fabookie

General

Target

dd65b3d3254770a4a448222db48773c39bcd730126d6c65a1b9210ab3445020e
Size

9.6MB
Sample

241108-crnkcavrem
MD5

6bb8159211be5fe4079acb4d4c23edaa
SHA1

ec567d6d11faff719850b54fd96e837567cb0f6d
SHA256

dd65b3d3254770a4a448222db48773c39bcd730126d6c65a1b9210ab3445020e
SHA512

d791f7101e75719ca0dce338e36843d40098bc9194f0d0c93cfbb2f7be34b67b5165a952ec0d5af7de11b5e240ef2bc87d27c325360e82cd9d4c32deb20b4ff4
SSDEEP

196608:oJ50Q+ygkDTeaK28dqDN9o/T1fzpuyU6OvEVW+eRfYRiUc0qjRL:od+ygkDTe3pdqDN9o5rpDVW+0fYRiUc/

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://6245c31e064c3.com/

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

C2

appwebstat.biz

ads-memory.biz

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Targets

- Target
  
  06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497
- Size
  
  9.6MB
- MD5
  
  c869a2a9d6adbde8402790f7a884d8c9
- SHA1
  
  d5452604cb3819e95fd5b29361305ef2357079a2
- SHA256
  
  06863cb5bb52bd84799a527045ab9e296882c2f04e462c5c297da8dc3dadd497
- SHA512
  
  81e64fa0b7115c5e296cb2bb3d68142f16b9be5956bb5e3fa7c7264c0160e5b54c92d7c8ec9832cf69d82f7738eca52d756d46cd97fac99faa706db538cef700
- SSDEEP
  
  196608:xouA78MTdWfPVzDVk2YMENpDTnnYyZ7Ww5kK+sBdGZzKnWthSiDSTD:x/A7hTYfPVzBwpPnAw5gmnWtACI
Score

10^/10

fabookie gcleaner nullmixer onlylogger smokeloader socelars pub3 aspackv2 backdoor discovery dropper execution loader spyware stealer trojan vmprotect
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- OnlyLogger payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2