fabookie

General

Target

setup_x86_x64_install.exe
Size

4.3MB
Sample

250516-el9azawygt
MD5

b4d92f12abd7267cbb53babc853730cc
SHA1

b76c22897084f372f00dad47b9c23cc091c3c9ac
SHA256

e36a88c774d3877d9ed10c3e2417a09c3c86b74f2f8b4d4f2deb39bdc6676b70
SHA512

b67ed64a9f9499e5fedcf891d3caa2f7d83400c90503e4d69f9569c546eab8dfb3773349834c8d0e5229e893ca101cc8075bfe4cbc4b50e6204119c946511be6
SSDEEP

98304:ypj/SfRr+zqm0gMJr/K2vRPli3ob/kwRN6T:yMRr+zv0gMVKQVli4YwRgT

Score

10^/10

Malware Config

Extracted

Family

privateloader

C2

http://37.0.10.244/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Targets

- Target
  
  setup_x86_x64_install.exe
- Size
  
  4.3MB
- MD5
  
  b4d92f12abd7267cbb53babc853730cc
- SHA1
  
  b76c22897084f372f00dad47b9c23cc091c3c9ac
- SHA256
  
  e36a88c774d3877d9ed10c3e2417a09c3c86b74f2f8b4d4f2deb39bdc6676b70
- SHA512
  
  b67ed64a9f9499e5fedcf891d3caa2f7d83400c90503e4d69f9569c546eab8dfb3773349834c8d0e5229e893ca101cc8075bfe4cbc4b50e6204119c946511be6
- SSDEEP
  
  98304:ypj/SfRr+zqm0gMJr/K2vRPli3ob/kwRN6T:yMRr+zv0gMVKQVli4YwRgT
Score

10^/10

fabookie nullmixer privateloader redline sectoprat socelars ani aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  setup_installer.exe
- Size
  
  4.3MB
- MD5
  
  1e69d0519a346199082187244ff95ac5
- SHA1
  
  66033162018ba39eaf93e9bab5deff7c3c1ffb07
- SHA256
  
  9b4d6efda43d3538fc0eced8cafa966c7334137f4a940f7e346dcc42e531c1ef
- SHA512
  
  d31ec0cf5aea27dc2040dc5c541e27ca2ea34960b7fbb3571963f379a061a41cf6ced5a620256e5c1bf5660fa78d8bfad384301808a78fa239bd69a20795a4e6
- SSDEEP
  
  98304:xoCvLUBsg4vNPSNqEgr8f6KpuEyC8qcQFnKkbi0253bXRxalQi9Tj:x1LUCgKNJjq6iuEyfX98QM
Score

10^/10

fabookie nullmixer privateloader redline sectoprat socelars ani aspackv2 discovery dropper execution infostealer loader rat spyware stealer trojan
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Fabookie family
  fabookie
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Detect Fabookie payload

Fabookie family

NullMixer

Nullmixer family

PrivateLoader

Privateloader family

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Socelars

Socelars family

Socelars payload

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Detect Fabookie payload

Fabookie

Fabookie family

NullMixer

Nullmixer family

PrivateLoader

Privateloader family

RedLine

RedLine payload

Redline family

SectopRAT

SectopRAT payload

Sectoprat family

Socelars

Socelars family

Socelars payload

Command and Scripting Interpreter: PowerShell

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks

static1

behavioral1

behavioral2