Extracted

Extracted

Extracted

Extracted

• • Target

    604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f

  • Size

    11.2MB

  • MD5

    92200895f616ac16910f886856792c61

  • SHA1

    e1945d00fd44540dccddddc9ee7e32fcd5c2ecf4

  • SHA256

    604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f

  • SHA512

    44f0b4984d3c0236a38ff84fc1e769f416a451ad9ee589026df8bc3bff4ce59d12397100852d72ce167a71a2d7fcc3cd87b35deaf5649096d56af4c202879753

  • SSDEEP

    196608:J/ggbPTlLv0aitw5r0kPh2Tq9D4pvOGzw7EVVevc7kzquoB3AI:JXTiaim5r082T28BOGIUVx7qxott

  Score

  10^/10

  fabookiegluptebametasploitnullmixerprivateloaderredlinesocelarsmedia24nuser01newaspackv2backdoordefense_evasiondiscoverydropperevasionexecutioninfostealerloaderpersistenceprivilege_escalationrootkitspywarestealertrojan

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba family

    glupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • Nullmixer family

    nullmixer

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Privateloader family

    privateloader

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars family

    socelars

  • Socelars payload

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • System Binary Proxy Execution: Odbcconf

    Abuse Odbcconf to proxy execution of malicious code.

    defense_evasion

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    setup_installer.exe

  • Size

    11.1MB

  • MD5

    532d84cb3e0928c7bedc0a89611837da

  • SHA1

    b7dec859275a299e9c95833be01b055b2f9b91d7

  • SHA256

    9aca2b6f263e24f8161def69b0e8a3a8dbc60bf46ee75714531e7ca09e4e9616

  • SHA512

    c80f46401569b3c20eeeb7225f688e99dc94a70a8caf7200141069c3b43c8df7d4b9846174a22e05a50bd775ebe7342f1f0774b3cf1213f3535ee936e7d85366

  • SSDEEP

    196608:xuLUCgv53pvKiW5+uVS9iCvZ5orwTwLo5N6JPnNdMFxRafcNGm:xWdgvdRlW5+uw9i8Z5orw95QJeRakNGm

  Score

  10^/10

  fabookiegluptebametasploitnullmixerprivateloaderredlinesocelarsmedia24nuser01newaspackv2backdoordefense_evasiondiscoverydropperevasionexecutioninfostealerloaderpersistenceprivilege_escalationrootkitspywarestealertrojan

  • Detect Fabookie payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba family

    glupteba

  • Glupteba payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • Nullmixer family

    nullmixer

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Privateloader family

    privateloader

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars

  • Socelars family

    socelars

  • Socelars payload

  • Windows security bypass

    evasiontrojan

  • Modifies boot configuration data using bcdedit

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • System Binary Proxy Execution: Odbcconf

    Abuse Odbcconf to proxy execution of malicious code.

    defense_evasion

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Manipulates WinMon driver.

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion

  • Suspicious use of SetThreadContext

  behavioral3behavioral4