Extracted

• • Target

    Install.exe

  • Size

    497KB

  • MD5

    41a5f4fd1ea7cac4aa94a87aebccfef0

  • SHA1

    0d0abf079413a4c773754bf4fda338dc5b9a8ddc

  • SHA256

    97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

  • SHA512

    5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

  • SSDEEP

    12288:RQi3u03X6m6UR0IAQduaatBEL9QJq4Vj5ZT3IGm9CXZ:RQi+KKHIAQk/eL4q4Vth3IN9CXZ

  Score

  7^/10

  discovery

  • Executes dropped EXE

  • Loads dropped DLL

  behavioral1behavioral2

• • Target

    keygen-step-4.exe

  • Size

    4.6MB

  • MD5

    563107b1df2a00f4ec868acd9e08a205

  • SHA1

    9cb9c91d66292f5317aa50d92e38834861e9c9b7

  • SHA256

    bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

  • SHA512

    99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

  • SSDEEP

    98304:H6Rles9UGuxV53gdsl7s1+IXKe3Z1bZaO4qFqAooEeGmRxl36Z1/B:H+lZ9UGuni+2R73Z1bZn4uKoEeGmRz6N

  Score

  10^/10

  fabookieffdroiderdiscoveryevasionpersistencespywarestealertrojanupx

  • Detect Fabookie payload

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • Ffdroider family

    ffdroider

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral3behavioral4