BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Fabookie

76
Global rank
86 infographic chevron month
Month rank
85
Week rank
478
IOCs

Fabookie is an infostealer malware that was first observed as early as October 2021. The threat is known for targeting account credentials of Facebook users. The collected information is then sold by the attackers to other criminals. Fabookie is often distributed via loaders such as SmokeLoader.

Stealer
Type
Unknown
Origin
1 October, 2021
First seen
20 March, 2024
Last seen

How to analyze Fabookie with ANY.RUN

Type
Unknown
Origin
1 October, 2021
First seen
20 March, 2024
Last seen

IOCs

IP addresses
38.55.144.23
95.86.21.52
213.6.54.58
201.119.15.212
109.73.242.14
187.140.86.116
187.134.87.130
95.154.196.56
5.42.78.22
181.230.206.248
189.143.158.99
183.100.39.157
179.43.155.195
190.219.153.101
79.137.205.112
193.106.175.148
104.47.53.36
201.124.98.97
187.204.8.141
60.246.82.1
Hashes
4a8b6a3e837ed8d977973cc385a5cda8ef78157994323d152e157eea714d05ad
03a9fa20e85e7be7e3e2920e671dff3630756c594a0823d83426c2dde7775639
b490ef6fbe56b282b90cff8ac0a696a36e3da41399dbc98417abf3ddf4d78bbb
ab6de16c8b725a28c0bb84d4d88daa9a287715c6f42fb1f9949eff2d12f7ddb9
830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
1a5b2d2f557d0233cd3c40eda8d8d2885f2f8ce10947c1507bc644a8a4f4e987
137126a2e955988044abc30c660489a571eb25516b382d8eea0fc208c4145381
e3815234522ee1f479c736d60bc4459b34b64b77bb1f5e13938d8541675fad99
ac4620769b15f5a7ccbeda9891ab788e46fe418e8129b2d54a64452467ac9eb0
9eeb840d780f7288ca7d197cd514a54fbdddc79478c1377d8797277a6192d116
4f2f8e8f530beb89c23e7a43a6a82498bd44739688e273f3ea4e4dde4aea38ed
0dc83df593b8ec9698909683e09059767e7c141a9c3585ea6eafac7f24981a25
d90d6cebf66957466dadc5dd6dc904bfba0fbd48b716c63e41e05f4904ff66b2
714e481ef4e025b0a87867fa9d00a37f3381e9dcda14653d60b8a8fd4aad750f
9370fc68010b3118ac5087385752b63da2cb68554cc465eca0171f4a10cb73f5
73d579e0cd3111f41f834165405d43b14b2a3b4c23f9f30e7d024fa383013827
fdca3a9eff84349214459acb7530451c244a66e5e3347ac8366e22c2bee4a0fd
cdd49cb33511e8f78c0f61246d1dfbe5a8476885d7645b2d2de1c5c00ae29af0
55b9813d1377b90813fee3e75da65c9e66666b48aa0b73676ff9af7b0b87474a
4448d33ea04d326031db5fc3b9738cc7b72dd27e1c1633fd297d9792827cee83
Domains
ffdownload.online
carrieremaken.com
adriaenclaeys.ta.imgjeoogbb.com
ww.hackacademy.me
nordskills.eu
admxlogs25.xyz
apps.ecrubox.com
clicktotrust.com
astoriaresidency.com
as.imgjeoigaa.com
server10.cdneurops.shop
9e4491e7-99ad-40dd-9249-b07029fc7dd4.uuid.cdneurops.shop
paraslegal.com
fastprivate.me
zaoshanghao.sucvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onioncommonpro
zaoshanghao.sucvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onion
erpibex.com
580af1f8-4a49-4f1b-b74f-2aa299655155.uuid.zaoshanghao.su
server5.mastiakele.xyz
duniadekho.barduniadekho.barregqueryvalueexwduniadekho.baruuiduuidpgdsepgdse
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q1, 2024
watchers 157
comments 0
post image
Understand Encryption in Malware: From Basics...
watchers 547
comments 0
post image
ANY.RUN for Enterprises: Learn About Our Most...
watchers 298
comments 0

What is Fabookie malware?

Fabookie is a malicious software categorized as an information stealer. It primarily targets Facebook Business accounts, aiming to steal sensitive data like login credentials and account information.

This stolen data can then be exploited by attackers for various malicious purposes. Fabookie operates discreetly, running silently in the background without the user's knowledge, making it a significant threat to unsuspecting victims.

Fabookie primarily targets devices running 64-bit operating systems. Security researchers estimate over 100,000 infected machines worldwide, highlighting its widespread reach.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Fabookie malicious software

The primary capabilities of Fabookie include:

  • Credential theft (T1552): Fabookie searches infected machines for saved passwords, browser cookies containing login sessions, and other cached authentication information.
  • System information gathering (T1518): Beyond credentials, Fabookie may gather details about the system it infects. This information, such as installed software and hardware specifications, could be used to further exploit vulnerabilities or tailor future attacks.
  • Facebook Interaction (T1071): Once it acquires credentials, Fabookie interacts with the Facebook API. This allows the malware to extract additional information about the targeted Facebook Business account, including payment methods and account balances.
  • Command-and-Control Communication: The stolen data is then transmitted to a remote server controlled by the attackers.

Similar to other malware families, such as Amadey and RisePro, Fabookie is capable of ensuring persistence on the system by remaining active even after a reboot.

One notable feature of Fabookie is that it exploits .jpeg images to deliver malicious code.

Execution process of Fabookie

Let’s observe the execution process of the Fabookie malware by uploading its sample to ANY.RUN for analysis.

The Fabookie stealer infiltrates systems through various means such as malicious websites or phishing emails. Once installed, it silently collects sensitive information like login credentials and credit card details from the infected device. This data is then transmitted to remote servers controlled by the attackers. To remain undetected, Fabookie employs persistence techniques and may allow remote access for further malicious activities.

In our example, the execution chain of this stealer is straightforward. Once Fabookie initiates its own child process, it proceeds with its malicious activities centered around stealing credentials, cookies, and other valuable information from web browsers. The stealer collects this data and sends it to the C2 (Command and Control) server for remote access and further exploitation.

Overall, the execution chain of the Fabookie stealer is designed to silently compromise systems, steal valuable data, and maintain control for as long as possible without raising suspicion.

Fabookie Suricata rule shown in ANY.RUN Fabookie Suricata rule demonstrated in ANY.RUN

Distribution methods of the Fabookie malware

Attackers employ various ways of distributing Fabookie. One of the most common ones is via special loader malware that first penetrates defense systems of endpoints and delivers Fabookie to them. NullMixer and SmokeLoader are two examples of such loader malware.

Alternatively, Fabookie can be spread through spam emails that are crafted in a way to appear legitimate to users. These emails usually contain phishing links and files which eventually lead to the infection with Fabookie.

Conclusion

Fabookie is just one example of the ever-evolving threat landscape. By understanding its capabilities and implementing these protective measures, you can significantly reduce your risk of falling victim to such attacks and safeguard your sensitive information.

The ANY.RUN sandbox provides a cloud-based environment for analyzing files and links suspected of being malicious. It effectively identifies threats like Fabookie and generates reports summarizing the detected malware's technical characteristics, including TTPs and IOCs.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy