File name:	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.zip
Full analysis:	https://app.any.run/tasks/08944d07-920c-4607-aee7-3298d3caf649
Verdict:	Malicious activity
Threats:	Fabookie is an infostealer malware that was first observed as early as October 2021. The threat is known for targeting account credentials of Facebook users. The collected information is then sold by the attackers to other criminals. Fabookie is often distributed via loaders such as SmokeLoader. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 22, 2024, 10:05:31
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	fabookie stealer payload loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	FC7CC4028B5BB9C5D5EA4D731803BC87
SHA1:	8E67A7365378B049CA42990B6EFB5AE4560C7750
SHA256:	D705BB73BFA982782031FE88B19F1D1AEBF340A6CF206B2A203B90071169D440
SSDEEP:	6144:KLQM6JPBRaTNYfRhtcn51+0WiChi8pW46yjviHyuh:KkPBATm57y1+ji38s46yjaSuh

ZipRequiredVersion:	51
ZipBitFlag:	0x0009
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:05:22 10:04:46
ZipCRC:	0x94647184
ZipCompressedSize:	176443
ZipUncompressedSize:	333824
ZipFileName:	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin


(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.zip
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6444) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

PID	Process	Filename		Type
6236	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\aaaaaaaa[1].jpg		—
		MD5:—	SHA256:—
6236	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	C:\Program Files\Windows Media Player\mpsvc.dll		—
		MD5:—	SHA256:—
6236	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	C:\Program Files\Windows Media Player\wmpnetwk.exe		—
		MD5:—	SHA256:—
6820	SearchIndexer.exe	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb		—
		MD5:—	SHA256:—
6444	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6444.15250\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin		executable
		MD5:A59664F37C25EDAA69C39A65490ED3A9	SHA256:3B50FE74F6B83D53EFAB2EE7E197026977DAC17FDD3302C7DF454FAC19ABB12D
7052	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\xxxxxxxx[1].jpg		image
		MD5:3200DC4E4F84ECA82267063AA1055D0C	SHA256:60EB602D492C656CBCC7BDB8A2520BE9815C4A5F1E21D0435CC2B60819970240
6236	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\xxxxxxxx[1].jpg		image
		MD5:3200DC4E4F84ECA82267063AA1055D0C	SHA256:60EB602D492C656CBCC7BDB8A2520BE9815C4A5F1E21D0435CC2B60819970240
6236	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\123[1].456		executable
		MD5:7B207CE9F9D71DFC2EAA2E959634A54D	SHA256:757AF7A540628004B446117BE432342674F7830FA008F97A5F4A1AC386954BC2
1012	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json		—
		MD5:—	SHA256:—
6236	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	C:\kkxqbh.bat		text
		MD5:DA93AB45D66917DED40DC4A6D4EAC550	SHA256:281824120CE3FC3BAD1F7035C2FEEB127B93D7481112A71571F931FC009E387C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	95.100.146.17:443	https://r.bing.com/rb/17/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DygxeIQBhwGKAYEBe369AcABMbABMcMB&or=w	unknown	—	21.3 Kb	—
—	—	GET	200	95.100.146.17:443	https://r.bing.com/rb/1a/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B68CP54ChwFZWbkC&or=w	unknown	—	5.88 Kb	—
7052	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	GET	200	103.146.158.221:80	http://sta.alie3ksgee.com/xxxxxxxx.jpg	unknown	—	—	unknown
6236	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	GET	200	103.146.158.221:80	http://sta.alie3ksgee.com/xxxxxxxx.jpg	unknown	—	—	unknown
—	—	GET	200	95.100.146.35:443	https://r.bing.com/rb/3J/ortl,cc,nc/4-xJy3tX6bM2BGl5zKioiEcQ1TU.css?bu=A4gCjAKPAg&or=w	unknown	—	15.5 Kb	—
6236	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	GET	200	103.146.158.221:80	http://sta.alie3ksgee.com/aaaaaaaa.jpg	unknown	—	—	unknown
—	—	GET	200	95.100.146.35:443	https://r.bing.com/rb/6t/cir3,ortl,cc,nc/nKv8Dr5AaiEnGKVhQG5dLl1N7PA.css?bu=MbEKqwq3CqsKmwurCqELqwqpC6sKsAurCrYLqwq8C6sKwgurCskKqwrPCqsKwwqrCqsKkgurCt4KqwrkCqsK2AqrCuoK9Ar3CqsKqwqPC_0KqwqDC4YLqwrsC6sKyAurCpoM&or=w	unknown	—	443 Kb	—
—	—	GET	200	95.100.146.34:443	https://r.bing.com/rb/6t/ortl,cc,nc/JmfAIE20nOCyQ3TY7bnLsgT0ICc.css?bu=CYcMqwqMDKsKkAyrCqsKqwqrCg&or=w	unknown	—	428 Kb	—
—	—	GET	200	95.100.146.18:443	https://r.bing.com/rb/6t/ortl,cc,nc/QNBBNqWD9F_Blep-UqQSqnMp-FI.css?bu=AasK&or=w	unknown	—	6 b	—
4680	SearchApp.exe	GET	200	95.100.146.8:443	https://r.bing.com/rp/1Sd5265G8OlnRColAI8O_SxSQ1Q.br.js	unknown	text	123 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
4364	svchost.exe	239.255.255.250:1900	—	—	—	unknown
1324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	184.86.251.27:443	—	Akamai International B.V.	DE	unknown
5140	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3396	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4680	SearchApp.exe	184.86.251.9:443	—	Akamai International B.V.	DE	unknown
7052	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	103.146.158.221:80	sta.alie3ksgee.com	YISU CLOUD LTD	HK	unknown
5456	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
sta.alie3ksgee.com	103.146.158.221	unknown
login.live.com	40.126.31.67 20.190.159.68 40.126.31.73 20.190.159.71 20.190.159.4 20.190.159.64 20.190.159.75 40.126.31.71	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	23.211.9.92	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
go.microsoft.com	2.19.246.123	whitelisted
cl.alie3ksgff.com	149.28.212.217	unknown
myxqbh.top	182.108.14.161	unknown

