fabookie

General

Target

427e7b72d31cf76f2f36deb3eb762cc4
Size

7.0MB
Sample

241107-h7m7eaycpl
MD5

427e7b72d31cf76f2f36deb3eb762cc4
SHA1

08be2960808aa7cde50c5806d5d8aafb8363ca8d
SHA256

a6efc4fa4c7dcb4621a256f18feca2ddb4312cc73a08b0779b790a5da2799efb
SHA512

9a5370c8a928f09ba28afe01f7f01587cb734f5ace6225400812ecbed38910f5e67f7e6499a21cee63fa7c1cd158010385ad3a69b18f63c12b75f29ec356d71d
SSDEEP

196608:BQWQxiK1pW2xVaP0MuZB9iZx78Ev2KYgbmY1D6PscFu:Sxt1pNxVaP5z99vEgyaiu

Malware Config

Extracted

Family

nullmixer

C2

http://621f9481e1e2d.com/

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/qwwgh/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

C2

appwebstat.biz

ads-memory.biz

Extracted

Family

redline

Botnet

media60603

C2

92.255.57.154:11841

Attributes

auth_value
32ca3353c43f67b3879fce4660e9c65d

Targets

- Target
  
  0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6
- Size
  
  7.1MB
- MD5
  
  1f6e0a406d4d8dbd2c113d3565dbe7a8
- SHA1
  
  dc5a439e7a0e918494c1065fe15d4bbe2b9b33be
- SHA256
  
  0491bc5f72df0546d2a502284cbcfed465ebfdd9768cde51152e53bd24b2d2c6
- SHA512
  
  59310d8756a63d7df6c05a6ae78721d8339913bca4b47e076a60cdc95071bd690648c1e298bd29510fc252d813a0ea3dc05d7cdf07ef243770722d4fe1b8e59c
- SSDEEP
  
  196608:xtgdzQIV48kCWgj0JSk2apV4f0PxHtJvMYOYqF06pamS:xtgdz1V4tC3j08k2apyf0pHtWYkC2amS
Score

10^/10

fabookie gcleaner nullmixer onlylogger redline smokeloader socelars media60603 pub3 aspackv2 backdoor discovery dropper execution infostealer loader spyware stealer trojan upx
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- OnlyLogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2