fabookie

General

Target

e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5N.exe
Size

7.5MB
Sample

241129-p1bcla1jhm
MD5

7e95861bfb9a3eae5a1c0365297ec490
SHA1

458f1b294b7a1ebc5a29030fd066d7124970b251
SHA256

e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5
SHA512

78066b7275328d403e99def49700d34635ad68c190baacf6652509e9403d53035e89f213ceff72ca76fa29673ccb9894ac5c321a18e0508060718432b447573a
SSDEEP

196608:xqwVbwdkjjHPyoXYqMkV3xH6OP5hHnYtmj643Rd:xtBwdG7PDIqtVBHkS

Score

10^/10

Malware Config

Extracted

Family

nullmixer

C2

http://hornygl.xyz/

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

redline

Botnet

media25pqs

C2

65.108.69.168:13293

Attributes

auth_value
e792d0d7a03fceb57d0e07caa26bb34f

Extracted

Family

vidar

Version

49.2

Botnet

915

C2

https://mstdn.social/@kipriauk9

https://qoto.org/@kipriauk8

Attributes

profile_id
915

Targets

- Target
  
  e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5N.exe
- Size
  
  7.5MB
- MD5
  
  7e95861bfb9a3eae5a1c0365297ec490
- SHA1
  
  458f1b294b7a1ebc5a29030fd066d7124970b251
- SHA256
  
  e0cab8a5482851e6f5803e7733f7fbbf0e50fc3b0427b6386c3c4fd99a8d73d5
- SHA512
  
  78066b7275328d403e99def49700d34635ad68c190baacf6652509e9403d53035e89f213ceff72ca76fa29673ccb9894ac5c321a18e0508060718432b447573a
- SSDEEP
  
  196608:xqwVbwdkjjHPyoXYqMkV3xH6OP5hHnYtmj643Rd:xtBwdG7PDIqtVBHkS
Score

10^/10

fabookie nullmixer redline socelars vidar 915 media25pqs aspackv2 discovery dropper execution infostealer spyware stealer
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2