PID	Process	Class	Message
7052	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.exe	A Network Trojan was detected	SUSPICIOUS [ANY.RUN] Suspicious User Agent HTTPREAD
—	—	A Network Trojan was detected	PAYLOAD [ANY.RUN] Win32/Fabookie Jpeg Embeded Payload
—	—	A Network Trojan was detected	SUSPICIOUS [ANY.RUN] Suspicious User Agent HTTPREAD
—	—	A Network Trojan was detected	PAYLOAD [ANY.RUN] Win32/Fabookie Jpeg Embeded Payload
2184	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.bin.zip

FC7CC4028B5BB9C5D5EA4D731803BC87

8E67A7365378B049CA42990B6EFB5AE4560C7750

D705BB73BFA982782031FE88B19F1D1AEBF340A6CF206B2A203B90071169D440

6144:KLQM6JPBRaTNYfRhtcn51+0WiChi8pW46yjviHyuh:KkPBATm57y1+ji38s46yjaSuh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Scans artifacts that could help determine the target

Creates a writable file in the system directory

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Takes ownership (TAKEOWN.EXE)

Uses ICACLS.EXE to modify access control lists

Process drops legitimate windows executable

Executes as Windows Service

Creates file in the systems drive root

Executing commands from a ".bat" file

Starts SC.EXE for service management

Runs PING.EXE to delay simulation

Process requests binary or script from the Internet

INFO

Checks supported languages

Reads the computer name

Executable content was dropped or overwritten

Manual execution by a user

Checks proxy server information

Creates files or folders in the user directory

Process checks computer location settings

Creates files in the program directory

Executes as Windows Service

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings