Pulse Detail — Threat Intelligence

PULSE NAME

Exposing FakeBat loader: distribution methods and adversary infrastructure

WHITE Eugenfest AlienVault 2024-07-02 Modified: 2024-08-01

242

IOCs

HIGH VOLUME

During the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. Researchers uncovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social engineering schemes on social networks to trick users into downloading the malware. Analysts monitored the FakeBat C2 infrastructure and identified over 130 domain names associated with high confidence to the FakeBat C2 servers since August 2023. The report provides IoCs, YARA rules and tracking heuristics to monitor the FakeBat distribution and C2 infrastructures.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1133 T1192 T1071 T1140 T1195 T1193 T1568 T1064 T1566 T1189

MALWARE FAMILIES

FakeBat EugenLoader PaykLoader

Indicators of Compromise (242)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname YARA

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	4f2e138b6891395a408368a9a5998304	—	2024-07-02
FileHash-MD5	55d614058f3b2f237ad7b9a63e72de0f	—	2024-07-02
FileHash-MD5	55de04d9156a8503c271d076fd4ff122	—	2024-07-02
FileHash-MD5	569d206636b75c33240ba4c1739c04d6	—	2024-07-02
FileHash-MD5	e87d897c4f2f14bf715f432c2a2c1f28	—	2024-07-02
FileHash-SHA1	3c0d1d30ad289a57a315988c747c172f5aabe26e	—	2024-07-02
FileHash-SHA1	5efb3af1460b6a2a5da2ae9b515f830fe1d54287	—	2024-07-02
FileHash-SHA1	e50b4378c32b2d876eb220cfa0307afae97359b7	—	2024-07-02
FileHash-SHA256	00e7e8a0e8495189bb7feca21864fbd6c61a5aa680462186504de02536e0c2f9	—	2024-07-02
FileHash-SHA256	00ea5d43f2779a705856a824a3f8133cb100101e043cb670e49b163534b0c525	—	2024-07-02
FileHash-SHA256	020cd2e4ec27185550bf736b490d8ace0d244fe09315f9f7e18362de659bc7ad	—	2024-07-02
FileHash-SHA256	07a0986ab43f717e181a32d6742b11f788403ce582ad5fcbb9d20d0bd40d410b	—	2024-07-02
FileHash-SHA256	088ed84658a7c3bef4401601ef67a6953492fb0200a3b580bfabb21cd3ac8236	—	2024-07-02
FileHash-SHA256	0c4cef985c90ed764f041c2ccab6820fdbe38edaaddebe01a5b8d31d93204b88	—	2024-07-02
FileHash-SHA256	12ea41f2dfa89ad86f082fdf80ca57f14cd8a8f27280aca4f18111758de96d15	—	2024-07-02
FileHash-SHA256	175fcb7495c0814a5c18afa6244d467f0daeb0f02ad93c0ab4d3af8cbbacb537	—	2024-07-02
FileHash-SHA256	1bb51d62457f606e947a4e7ce86198e9956ae1fe4e51e4e945370cc25fe6bfff	—	2024-07-02
FileHash-SHA256	1c5cadde01f10a730cd8f55633c967c3a7259f4906f961477b7e095e7db326b7	—	2024-07-02
FileHash-SHA256	1d5d671bf680d739ded1e25e78970b38d00e8182816171a7c6a186504a79eeee	—	2024-07-02
FileHash-SHA256	2b033fc28ad12cb57c7c691bd40911ca47dd2a8e495a2d253557d2c6bcd40c5e	—	2024-07-02
FileHash-SHA256	2e8a82f07de254848615f81272f08e0cf9af474d1c20f67d9ddbdf439f1d8fde	—	2024-07-02
FileHash-SHA256	3bd95eadb44349c7d88ea989501590fb3652ae27eded15ab5d12b17e2708969f	—	2024-07-02
