General

  • Target

    JaffaCakes118_52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

  • Size

    25.1MB

  • Sample

    241223-zqgrqs1mbl

  • MD5

    5b63fca9fbb0bcda4badfc4a6e279320

  • SHA1

    9d1929b69f7979e25cd0442920205e69d0ca7b95

  • SHA256

    52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

  • SHA512

    62ded3130f67a24125af4c6f17def7bed7113858d93d7b638206e6e743d0f64f27c2d497354a39d06067c99ea280f8a73772788315d945c362c9afe00f9ac57a

  • SSDEEP

    393216:1OWoxUoEk06LJgXm2h/3t3hkZeiF51cFT1luXxdjkHJZ7JjuaQdYXVxWkNvnuiKy:oZuutgxhPXgF5QARS5NuvdQUFow+Cfwh

Malware Config

Extracted

Family

privateloader

C2

http://212.193.30.45/proxies.txt

http://212.193.30.29/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

212.193.30.21

Attributes

  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Targets

    • Target

      0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69

    • Size

      1.3MB

    • MD5

      563e2effa75ec32e724d935dd158da1c

    • SHA1

      3160e721f09618f03a1caf7b5864ca67f49d5602

    • SHA256

      0400b38bff44e2b0ba89f392af3ec1febbe980255086e3d21ca375f8742b0a69

    • SHA512

      e1d99dd4b9471d2010a9a2e4b41aee5faa3a2da725e9a41f25dadf95fd2949e4a405ed77bfc922fcfca5e00e9a52eb74ca89a55098015f5ae1037628fa2308d1

    • SSDEEP

      24576:pXDK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:pGLNiXicJFFRGNzj3

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477

    • Size

      1.3MB

    • MD5

      b946a6b2d9d4e788b463f98a696b52f8

    • SHA1

      233b6bd380abe1e04f7db1a6585f3593a94040db

    • SHA256

      08577362fde99723e8821dda6871a3ea10d41ff7e7840b89458ca6813db84477

    • SHA512

      577b31191976840f339ae76492c502614d23a369ad9b0a5db1ec982dc5b17c6724183e13095b6c5647bbb43723fd8cc52a9868200ff06b62ded1a00db8bba3dd

    • SSDEEP

      12288:rXOiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:T4/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0

    • Size

      1.3MB

    • MD5

      501e276d8b78aae316630f118fc794c1

    • SHA1

      b4c77f49d5021dfc59a845ab9b0d50d05649748e

    • SHA256

      0b0f1d67f69a4c98db74330aced27c3de03745796ab86fc1edfc79cc6d6d79b0

    • SHA512

      1f95ddb6685c21851548a1a999605d9e17020237f9e9359373ca05dae628b35baa20ab6c5fedca3682a52179bce8cd8084617068284c3785d03a3b2fc56a3241

    • SSDEEP

      12288:BBniJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:XT/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      12fc2e604cb1785f16d728b8e74ef1a2405891bd94202aaa0c87d87638edd840

    • Size

      1.2MB

    • MD5

      762a56d0ece593b756e330372b969904

    • SHA1

      9daa0637bcdc95e172a13d4a06e90676ac3ae3c7

    • SHA256

      12fc2e604cb1785f16d728b8e74ef1a2405891bd94202aaa0c87d87638edd840

    • SHA512

      9cfbe176cafcfe5723b3e1daa9f2d37ce0cec7dbdcf75615ef497095d9b671c779d8949b790fcc660a86479641c21a225f2f44c22d0fe8d2b4076c8035a9e08b

    • SSDEEP

      12288:F5EXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:rEsqjnhMgeiCl7G0nehbGZpbD

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3

    • Size

      1.6MB

    • MD5

      8a94c8155c324d52442d6d6164691175

    • SHA1

      ae67f239d02b506b03da027f873abdf6b58707be

    • SHA256

      1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3

    • SHA512

      e88b8ead2c5762476824026ecd934432eb9c0233e368fb22072fc9ffae30e4dee20c52040035ef3f0c84b11dd4016f480de4fc424375de0c12ddaf97c88fe641

    • SSDEEP

      24576:bbAZEOK4aS70yJi/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:fAZEbppyoLNiXicJFFRGNzj3

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43

    • Size

      2.6MB

    • MD5

      ac61bf11750f832e0bdfad0586636219

    • SHA1

      503e037dc47f53c8f8d670548013c81f69a51707

    • SHA256

      21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43

    • SHA512

      2a1ea73fa22efd35c2a17dd5a6f3e7724103c9d7ff4e0c41a1bb973ff55ba63f4d3ea52283a495ea68848495be29a165a8517b7d6c9cfdf8779650f795beecdf

    • SSDEEP

      49152:hrEOLD0xg+aJVXfxu3Eosp/qw7RV+uY/bLNiXicJFFRGNzj3:C2lJtosp/qw7ybb7wRGpj3

    • Detect Fabookie payload

    • Fabookie

      Fabookie is a Facebook account info stealer.

