Overview

overview

10

Static

static

7

0hS8ndFapM...Jf.exe

windows7-x64

10

0hS8ndFapM...Jf.exe

windows10-2004-x64

10

0rr48RlGuy...xg.exe

windows7-x64

8

0rr48RlGuy...xg.exe

windows10-2004-x64

8

21oenuW1qn...e5.exe

windows7-x64

10

21oenuW1qn...e5.exe

windows10-2004-x64

10

25jZMPTiQq...9r.exe

windows7-x64

10

25jZMPTiQq...9r.exe

windows10-2004-x64

10

28NEs4WOAb...Dx.exe

windows7-x64

9

28NEs4WOAb...Dx.exe

windows10-2004-x64

9

2DWwzYoIDs...wH.exe

windows7-x64

10

2DWwzYoIDs...wH.exe

windows10-2004-x64

10

4sqg3EO3n4...E3.exe

windows7-x64

10

4sqg3EO3n4...E3.exe

windows10-2004-x64

10

6IvhC9RrHt...Qm.exe

windows7-x64

10

6IvhC9RrHt...Qm.exe

windows10-2004-x64

10

6K69WRpYoP...wA.exe

windows7-x64

3

6K69WRpYoP...wA.exe

windows10-2004-x64

7

6RVcR1WSzn...fp.exe

windows7-x64

3

6RVcR1WSzn...fp.exe

windows10-2004-x64

7

7UwyHmKx00...KA.exe

windows7-x64

9

7UwyHmKx00...KA.exe

windows10-2004-x64

9

88wncypnTK...tt.exe

windows7-x64

88wncypnTK...tt.exe

windows10-2004-x64

1

8Jw_RggGj5...71.exe

windows7-x64

7

8Jw_RggGj5...71.exe

windows10-2004-x64

7

A04WVFPeCH...H9.exe

windows7-x64

10

A04WVFPeCH...H9.exe

windows10-2004-x64

10

A5ulgq_bFX...0Z.exe

windows7-x64

10

A5ulgq_bFX...0Z.exe

windows10-2004-x64

10

AU3ie6Mv1v...zZ.exe

windows7-x64

10

AU3ie6Mv1v...zZ.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25jZMPTiQqNIVH0Cs2hi6z9r.exe

  • Size

    1.7MB

  • MD5

    6753c0fadc839415e31b170b5df98fc7

  • SHA1

    7adbd92546bc0516013c0f6832ea272cf0606c60

  • SHA256

    01550ee84ac5a220197177182fd2f3f9c9e845b416d06a384384e3cd62ecb569

  • SHA512

    92c0264046f1293b02ccccbb3cb5b80510d2d3a1d1caff23815adb4c715d0aced08e57682c6dcb76fdca70eb46bc819db2a763f050f74de27fbb3946dca504ab

  • SSDEEP

    49152:pAI+r+g7ELp4UtaupKvwS9IBfgUtckcL1YsNP:pAI+CvK88wScgUAL1Ys5

Score
10/10
fabookieffdroiderdiscoveryevasionspywarestealertrojanupx

Malware Config

Signatures

  • Detect Fabookie payload 1 IoCs
  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider
  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie
  • Fabookie family
    fabookie
  • Ffdroider family
    ffdroider
  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe
    "C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Program Files (x86)\Company\NewProduct\customer3.exe
      "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
      2⤵
      • Executes dropped EXE
      PID:1652
    • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1252
    • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
      "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4676
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Company\NewProduct\customer3.exe
    Filesize

    244KB

    MD5

    1daac0c9a48a79976539b0722f9c3d3b

    SHA1

    843218f70a6a7fd676121e447b5b74acb0d87100

    SHA256

    e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

    SHA512

    2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    cf39589839cc43b64970e361f8ca9850

    SHA1

    cb801b646e3842b83a4dcdf801e541fd1acab173

    SHA256

    7c5b0f3f6aa0b63639c8b16902252f4c597610312f5e04ea93a9a0b9b4734639

    SHA512

    e87c5a39e2881609d64523d601623745b538e40031e9f59832d70e6e97b2a5e34702f7ce65f0c8d0f1c0acd73e00419f5b20d0d88e97d9e66061eb520076fcb2

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    de5ce6a718d5d9c4b01010e566c427b4

