0d5b2226f4199a3891ec836c5b54023595b4aa06d4a80e816a8d6545a0bb3631
- SHA512
  
  3e31e881d7b7c74baa5ea0e8d97f86dfc6feb06ec7061f30891b7736477f2888fdb58ccaa4d8ea764249191c89e5897954515b6bfdfe6a45d51640c63c20e900
- SSDEEP
  
  98304:xVCvLUBsg7YyMtiPheSGykvDinvGCy8JoyvdSaXD:xmLUCg77MMP/GyTdy2YaXD
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline media23 aspackv2 discovery dropper execution infostealer loader spyware stealer
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  22160bff37828b82230aefd166033aad94ba11087c2bcabe744c14304b98724c
- Size
  
  96KB
- MD5
  
  17d00ffe0063ec458371dac451603184
- SHA1
  
  b0b4d2802cd1c42e8e50f37e2bd03b457fd6b9b6
- SHA256
  
  22160bff37828b82230aefd166033aad94ba11087c2bcabe744c14304b98724c
- SHA512
  
  7f6b90e03427635c9ee72c4e4c3a90d19c123950391e24ea5f4f232ffb93507055e6269c0998c0a2760e16b341a034d5f949f9d70c7187b5b97624b748308aa1
- SSDEEP
  
  1536:I+TY2NTQCqdNeTOG/Yyz17QmSYYIKgD3DDO7y8VNCYX/isWcgIcdnws8nBsoHWf+:I+ZTqPatQy57QGYFq3Dy7yKCS6JnN8Wm
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
- Size
  
  89KB
- MD5
  
  03137e005bdf813088f651d5b2b53e5d
- SHA1
  
  0aa1fb7e5fc80bed261c805e15ee4e3709564258
- SHA256
  
  258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
- SHA512
  
  23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
- SSDEEP
  
  1536:4ZxrW2eq7mQeNzn26jO0+7I+LeScuT1Gd5anG7IW1V7hYxamr+s8jcdMTWsM/D:4bEZQC26S0+7NeSrTcTanGEWLh477MTI
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral11 behavioral12
- Target
  
  25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f
- Size
  
  89KB
- MD5
  
  ff3fffe53dee30a1c24bf86d419bd4ac
- SHA1
  
  303348ffa41a6a54784ff9ba7af6c03c7cad4efd
- SHA256
  
  25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f
- SHA512
  
  1c11b106f4e65d31f07e54649b5ee6c2b4e29de24b51749249ff5cfdbf641f3c38946d8204ea02998a6412403cc47a68ef2e8161ec54caec853b7d8d3ced22aa
- SSDEEP
  
  1536:4ZxrW2eq7mQeNzn26jO0+7I+LeScuT1Gd5anG7IW1V7hYxamr+s8jcdMTWgM/D:4bEZQC26S0+7NeSrTcTanGEWLh477MT8
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral13 behavioral14
- Target
  
  2ca08c7f0fe92d9ca63f492b7f8e4b54afba0248cf40dc202a67f381d094cf3f
- Size
  
  96KB
- MD5
  
  df5da21fdc878f323ac00be9432764d7
- SHA1
  
  72df4a6d1e74446a01b34cfad7f1c5a0f6a0ab56
- SHA256
  
  2ca08c7f0fe92d9ca63f492b7f8e4b54afba0248cf40dc202a67f381d094cf3f
- SHA512
  
  3c70dcdc2990304de062f1dd3f1838b9fddb7cc1c36940fdc87413d48d98fff492f61ba888ba14971e9685ae853fcf3b703134a3b33a730ebbd7993891d2abe5
- SSDEEP
  
  1536:2+Td2NTQCqdNeTOG/Yyz17QmSYYIKgD3DDO7y8VNCYX/isWcgIcdnws8nBs0HWfN:2+YTqPatQy57QGYFq3Dy7yKCS6JnNwWF
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644
- Size
  
  3.4MB
- MD5
  
  e635ed70bbc424514a872445893b1574
- SHA1
  
  97b3796c29853ef58955a1e06c5e6b1f02a0dd7e
- SHA256
  
  500e7e5c009d6087e16c49251fe574108267633fa8a0a72b489e07a7056ae644
- SHA512
  
  cded0958181fcb4c36b1aaccff193590eba0c6d92e8c4e0e089d7560cf79947112d6ef64550bdff2eb77ee2e089e8f8b79465dfb4b2f100fe7515209e0b03b0b
- SSDEEP
  
  98304:JrpthAc5DB/9B0jaNOtsDM7V7tkPiHf4SB6moPKIvo:JRJ9LNOuAAPigmovo
Score

10^/10

fabookie nullmixer privateloader redline sectoprat fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  setup_installer.exe
- Size
  
  3.4MB
- MD5
  
  bc10ee7cbbf3ea8b505c94bd655f5e50
- SHA1
  
  4667e7d52e54ba83ee7c264c14171a4db0d1c444
- SHA256
  
  33ea6a4e83204a0798a7a4e6d3361618e171d37342ed1b16d33b504eafb3b111
- SHA512
  
  a1e2349e226e83fa041ca5ade434927c5ca2a7f4c3f322944cce829c7ae5aa47376b7a9825618d3393668751baa3b45be55c749625344764a2532e92a167815f
- SSDEEP
  
  98304:xbCvLUBsgRCBWbLqJb5OD3bdBaSCyxVPAPB:xgLUCgRvZXdo70mPB
Score

10^/10

fabookie nullmixer privateloader redline sectoprat fucker2 media18 aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  5564c4427576aa1ec373cbae8cbeab980b83fa2ce05c5087f8e5c74dcda3fba2
- Size
  
