fabookie

Sharing

General

Target

JaffaCakes118_1af039b45840346b46a0552781a6fcc4e53262ceb0297e743a331d37ae402434
Size

10.2MB
Sample

241229-11j6aayjc1
MD5

8ae98d71bf3ec91314feb236a97ebf47
SHA1

52f1ef5e81f8ff37717c046716cefddaffde460f
SHA256

1af039b45840346b46a0552781a6fcc4e53262ceb0297e743a331d37ae402434
SHA512

e938723636104b7813a4fde97c32225b6c250d2d7c38882be55ad8ead81e6bf86e53a9cd81a7a8b3ae2f79691be3dae8923cf74d8aa952c194631d98fce1167b
SSDEEP

196608:B/uSml8bv4NhBUSJC/FK1FvgoBgpvidvKr6phW0lFso5M66AWFt8Wn0uoTfgb4A:BWSmlgv2hBUKqK1MpqdW6OeFso5d29+4

Score

10^/10

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Extracted

Family

nullmixer

http://623f4ec578a9a.com/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

gcleaner

appwebstat.biz

ads-memory.biz

Extracted

Family

smokeloader

Botnet

pub3

Targets

- Target
  
  7zS8B74BEBB/623f4ec66a5ad_Sat1734f544217.exe
- Size
  
  20KB
- MD5
  
  98c3385d313ae6d4cf1f192830f6b555
- SHA1
  
  31c572430094e9adbf5b7647c3621b2e8dfa7fe8
- SHA256
  
  4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
- SHA512
  
  fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff
- SSDEEP
  
  384:ZHFSmDBYgUHtCmYgg7mcdkLR1Z4xjUOGMAxYr6+A9PfnfL:mmdZUsmY761Z+UOG/xPj3D
Score

6^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral1 behavioral2
- Target
  
  7zS8B74BEBB/623f4ec77fd3f_Sat1772aefb.exe
- Size
  
  151KB
- MD5
  
  b577af6c9338bcbe487d0fe020a3c2f6
- SHA1
  
  8d64719d7e8f9b99a1dc6e72a604d29ee8539f49
- SHA256
  
  5845fc002f43c7fb90f2809c5b8af71c2edef9ccb0e244966ce765868aaaf7d8
- SHA512
  
  b1a48a457c0a4bc9d5e0e5dc68676941d1ecb1e356a7be8100dc1945e146372d300254baa30ec7306cfa1f36dae8f9a467716909a43330b8809562a254d7296c
- SSDEEP
  
  1536:1k/QfYmlz//qf/631jmIeP/hbNk64iH/k/bFA:1k/42yFahbuFW
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  7zS8B74BEBB/623f4ec86395b_Sat173c84b551.exe
- Size
  
  376KB
- MD5
  
  81cf5e614873508b9ecba216112c276b
- SHA1
  
  cb3115f68ffe4f428fc141f113dff477530f17fb
- SHA256
  
  fae5984ff3106551dddee32196332ab4b9cabfe40476b80dd5aa8e1c9fcba413
- SHA512
  
  48fba232d56c6acd0a3e97a64d096a6782000cc4d6d34f7d2379a54e6339bf373c14e95ba966a1fd8ecc05582cfad4e9dea6d61bb5492a570fdc1f637db7d29f
- SSDEEP
  
  6144:fZCOgQkBoO6Znv6wbQPwyilmbnBpUn4iwKnlAMEPh:bki3bQPwyNLQn4iwKnnEPh
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6
- Target
  
  7zS8B74BEBB/623f4eca3de95_Sat17334d36c.exe
- Size
  
  1.5MB
- MD5
  
  fc85547093253980b33b54219d28d736
- SHA1
  
  da6868bf22cf6d90ed4eac4f999784853a6a6120
- SHA256
  
  baaff6a861982a9eafdc8a4f59f2404e55e589ac509813b3782315aad744baec
- SHA512
  
  370c7276703706b969c5c5061a8ab18dd07a257882a09d674223513875924455466067000e994f326198ae783440967acda9d4c51a105b1991134e3088cd8003
- SSDEEP
  
  24576:84nXu/QSDTV+Bnvu8t+wqKcGKK0YF1I8Po3kJy5pIz0frpuIBpG2OBtSWd6+u:8qeNVCiGJ0YF1I8P7Jop40jpv6gWq
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral7 behavioral8
- Target
  
  7zS8B74BEBB/623f4ecc3aad7_Sat17f86f68979.exe
- Size
  
  228KB
- MD5
  
  a4181bc7ade6657765e2d05c20dfc649
- SHA1
  
  f0c9df96d51c09831796922295bbd2cefa84c37d
- SHA256
  
  b25440fbf446a330127191b658cd59aa87d364052686b5f052014fc0cfc01327
- SHA512
  
  14539e03023c5efccec8a6e52cfcd9db71b49f025d27c6f22e6860b2b06306d03be057eb3c5c0c00e5210d4ba99dd73ff0dac7110511099c6236dd4f52258aa7
- SSDEEP
  
  1536:wJ6uT3/EV+126yHjwtKK5dspuywPhGEYbRfNUv7+WL7VwViMChkxz59HBnrzRC:wJ6y3UBHxP6GEYbRVw9/OVka559hrE
Score

10^/10

smokeloader pub5 backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
behavioral10 behavioral9
- Target
  
  7zS8B74BEBB/623f4ecdc319c_Sat17f45527bef2.exe
- Size
  
  1.7MB
- MD5
  
  48a5fe66b801ad59001120e246699500
- SHA1
  
  786d91aa7794168726f59367faa8219602bc8b07
- SHA256
  
  09d03b3e4e47150a76db5e3ff7e1a562190643b2afcbbbabc88b402f7139c510
- SHA512
  
  aced1afaeb821073cb69dade636e4bb419a933a3fb754bdb7ca9c97cff218d8e744453fb5e7ef68fcf493e29e35ed92eef006e45ecb5e5adf92c718549f40a01
- SSDEEP
  
  49152:bRxy/f6sRJOTd3Zvun/73iZlLKFmvL+Cycn:bRA36EJ6dJGLizLacX
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  7zS8B74BEBB/623f4ee48c005_Sat17a6fc071121.exe
- Size
  
  372KB
- MD5
  
  ba0bb9efa33cf4eb238cec78dc15172b
- SHA1
  
  0f49a73c90f4f00428ae9f41c3cc8d8bb3544209
- SHA256
  
  65bf24adac4f57d046f62c773ece38cdd1ac6fe98959daa513acaca060be89f5
- SHA512
  
  2326a681fb14a906bb22b0f6e7646f969b8a0d666c93e6f42c836ac3e40cb082f5f2aa2ea03f7640613329c1959c42528a8c6fdaddbe6c47447bf701fc42607a
- SSDEEP
  
  3072:tXKyEogBJsRga8fdpD4r2eqX0M897Tqcm77A9pAYzBwtz/Dlq84rN27H/C9Mf5sN:tgJemFdpD42X0M89xAKBIrDikTc
Score

10^/10

gcleaner onlylogger discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- OnlyLogger payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral13 behavioral14
- Target
  
  7zS8B74BEBB/623f4ee614d64_Sat17bf153ed.exe
- Size
  
  3.8MB
- MD5
  
  a128f3490a3d62ec1f7c969771c9cb52
- SHA1
  
  73f71a45f68e317222ac704d30319fcbecdb8476
- SHA256
  
  4040769cb6796be3af8bd8b2c9d4be701155760766fddbd015b0bcb2b4fca52a
- SHA512
  
  ccf34b78a577bc12542e774574d21f3673710868705bf2c0ecdf6ce3414406ec63d5f65e3ff125f65e749a54d64e642492ee53d91a04d309228e2a73d7ab0a19
- SSDEEP
  
  98304:6rCZXbwQi67oCEiTCtdHVyfp9WHxjYUiqfb6A3:6exNi678iWrgp9WRjd/P3
Score

10^/10

fabookie spyware stealer vmprotect
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  7zS8B74BEBB/623f4ee7540ef_Sat1772b105d2a.exe
- Size
  
  228KB
- MD5
  
  1d9df64c4ae08e479b6ad3832aef8169
- SHA1
  
  4eb135e19b5731ae9169a3857ae3164cbba18bda
- SHA256
  
  56decc8a1e1898a1b2048f69345d08ae2b754b204056bac1a1567500e9852f47
- SHA512
  
  d4256b9cb1cc926a5ed181c5f5d351974d96fad51095e0caf6a6439d57e83f81a882db2dd737cd0e93beca65830769baf1024c321d3edcba09f0f4ebc04f0be5
- SSDEEP
  
  3072:a06l3jejxc4dJPWBPJbRX5SOn59wwlxV4Fw:f6wfbPwR/DwwlwF
Score

10^/10

smokeloader pub3 backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  7zS8B74BEBB/623f4ee864d35_Sat17400b6f.exe
- Size
  
  383KB
- MD5
  
  98362f1952eb1349f17f77bb70a9fbcc
- SHA1
  
  e8a2273215c3cea3100fa40536b0791fea27af8f
- SHA256
  
  9aa8aeb0262bc901878bda3a41b6ac7f727f1c3fe4e7bb9afa0000c371750321
- SHA512
  
  6faceb7a7d6c0b3d7ebd8afbd2e4dcfb95a6407bb4acf1012d50f462713b8f34adf51c2dc7f82281a6b84dfcb8bc0cbea68318f12ad9ad95558b9361500e0679
- SSDEEP
  