    SHA1

    532e00f5a92b42edd71c5f3b4ff82bf678e85a33

    SHA256

    0eed2087e41c3a4274c5b0c8d32d392b52a895856d3753fe0cd5f4b99f4dcd10

    SHA512

    05e6c2e30855e208698e4f7eb89761beb771828689cfa1d9b3765fe7a2b6fbe91159d5fe71d16daf48b373c185c6faf317737db33334e92f80a3b4d7d5a21703

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    5f39a5da97ef8425688987f2e54eca99

    SHA1

    8bf79b357cbd1006a0cfef411a564295a79baed4

    SHA256

    4eeb1a6953d6b58d0c45f49b96e9bd070fc4291a627be2a68beb31239f7d4c40

    SHA512

    4ee36934a04925e26c8dc608585d207f1044d8aafb229375df12e22c22e7d5898f323da3ea6e48da2c495782742d75c305caf5f8f74f29cbde3c6a59cfb61bdf

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    8fdbb1d2eba36030aa07f1f4a0fcb753

    SHA1

    5fac7fca3107ef6bf0300bff4395918db339eccb

    SHA256

    4eb27aefbcf5682f4ffdaf77be00bee4b1f8a52f792587a32fbab2275fd604d2

    SHA512

    a4604632d4010dced13452799e9d3bcc6626cecb13c5ec04d05fe991e0bf8d156349dbed04e85f4de7929dd07593df5f873b09f3480f922bdee3b1bc58f32723

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    86a94fba6c691f902f7858df1040f909

    SHA1

    f04e841c686c702db109b905693766ff6a57bea1

    SHA256

    f4d48a46e806eded7fd063deffcf928fde73582e8d06645dc4da1036be2a2847

    SHA512

    e6d35a3b259e7e6f148242dceb8e4665806bc1eaade2bb42c8065bafd201dd3a59a8f590d6750634ee48496a5108d6ed5f710cf62eae27a6a511ed22792dc08d

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    92848d0624a71666aee055daae8d4429

    SHA1

    11f53809b829b02d9db6697a76c993555f31a000

    SHA256

    6bce2f1b791b3a88264d99d6f881de41f5ff4a2e68d7b1d59e9983477e1d92e2

    SHA512

    5bff179a6127ce85a7bef4b8a5ff255b13d49160abfe72d4c4b7b1a8d32c37de77204856e048190b0fa42213033dc817eba9e48b5b0e3f35e63c945958c87917

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    7e7d16180d05bd9eeff57b23c89a415e

    SHA1

    8f5f59d85eebcdac50f1c64b9859b24a6885d5f7

    SHA256

    af6769d7571767d18d1385488a589f9aec0de8a70bdaea67b332e4245a187346

    SHA512

    e417e8b8cf849b848c7266ec99aa13fb262d670241270a6f4432d0e6ddf84b29d7dd8fe37f12f47c45c3e17542906d7ec6bffd9026c086d92ff3c9463e211631

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    f24a8e6fc59249d22a860527c8dac923

    SHA1

    9c827f7be197e4074bd6f70eeea954be768628c0

    SHA256

    0e131e216a94e6ae4f83d141baec45cfb190956c98aa161693930fd6e97c1f4e

    SHA512

    d7d637a8c66d160d91bc820df2e2516b76bc38f0716a8aef052926ef3390116de1dd02183400104c70c33a9ced4702553726f012a513bc64be0dc565e4702715

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    582ceefba89aa75ba482dad15d9118ea

    SHA1

    45eddae3eae938881be7092fde4e416bc7c58203

    SHA256

    7b4be2e88894f61a45e8f059fe8c5c1729a2ae661b57ec5d74689e048ac2229d

    SHA512

    fb07f4346716fd7e3a54519210dc536297a4905aac5f39490bcace982d4fdf4c158c29d820da4a25843f58677dd19f6cbb8a253af33111fe4a7cb3e1ccc89593

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    249dc7e269a7c56b4237778dd8d4f80c

    SHA1

    125fb1a2c5f6c7d5863ca919377bc2b919e7c6bc

    SHA256

    889cb70ee488466fda3e79acc1cdfa4b8743dfe6d42426297408ca82addc8dfb

    SHA512

    7c17a2336e3802f657901ac3f8d992b7a2b960e07cb747c3dacb0df99e791b23f4feb403d249d2ac5bf7f504cd1b389425a81d70aa65da4b10c02e67f8b109e2

