Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Fabookie

132
Global rank
159 infographic chevron month
Month rank
143 infographic chevron week
Week rank
0
IOCs

Fabookie is an infostealer malware that was first observed as early as October 2021. The threat is known for targeting account credentials of Facebook users. The collected information is then sold by the attackers to other criminals. Fabookie is often distributed via loaders such as SmokeLoader.

Stealer
Type
Unknown
Origin
1 October, 2021
First seen
17 May, 2025
Last seen

How to analyze Fabookie with ANY.RUN

Type
Unknown
Origin
1 October, 2021
First seen
17 May, 2025
Last seen

IOCs

IP addresses
95.86.21.52
213.6.54.58
201.119.15.212
109.73.242.14
187.140.86.116
187.134.87.130
95.154.196.56
5.42.78.22
181.230.206.248
189.143.158.99
179.43.155.195
183.100.39.157
190.219.153.101
79.137.205.112
104.47.53.36
193.106.175.148
187.204.8.141
201.124.98.97
60.246.82.1
37.34.248.24
Domains
carrieremaken.com
adriaenclaeys.ta.imgjeoogbb.com
ww.hackacademy.me
nordskills.eu
apps.ecrubox.com
clicktotrust.com
astoriaresidency.com
as.imgjeoigaa.com
9e4491e7-99ad-40dd-9249-b07029fc7dd4.uuid.cdneurops.shop
paraslegal.com
zaoshanghao.sucvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onioncommonpro
580af1f8-4a49-4f1b-b74f-2aa299655155.uuid.zaoshanghao.su
erpibex.com
zaoshanghao.sucvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onion
server5.mastiakele.xyz
fastprivate.me
duniadekho.barduniadekho.barregqueryvalueexwduniadekho.baruuiduuidpgdsepgdse
duniadekho.barvcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniond
duniadekho.barvcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onion
duniadekho.barvcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.onions-1-5-21-
Last Seen at
Last Seen at

Recent blog posts

post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 411
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 1808
comments 0
post image
Efficient SOC: How to Detect and Solve Incide...
watchers 912
comments 0

What is Fabookie malware?

Fabookie is a malicious software categorized as an information stealer. It primarily targets Facebook Business accounts, aiming to steal sensitive data like login credentials and account information.

This stolen data can then be exploited by attackers for various malicious purposes. Fabookie operates discreetly, running silently in the background without the user's knowledge, making it a significant threat to unsuspecting victims.

Fabookie primarily targets devices running 64-bit operating systems. Security researchers estimate over 100,000 infected machines worldwide, highlighting its widespread reach.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Fabookie malicious software

The primary capabilities of Fabookie include:

  • Credential theft (T1552): Fabookie searches infected machines for saved passwords, browser cookies containing login sessions, and other cached authentication information.
  • System information gathering (T1518): Beyond credentials, Fabookie may gather details about the system it infects. This information, such as installed software and hardware specifications, could be used to further exploit vulnerabilities or tailor future attacks.
  • Facebook Interaction (T1071): Once it acquires credentials, Fabookie interacts with the Facebook API. This allows the malware to extract additional information about the targeted Facebook Business account, including payment methods and account balances.
  • Command-and-Control Communication: The stolen data is then transmitted to a remote server controlled by the attackers.

Similar to other malware families, such as Amadey and RisePro, Fabookie is capable of ensuring persistence on the system by remaining active even after a reboot.

One notable feature of Fabookie is that it exploits .jpeg images to deliver malicious code.

Execution process of Fabookie

Let’s observe the execution process of the Fabookie malware by uploading its sample to ANY.RUN for analysis.

The Fabookie stealer infiltrates systems through various means such as malicious websites or phishing emails. Once installed, it silently collects sensitive information like login credentials and credit card details from the infected device. This data is then transmitted to remote servers controlled by the attackers. To remain undetected, Fabookie employs persistence techniques and may allow remote access for further malicious activities.

In our example, the execution chain of this stealer is straightforward. Once Fabookie initiates its own child process, it proceeds with its malicious activities centered around stealing credentials, cookies, and other valuable information from web browsers. The stealer collects this data and sends it to the C2 (Command and Control) server for remote access and further exploitation.

Overall, the execution chain of the Fabookie stealer is designed to silently compromise systems, steal valuable data, and maintain control for as long as possible without raising suspicion.

Fabookie Suricata rule shown in ANY.RUN Fabookie Suricata rule demonstrated in ANY.RUN

Distribution methods of the Fabookie malware

Attackers employ various ways of distributing Fabookie. One of the most common ones is via special loader malware that first penetrates defense systems of endpoints and delivers Fabookie to them. NullMixer and SmokeLoader are two examples of such loader malware.

Alternatively, Fabookie can be spread through spam emails that are crafted in a way to appear legitimate to users. These emails usually contain phishing links and files which eventually lead to the infection with Fabookie.

Conclusion

Fabookie is just one example of the ever-evolving threat landscape. By understanding its capabilities and implementing these protective measures, you can significantly reduce your risk of falling victim to such attacks and safeguard your sensitive information.

The ANY.RUN sandbox provides a cloud-based environment for analyzing files and links suspected of being malicious. It effectively identifies threats like Fabookie and generates reports summarizing the detected malware's technical characteristics, including TTPs and IOCs.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Remote Access Trojan screenshot
Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Read More
MassLogger screenshot
MassLogger
masslogger
MassLogger is a credential stealer and keylogger first identified in April 2020. It has been actively used in cyber campaigns to exfiltrate sensitive information from compromised systems. It is designed for easy use by less tech-savvy actors and is prominent for the capability of spreading via USB drives. It targets both individuals and organizations in various industries, mostly in Europe and the USA.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
Wshrat screenshot
Wshrat
wshrat rat trojan
WSHRAT is a Remote Access Trojan — a malware that allows the attackers to take over the infected machines. The RAT has been in circulation since 2013 and it is arguably most notable for the numerous versions released into the wild.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More