    • Fabookie family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab

    • Size

      1.3MB

    • MD5

      8cc353c3520837897bd84e5b12172cb9

    • SHA1

      41424ee8bcdb2cafe9914cd2a6df29a9a7fa8feb

    • SHA256

      2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab

    • SHA512

      9288c0c8a8924bac30748c6c3e436b46b93d42292745ed5ce667aeab7bc49c156706421b51823d50e48b9e84aa712fa46edb940ca5e8d27a36c34c30f0683106

    • SSDEEP

      12288:CFeiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:C6/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508

    • Size

      1.6MB

    • MD5

      868bfdf4196d2b563cda87412e5f1c7a

    • SHA1

      73068ee0a0ca192c1d3a7b48fddd5418a2879c98

    • SHA256

      38d5cf2bdcab25afb95cda0fd3abc7911469a4c4442966b941e930947099f508

    • SHA512

      0371555c5df19464b8c182165831efa60cbd8300cffd612bda7fa905e1d2331fa59bb59acd878ce977ec44ae032134ee9c24a9b29c5cf95d3b27a583d2af01a0

    • SSDEEP

      24576:Wxozmm5K5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:a5LNiXicJFFRGNzj3

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Target

      3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb

    • Size

      1.6MB

    • MD5

      134f063d7cd47ec9ca2af5739d0822ba

    • SHA1

      5ef164a30fc13d7681b809a999f202ce8b4ee411

    • SHA256

      3c59836d51379ebb763312245230900e181afa69064f6c8c999f1bf0d7672feb

    • SHA512

      3bd1092da887c23ed2e663cd211a915b19a974ef4b17c368cf90ef781795345ff0827bd7abfeae111a6ffc00d34b7bee5a65d535131b083e855d3c9737618ffc

    • SSDEEP

      24576:6xozmm5K5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:e5LNiXicJFFRGNzj3

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Target

      498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a

    • Size

      1.7MB

    • MD5

      2402ac523f9a0d195ebff1d49b320747

    • SHA1

      478adb9d6c0b62999841420f6bbb14cac74cbdf2

    • SHA256

      498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a

    • SHA512

      54f6a81e0f5a9fe190d4a902b32fa21dde5f4e86d1585e755bebb944facb21dfce44a6432d1c01158a6d29b2ba248707d66236ade3b777541e500b0b6cee917e

    • SSDEEP

      49152:9vGC97fBQX1DP0ZkjeZRULNiXicJFFRGNzj3:tGCRfBC70ZkjH7wRGpj3

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8

    • Size

      1.1MB

    • MD5

      83d50ee2af5a65dbef525712ec933ddf

    • SHA1

      302aee694fe15fd34ad6a66cd505d4596fe7445b

    • SHA256

      666cdaf066bdff233bc4dc1673a8580d8dfc2d1ba893d8bb78f6b8cd511f33f8

    • SHA512

      4bcda9b9a1357ff4aefd642698a090b7f670fc1013bb5579f74d7df81adae8ea521c2277d1bfdb3da8c5aa7931ea20855ecf82caf90ae03040dfc2031353469c

    • SSDEEP

      24576:WkXAeB8AeBWsqjnhMgeiCl7G0nehbGZpbD:rRB8RBaDmg27RnWGj

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a

    • Size

      1.5MB

    • MD5

      0ea25a7a4350da5801c283d765825f2b

    • SHA1

      c0716d04af43cd08390e718338eeb97aba2be554

    • SHA256

      6a426d2bbc5b6c93082546d8098bbee627b97595ddefd07f06f7c94da0e14a1a

    • SHA512

      57701024086251b20f682fc60440ddd780bada4a4bf74d4ab0fde75165a5bee1ab43d977f5102644e77ffc77c781c6fd1c79e169fd2b8e0d7bcd9aa7b51f2ced

    • SSDEEP

      49152:DAOCsqoYbErLkxejJT/+EGq4xWhivPdOOq:HYbEPjJbYEhK

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698

    • Size

      1.6MB

    • MD5

      5a11fb5b1629953f5596afa597206766

    • SHA1

      cec4013f6f92da0be219016190b2929015a7b913

    • SHA256

      72606a3ad198f24ee496d3f483c193121f4d9b895ac6880dda8e6406e8d16698

    • SHA512

      c3f3e32bf8e3c5965af914c5119561bab58cd06464fc84ad4e42aed1d1d6df591b5fbfec9517f30c0c1212ebaae866ef07c31f19d495dcb02849c5c2d5a86a6e