FileHash-SHA256	3d3a9cd140972b7b8a01dde2e4cd9707913f2eba09a3742c72016fd073004951	—	2024-07-02
FileHash-SHA256	400277618bd2591efb2eb22ac0041c1c5561d96c479a60924ef799de3e2d290c	—	2024-07-02
FileHash-SHA256	4029e194864e2557786e169c7f2c101b9972164de7b4f1ffadf89382317cf96c	—	2024-07-02
FileHash-SHA256	409a2a2a4e442017e6d647524fdec11507515a9f58a314e74307e67059bd8149	—	2024-07-02
FileHash-SHA256	49a7668d60e8df9d0a57ba9e0e736c1eb48700da19711cc0ec0f3c94a56ce507	—	2024-07-02
FileHash-SHA256	4e39fa74e49be2bf26fbfbbcea12d1374fa2f1607ff7fa2a0c8c323e697959ad	—	2024-07-02
FileHash-SHA256	5e5c134cea48e57da9604981c0a7fd6ef1704c4151b540f29de685e0017fa730	—	2024-07-02
FileHash-SHA256	5ee273180702a54f32520be02c170ad154588893b63eefe2062cdb34ad83712c	—	2024-07-02
FileHash-SHA256	67663233f9e3763171afd3a44b769dc67a8a61d4a159f205003c5fdb150e2ca1	—	2024-07-02
FileHash-SHA256	6e0179344ca0bbc42dce77027f5a6a049844daf34595fd184d9f094e8c74325c	—	2024-07-02
FileHash-SHA256	6fb502d83b7b5181abcb53784270239cc3e4143344e1f64101537aa3848c8c95	—	2024-07-02
FileHash-SHA256	7265ffdbe31dd96d6e6c8ead5a56817c905ff012418546e2233b7dce22372630	—	2024-07-02
FileHash-SHA256	72a1f6e7979daae38d8e0e14893db4c182b8362acc5d721141ed328ed02c7e28	—	2024-07-02
FileHash-SHA256	7316ed0cb0fdbede33a0b6d05d0be1fe3c616ef7c1098dfcc9a2339c793e7020	—	2024-07-02
FileHash-SHA256	763bdd0b5413bb2e0e3c4a68a7542586bbd638665b7ca250dbd9c7558216e427	—	2024-07-02
FileHash-SHA256	767dd301dc5297828a35eaba81f84bd0f50d61fe1a9208b8d89b5eaba064d65e	—	2024-07-02
FileHash-SHA256	7c7dc62ed7af2f90aeafdd5c3af5284c5539aeded7d642d39f5fd5f187d33c87	—	2024-07-02
FileHash-SHA256	7d0aaf734f73c1cf93e53703e648125bba43e023203be9a938f270dfe3492718	—	2024-07-02
FileHash-SHA256	806d08e6169569eb1649b2d1f770ad30a01ff55beedfe93aebccac2bc24533c0	—	2024-07-02
FileHash-SHA256	8f88a86d57b93cd7f63dfdf3cb8cc398cdce358e683fb04e19b0d0ed73dd50ee	—	2024-07-02
FileHash-SHA256	904ce1b1ffa601f9aeb0a6d68bc83532c5e76b958029bd1c889937fa7cf1867f	—	2024-07-02
FileHash-SHA256	90641a72a4ea6f1fca57ec5e5daec4319ec95bec53dd2bf0fa58d1f9ade42ad4	—	2024-07-02
FileHash-SHA256	96bd6abb1c8ec2ede22b915a11b97c0cd44c1f5ed1cda8bee0acfee290f8f580	—	2024-07-02
FileHash-SHA256	9a2268162982113c12d163b1377dc4e72c93f91e26bd511d16c1b705262ca03c	—	2024-07-02
FileHash-SHA256	9aa39f017b50dcc2214ce472d3967721c676a7826030c2e34cb95c495dba4960	—	2024-07-02
FileHash-SHA256	9e800a05e65efe923a35815157129652980f03cbcf95cf0d64676f6da73471de	—	2024-07-02
FileHash-SHA256	aa998fde06a6a6ab37593c054333e192ce4706a14d210d8fc6c0de3fd2d74ce2	—	2024-07-02
FileHash-SHA256	ae641dda420f2cf63ac29804f7009ba1c248c702679fbccef35e4d9319d77d2d	—	2024-07-02
FileHash-SHA256	b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f	—	2024-07-02
FileHash-SHA256	b7aa4697e16bbafe0df02ab3b8d0be8ec6e4abf6e6ca7d787d3d3684ca8f4b63	—	2024-07-02
FileHash-SHA256	c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4	—	2024-07-02
FileHash-SHA256	cea1c4f2229e7aa0167c07e22a3809f42ec931332da7cc28f7d14b9e702af66b	—	2024-07-02
FileHash-SHA256	d069437eda843bd7a675a1cca7fd4922803833f39265d951fa01e7ad8e662c60	—	2024-07-02
FileHash-SHA256	d1da457b0891b68df16ce86e2a48a799b9528c1631bccc379623551f873c0eed	—	2024-07-02
FileHash-SHA256	e3f18df1d8f5e27a41221246cc63236487c56354ba0c926a3fdaea70db901adb	—	2024-07-02
FileHash-SHA256	e5b94c001fc3c1c1aa35c71a3d1e9909124339e0ade09f897b918fe0729c12e1	—	2024-07-02
FileHash-SHA256	f0e0aea32962a8a4aecd0c4b0329dc7e901fa5b103f0b03563cf9705d751bbe1	—	2024-07-02
FileHash-SHA256	f0f77c85c7da4391e34d106c4b5f671eb606ba695dc11401a6ee8ae53e337cbe	—	2024-07-02
FileHash-SHA256	f138728ce2cc87201a51c9250fa87cbab20354012a8f566e1b2cd776cc1a66af	—	2024-07-02
FileHash-SHA256	f1d72a27147c42a4f4baf3e10a6f03988c70546bb174a1025553a8319717ba95	—	2024-07-02
FileHash-SHA256	f312e59be5ddbf857d92de506d55ae267800b0cbc2b82665ce63c889a7ae9414	—	2024-07-02
FileHash-SHA256	f3ebb23bdcc7ac016d958c1a057152636bc2372b3a059bf49675882f64105068	—	2024-07-02
FileHash-SHA256	f8ab48848ab915d1b23e3ee51dd20a2699bd4f277bde218a727d7a55a572d174	—	2024-07-02
URL	http://clk-info.site/?status=install	—	2024-07-02
URL	http://clk-info.site/?status=start&av=Windows%20Defender	—	2024-07-02
URL	http://utd-corts.com/buy/	—	2024-07-02
URL	https://3010cars.top/?status=start&av=Names&domain=$domain&os=$urlEncodedOsCaption	—	2024-07-02
URL	https://amydlesk.com/download/dwnl.php	—	2024-07-02
URL	https://app.getmess.io/	—	2024-07-02
URL	https://app.getmess.io/download/dwnl.php	—	2024-07-02
URL	https://brow-ser-update.top/GoogleChrome-x86.msix	—	2024-07-02
URL	https://brow-ser-update.top/download/dwnl.php	—	2024-07-02
URL	https://getmess.download/Getmess.msix	—	2024-07-02
URL	https://monkeybeta.com/build/AnyDesk-x86.msix	—	2024-07-02
URL	https://photoshop-adobe.shop/download/dwnl.php	—	2024-07-02
URL	https://utr-jopass.com/buy/	—	2024-07-02
domain	0212top.online	—	2024-07-02
domain	0212top.site	—	2024-07-02
domain	0212top.top	—	2024-07-02
domain	0212top.xyz	—	2024-07-02
domain	0909kses.top	—	2024-07-02
domain	11234jkhfkujhs.online	—	2024-07-02
domain	11234jkhfkujhs.site	—	2024-07-02
domain	11234jkhfkujhs.top	—	2024-07-02
domain	11234jkhfkujhs.xyz	—	2024-07-02
domain	1212stars.online	—	2024-07-02
domain	1212stars.site	—	2024-07-02
domain	1212stars.top	—	2024-07-02
domain	1212stars.xyz	—	2024-07-02
domain	2311foreign.xyz	—	2024-07-02
domain	2311forget.online	—	2024-07-02
domain	2311forget.site	—	2024-07-02
domain	2311forget.xyz	—	2024-07-02
domain	2610asdkj.online	—	2024-07-02
domain	2610asdkj.site	—	2024-07-02
domain	2610asdkj.top	—	2024-07-02
domain	2610asdkj.xyz	—	2024-07-02
domain	2610kjhsda.online	—	2024-07-02
