fabookie

General

Target

JaffaCakes118_e4c99dcc117b45dbd02c49723df0e5da
Size

3.9MB
Sample

250204-qd3c8sylek
MD5

e4c99dcc117b45dbd02c49723df0e5da
SHA1

9b31d81aa541f473360574fdbdd86aca2201033a
SHA256

5bfb87691070668037df7a6bc1eac92bdb683ada3159b83c136146632835cb7f
SHA512

2dc09c62ded7a3ce56b7584b2aeec228f9d7a26a1516b3d31af245c7f3513fcdb7da13cf7e47695390ee2ea02bbe5c5523c8c3f1a8780a3a6834de2e6cd416b5
SSDEEP

98304:Jm5tMCL1IVwr6K1JbcJSAzjznJQP2mHIb5cDXLqA9Nrq:J47X6mcLz/nJZmob5cDJvq

Score

10^/10

Malware Config

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

nullmixer

C2

http://marianu.xyz/

Extracted

Family

redline

Botnet

media21

C2

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

sehrish2

C2

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

ChrisNEW

C2

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Targets

- Target
  
  JaffaCakes118_e4c99dcc117b45dbd02c49723df0e5da
- Size
  
  3.9MB
- MD5
  
  e4c99dcc117b45dbd02c49723df0e5da
- SHA1
  
  9b31d81aa541f473360574fdbdd86aca2201033a
- SHA256
  
  5bfb87691070668037df7a6bc1eac92bdb683ada3159b83c136146632835cb7f
- SHA512
  
  2dc09c62ded7a3ce56b7584b2aeec228f9d7a26a1516b3d31af245c7f3513fcdb7da13cf7e47695390ee2ea02bbe5c5523c8c3f1a8780a3a6834de2e6cd416b5
- SSDEEP
  
  98304:Jm5tMCL1IVwr6K1JbcJSAzjznJQP2mHIb5cDXLqA9Nrq:J47X6mcLz/nJZmob5cDJvq
Score

10^/10

fabookie nullmixer privateloader redline socelars chrisnew media21 sehrish2 aspackv2 discovery dropper execution infostealer loader spyware stealer
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1