  5.6MB
- MD5
  
  9d60a3a4ce52600847be99f10ba26852
- SHA1
  
  dcff2778f6903561bec30836f082b369ae5baf92
- SHA256
  
  5564c4427576aa1ec373cbae8cbeab980b83fa2ce05c5087f8e5c74dcda3fba2
- SHA512
  
  754775ec4d84e6cd5703d752654ce2aedbc6f3a7adadaa194f6e66965bdee266fe478154eaf1f967b00675f33423c4cbe2ab9c4b2c947840ae50276674825cd5
- SSDEEP
  
  98304:xZCvLUBsgi1Mwden/uqYn5ysAF1fzfKwSIi2bsIcfXC+6ryqI3wlvPldJwqWv:xSLUCgiCwGuh17la+8yf3wDdJhWv
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars vidar ani she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00
- Size
  
  92KB
- MD5
  
  bc1448e17d086d57f635c7079c1bc773
- SHA1
  
  1db1cb05523982e613b2e7977472f3adda47c1a2
- SHA256
  
  5cb26af89016d92b17fac85ae007d21027b3032174425c2bb6753241d62b2b00
- SHA512
  
  5b9c65f7e766560e2ccbc6a2aeba3dbbc1eeaca77eb57f2511155dcc86149d448d9780c9328562ff353aba8e4f90adc5c84ac9dcce509efe99cde56768c2f867
- SSDEEP
  
  1536:k7MGoViupm7ir2Ooe+JciT1GdeYH2JaGdVtcrYxam5+s8jcdahWfM39P:k7FYZoBPTcYYH2cG6r4J7gWU3d
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  775338ae182f692416e822b49ee9450ccf484f7bf179111cff7058c12fe29be4
- Size
  
  5.6MB
- MD5
  
  7e6b1e9e80bb32a34426aecc480c18ac
- SHA1
  
  1b776dd0f22d0395fa9d0f11b244d6dc0a6b3671
- SHA256
  
  775338ae182f692416e822b49ee9450ccf484f7bf179111cff7058c12fe29be4
- SHA512
  
  ba00595038c7a65ab4e811d339e928d7f00a73ce706bcb9b2eaa5af2356199eecc44cd4f35fe7f2e05bbc48d1bab2c877071ac759658a4ff7579d43842d88831
- SSDEEP
  
  98304:x/CvLUBsgfs0K3AdYOQVlDkh6yGxljSh9K5pkj8vhwbTNxxYtXgAAq3Jy7kQR+xq:xMLUCgfxKiqSScW7kj3bTrCtXBAq3O+Q
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars vidar ani she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084
- Size
  
  96KB
- MD5
  
  c202f1103c957930ec4cc01b43dfd472
- SHA1
  
  ffed9fc2e035d31f1b2e098471e8ec70334ff9fc
- SHA256
  
  7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084
- SHA512
  
  569aa632a2677cb9d1b0186f19676161853ceea55cb6ee94cfcc6ad4b558c57a2694ab0d2dc541484e4099530b2aab742b95d08c093150efa6585d98ce6356e4
- SSDEEP
  
  1536:F+Td2NTQCqdNeTOG/Yyz17QmSYYIKgD3DDO7y8VNCYX/isWcgIcdnws8nBsIHWf+:F+ATqPatQy57QGYFq3Dy7yKCS6JnNcWm
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
- Size
  
  6.8MB
- MD5
  
  85fdfaf0375116479cb4d27c7bfd1263
- SHA1
  
  64f6c4fafa6477128a4594435c6160a94c29a269
- SHA256
  
  809ed9e2d09751dad774b865881411b32bd24ad1626e331c0760b507c20eb741
- SHA512
  
  91a50317af88a6f5c33f471f771c04cb56aa5228bceeb94336d10d7934c056fcd682c5f20ad693399ed02be142173c60f28a1884664ead07dbdec312674b4a5b
- SSDEEP
  
  196608:JCMkPYTiqRiVmpPk9ZfNiIW9SCKtXI5aw3cSW:Jn3ifGmtYIW9jKS3cSW
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars ani media15 she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  setup_installer.exe
- Size
  
  6.7MB
- MD5
  
  423734b9d35425578f8946ddf7200de7
- SHA1
  
  77552641130ce235c75408ee9f7ce9b51a964c8d
- SHA256
  
  1cfe7796ddedf25599390e106899634e5baa364a7faa2f43e03666e9ee9889e9
- SHA512
  
  9f6a93e6d5b8a47952b16e01fceaf2eedc2eec2d8cea452d75f7a70e2a54eb0cd495d2acd5e1a0a47b368800f8e9455829949e6a6a56ec0907a185a8eaac9a86
- SSDEEP
  
  196608:xTDwZNLz0ftpsH4uoYx9hsfUs665vjon4W4Qhy:xvw4tpXudx0cs75vc4W4Qhy
Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline sectoprat socelars ani media15 she aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Detect Fabookie payload

Fabookie family

NullMixer

Nullmixer family

PrivateLoader

Privateloader family

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Detect Fabookie payload

Fabookie

Fabookie family

GCleaner

Gcleaner family

NullMixer

Nullmixer family

OnlyLogger

Onlylogger family

PrivateLoader

Privateloader family

RedLine

RedLine payload

Redline family

OnlyLogger payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Detect Fabookie payload

Fabookie

Fabookie family

GCleaner

Gcleaner family

NullMixer

Nullmixer family

OnlyLogger

Onlylogger family

PrivateLoader

Privateloader family

RedLine

RedLine payload