  6144:G/QiQXCIDm+ksmpk3U9jW1U4P9bfibKvjMV5QsWs3YEyeHAZYFYNMJ2ZDpgqXMWA:+Qi3I66m6URA3Ph+Ko5oegWqNMyGqhty
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral19 behavioral20
- Target
  
  7zS8B74BEBB/623f4ee97f2a0_Sat170aca8c6fbd.exe
- Size
  
  1.6MB
- MD5
  
  79c79760259bd18332ca17a05dab283d
- SHA1
  
  b9afed2134363447d014b85c37820c5a44f33722
- SHA256
  
  e6eb127214bbef16c7372fbe85e1ba453f7aceee241398d2a8e0ec115c3625d3
- SHA512
  
  a4270de42d09caa42280b1a7538dc4e0897f17421987927ac8b37fde7e44f77feb9ce1386ffd594fe6262ebb817c2df5a2c20a4adb4b0261eae5d0b6a007aa06
- SSDEEP
  
  49152:s40YkiHnp8AC4JmxXhodeooykAx2vcSfg:s4RkiHnKL4JmxXhoTdoFo
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  7zS8B74BEBB/623f4eeb25e05_Sat1728a2b93.exe
- Size
  
  1.7MB
- MD5
  
  4f5c47181c5db3fa0957b1731c956a8e
- SHA1
  
  d581c3763e9594907b7405ecdb94771fc3ddde01
- SHA256
  
  d68067ed197a8d8b8795ffd242ac5ce777d98d3f539c3f1101e4c9c4c4bcbf50
- SHA512
  
  5b6812f3d414fa1d9635c66f36c95f4e3a6a7f997e45f974ab24e4120ce830732109ca27dbf362086e9d721a0bc279fcbadae1ee4df506d7d2554ec16bb2952e
- SSDEEP
  
  24576:oKAgpBGV2HpWHuREjDnI2AuADZ8KvqC75H2dtDPc/EJKFY/fwg:mgpG57R8InDPcsJKi/fwg
Score

10^/10

socelars discovery spyware stealer
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
behavioral23 behavioral24
- Target
  
  7zS8B74BEBB/libcurl.dll
- Size
  
  218KB
- MD5
  
  d09be1f47fd6b827c81a4812b4f7296f
- SHA1
  
  028ae3596c0790e6d7f9f2f3c8e9591527d267f7
- SHA256
  
  0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
- SHA512
  
  857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
- SSDEEP
  
  6144:Kk3jgivfCVSRrLV7yAVzKZIjCbanUKWw+ba//PXHUo:30iH0iVPVzKOOunLWf2//0
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  7zS8B74BEBB/libcurlpp.dll
- Size
  
  54KB
- MD5
  
  e6e578373c2e416289a8da55f1dc5e8e
- SHA1
  
  b601a229b66ec3d19c2369b36216c6f6eb1c063e
- SHA256
  
  43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
- SHA512
  
  9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
- SSDEEP
  
  768:W//WT2mbP+7x4Mx5KzVAn/QqvtdZs8LlR67diTNh4joK7qmQhyOl4UuGoxX9j3D:WHIK1R2VA/Qqvtzz67dbn1QhyOl4UuD
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  7zS8B74BEBB/libgcc_s_dw2-1.dll
- Size
  
  113KB
- MD5
  
  9aec524b616618b0d3d00b27b6f51da1
- SHA1
  
  64264300801a353db324d11738ffed876550e1d3
- SHA256
  
  59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
- SHA512
  
  0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
- SSDEEP
  
  3072:nti6N0WeF35Ro7hAWP6cagLSuf6LG3qSbKE4M:ti6N2F33wGJVuHuE
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  7zS8B74BEBB/libstdc++-6.dll
- Size
  
  647KB
- MD5
  
  5e279950775baae5fea04d2cc4526bcc
- SHA1
  
  8aef1e10031c3629512c43dd8b0b5d9060878453
- SHA256
  
  97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
- SHA512
  
  666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
- SSDEEP
  
  12288:ZGRoW1chMjnv+gvJhb6bmpPSmCnh4o0v4Mc2jTrKoDSwq/3PmkfT4CmwcMcP1uE:uowcmBhKmlC4o0v4k1
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

SmokeLoader

Smokeloader family

Checks computer location settings

Loads dropped DLL

GCleaner

Gcleaner family

OnlyLogger

Onlylogger family

OnlyLogger payload

Checks computer location settings

Deletes itself

Detect Fabookie payload

Fabookie family

Reads user/profile data of web browsers

VMProtect packed file

Looks up external IP address via web service

SmokeLoader

Smokeloader family

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Socelars

Socelars family

Reads user/profile data of web browsers

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32