    • SSDEEP

      49152:3eGRE7Oseh/izLHkJErZI79LNiXicJFFRGNzj3:vWOs8MD3C7wRGpj3

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60

    • Size

      1.6MB

    • MD5

      74c528d588767e6c126c440d3b8373a9

    • SHA1

      1ba260756607900e70d6d7d0c45cb3b72d7c1e19

    • SHA256

      72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60

    • SHA512

      2989be602deacd4ee7d19295404118f33b8400ed57a3d9682bec805ab689f9ffc53f1d530fb2b08aee3603fdaf3ddc7735b39633b361797fa3739a2a152a887d

    • SSDEEP

      24576:S7ww87NKA/lu60S/wOBlka+MsWQF6BGqc281DWheBvPMGjOOl:iwtNf9/0SJBlkU/+EGq4xWhivPdOOl

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Target

      743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9

    • Size

      3.1MB

    • MD5

      099e791b966de283d228c2a69b1e6297

    • SHA1

      6773f5d3c1af4641de7221aa3089e4d0c36932c5

    • SHA256

      743f0e2d18f4945d7e58bc594c448fd1540e31ffcf07fbb85b90e15d5593a8a9

    • SHA512

      6cfad4c213b0f2c126475601cbd6d514c292a987a4d912064b04aed4d9ff2dcf67758d31a610553c95b8f6c7021001ec05f0cefff95a0c16edd2a000b890300d

    • SSDEEP

      49152:IXd0uVs7O9REWcUzEmJ4KlZehXuABiFCQf8LnzaKqv9imFvzzEuDLNiXicJFFRGN:Im22Y0uxf8LnzaBZFvMa7wRGpj3

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90

    • Size

      1.2MB

    • MD5

      71b625de639825efa82e6e30d5e23bcc

    • SHA1

      5f9605a7535173a804faf070f7a4de15dab9f50a

    • SHA256

      7ac9ad7a4af22b95852904323573d0774aa8b5d66f3a8b76ce9614e4fd965e90

    • SHA512

      13f3089f3c9e490711d87d792769cdd862ec0cdc8888248df33628482ad381f61a150d4338ebd928fa204221cff242e985689b945fc3c41ddd90d4556ccab835

    • SSDEEP

      12288:2iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:A/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

  Task           Tags                                               Score
  static1        loader, fabookie, privateloader                    10/10
  behavioral1    discovery, spyware, stealer                        7/10
  behavioral2    discovery, spyware, stealer                        7/10
  behavioral3    discovery, spyware, stealer                        7/10
  behavioral4    discovery, spyware, stealer                        7/10
  behavioral5    discovery, spyware, stealer                        7/10
  behavioral6    discovery, spyware, stealer                        7/10
  behavioral7    discovery, spyware, stealer                        7/10
  behavioral8    discovery, spyware, stealer                        7/10
  behavioral9    discovery, spyware, stealer                        7/10
  behavioral10   discovery, spyware, stealer                        7/10
  behavioral11   fabookie, discovery, spyware, stealer              10/10
  behavioral12   fabookie, discovery, spyware, stealer              10/10
  behavioral13   discovery, spyware, stealer                        7/10
  behavioral14   discovery, spyware, stealer                        7/10
  behavioral15   discovery, spyware, stealer                        7/10
  behavioral16   discovery, spyware, stealer                        7/10
  behavioral17   discovery, spyware, stealer                        7/10
  behavioral18   discovery, spyware, stealer                        7/10
  behavioral19   discovery                                          7/10
  behavioral20   discovery, spyware, stealer                        7/10
  behavioral21   discovery, spyware, stealer                        7/10
  behavioral22   discovery, spyware, stealer                        7/10
  behavioral23   discovery, spyware, stealer                        7/10
  behavioral24   discovery, spyware, stealer                        7/10
  behavioral25   discovery, spyware, stealer                        7/10
  behavioral26   discovery, spyware, stealer                        7/10
  behavioral27   privateloader, discovery, loader, spyware, stealer 10/10
  behavioral28   privateloader, discovery, loader, spyware, stealer 10/10
  behavioral29   discovery, spyware, stealer                        7/10
  behavioral30   discovery, spyware, stealer                        7/10
  behavioral31   discovery, spyware, stealer                        7/10
  behavioral32   discovery, spyware, stealer                        7/10