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\d.jfm
    Filesize

    16KB

    MD5

    1efd28b1f7deb9b054cb570033bb6b3e

    SHA1

    7c3724cb659fda69e42bd8bb4dd5d58b91c5b81c

    SHA256

    3146f142595ac853f8ef360b4a601aa7ae58f9d6f01a2a2f14fd105a0ce62e91

    SHA512

    a1a5c35ae3431a4953220d874f4e84b2a6f20fc1af3b9cc6c7f8551d0eedaa9eb3a5a5f2ae111099486673b201d05910c96bac9db30188b90df05b1fba6f4b56

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    Filesize

    971KB

    MD5

    aed57d50123897b0012c35ef5dec4184

    SHA1

    568571b12ca44a585df589dc810bf53adf5e8050

    SHA256

    096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

    SHA512

    ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

    Download Submit

  • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    Filesize

    829KB

    MD5

    ce11de1000560d312bf6ab0b5327e87b

    SHA1

    557f3f780cb0f694887ada330a87ba976cdb168f

    SHA256

    126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a

    SHA512

    655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ecv952B.tmp
    Filesize

    14.0MB

    MD5

    3df95fee3325f7a1166397bf4731fc65

    SHA1

    6b550232d72a4bd6226a47e62a3ce8dd69a7d547

    SHA256

    e79409561e551623f3953c56bcb0b61497359f0a690fe60a78cd8674b0e21f80

    SHA512

    ca35a6bf6f279d3c19079879d94bb1af8c9aa3f1a5e68768711daef6273a8f5997a531c8a601263a4c005ad1de9c9dab9fabf6a829ba195c0697cafb8c0d1937

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    Filesize

    1KB

    MD5

    2b62135740860ef0add77255dd26b6b8

    SHA1

    bdf6ba9fae7427c9d0592e152cf9916ef4c45e35

    SHA256

    324e1e6e3c8c694c5de17f42ce7bcff386741882b58a1d379f90b0d5bf22d861

    SHA512

    f92e8072794f202a3f36dd57100db52f96b685027d0a907cb065d7fd886894c9c060b2416d5786d6b79186bb7464138535455836ceb1f6598e2573e72aeeb112

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    Filesize

    31B

    MD5

    b7161c0845a64ff6d7345b67ff97f3b0

    SHA1

    d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

    SHA256

    fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

    SHA512

    98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Filesize

    61KB

    MD5

    a6279ec92ff948760ce53bba817d6a77

    SHA1

    5345505e12f9e4c6d569a226d50e71b5a572dce2

    SHA256

    8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

    SHA512

    213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Filesize

    184KB

    MD5

    7fee8223d6e4f82d6cd115a28f0b6d58

    SHA1

    1b89c25f25253df23426bd9ff6c9208f1202f58b

    SHA256

    a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

    SHA512

    3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

    Download Submit

  • memory/324-93-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/324-84-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/752-48-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1252-188-0x0000000004160000-0x0000000004168000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-138-0x0000000004630000-0x0000000004638000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-115-0x0000000004500000-0x0000000004508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-117-0x0000000004630000-0x0000000004638000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-42-0x0000000000400000-0x0000000000644000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1252-85-0x0000000004790000-0x0000000004798000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-94-0x0000000004500000-0x0000000004508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-193-0x0000000004390000-0x0000000004398000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-140-0x0000000004500000-0x0000000004508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-79-0x00000000043C0000-0x00000000043C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-179-0x00000000040A0000-0x00000000040A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-180-0x00000000040C0000-0x00000000040C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-87-0x0000000004690000-0x0000000004698000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-191-0x0000000004170000-0x0000000004178000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-192-0x00000000042F0000-0x00000000042F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-107-0x00000000041E0000-0x00000000041E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-194-0x00000000043A0000-0x00000000043A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-195-0x0000000004300000-0x0000000004308000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-130-0x00000000041E0000-0x00000000041E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-208-0x00000000040C0000-0x00000000040C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-216-0x0000000004300000-0x0000000004308000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-218-0x0000000004330000-0x0000000004338000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-80-0x00000000043E0000-0x00000000043E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-76-0x0000000004280000-0x0000000004288000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-74-0x00000000041E0000-0x00000000041E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-73-0x00000000041C0000-0x00000000041C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1252-61-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1252-67-0x00000000036F0000-0x0000000003700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1252-43-0x00000000001C0000-0x00000000001C3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4676-53-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4676-57-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download