domain	2610kjhsda.site	—	2024-07-02
domain	2610kjhsda.top	—	2024-07-02
domain	2610kjhsda.xyz	—	2024-07-02
domain	3010cars.online	—	2024-07-02
domain	3010cars.site	—	2024-07-02
domain	3010cars.top	—	2024-07-02
domain	3010cars.xyz	—	2024-07-02
domain	3010offers.online	—	2024-07-02
domain	3010offers.site	—	2024-07-02
domain	3010offers.top	—	2024-07-02
domain	3010offers.xyz	—	2024-07-02
domain	343-ads-info.top	—	2024-07-02
domain	364klhjsfsl.top	—	2024-07-02
domain	465jsdlkd.top	—	2024-07-02
domain	756-ads-info.site	—	2024-07-02
domain	756-ads-info.top	—	2024-07-02
domain	756-ads-info.xyz	—	2024-07-02
domain	875jhrfks.top	—	2024-07-02
domain	98762341tdgi.online	—	2024-07-02
domain	98762341tdgi.site	—	2024-07-02
domain	98762341tdgi.top	—	2024-07-02
domain	98762341tdgi.xyz	—	2024-07-02
domain	999-ads-info.top	—	2024-07-02
domain	ads-analyze.online	—	2024-07-02
domain	ads-analyze.site	—	2024-07-02
domain	ads-analyze.top	—	2024-07-02
domain	ads-analyze.xyz	—	2024-07-02
domain	ads-change.online	—	2024-07-02
domain	ads-change.site	—	2024-07-02
domain	ads-change.top	—	2024-07-02
domain	ads-change.xyz	—	2024-07-02
domain	ads-creep.top	—	2024-07-02
domain	ads-creep.xyz	—	2024-07-02
domain	ads-eagle.top	—	2024-07-02
domain	ads-eagle.xyz	—	2024-07-02
domain	ads-forget.top	—	2024-07-02
domain	ads-hoop.top	—	2024-07-02
domain	ads-hoop.xyz	—	2024-07-02
domain	ads-info.ru	—	2024-07-02
domain	ads-info.site	—	2024-07-02
domain	ads-moon.top	—	2024-07-02
domain	ads-moon.xyz	—	2024-07-02
domain	ads-pill.top	—	2024-07-02
domain	ads-pill.xyz	—	2024-07-02
domain	ads-star.online	—	2024-07-02
domain	ads-star.site	—	2024-07-02
domain	ads-star.top	—	2024-07-02
domain	ads-star.xyz	—	2024-07-02
domain	ads-strong.online	—	2024-07-02
domain	ads-strong.site	—	2024-07-02
domain	ads-strong.top	—	2024-07-02
domain	ads-strong.xyz	—	2024-07-02
domain	ads-tooth.xyz	—	2024-07-02
domain	ads-work.site	—	2024-07-02
domain	ads-work.top	—	2024-07-02
domain	ads-work.xyz	—	2024-07-02
domain	advancedipscannerapp.com	—	2024-07-02
domain	aipanelnew.ru	—	2024-07-02
domain	aipanelnew.site	—	2024-07-02
domain	amydlesk.com	—	2024-07-02
domain	anydesk.best	—	2024-07-02
domain	bienvenido.com	—	2024-07-02
domain	brow-ser-update.top	—	2024-07-02
domain	cdn-ads.ru	—	2024-07-02
domain	cdn-ads.site	—	2024-07-02
domain	cdn-dwnld.ru	—	2024-07-02
domain	cdn-dwnld.site	—	2024-07-02
domain	cdn-new-dwnl.ru	—	2024-07-02
domain	clk-brom.ru	—	2024-07-02
domain	clk-brom.site	—	2024-07-02
domain	clk-brood.online	—	2024-07-02
domain	clk-brood.top	—	2024-07-02
domain	clk-info.ru	—	2024-07-02
domain	clk-info.site	—	2024-07-02
domain	cornbascet.ru	—	2024-07-02
domain	cornbascet.site	—	2024-07-02
domain	dns-inform.top	—	2024-07-02
domain	findreaders.com	—	2024-07-02
domain	fresh-prok.ru	—	2024-07-02
domain	fresh-prok.site	—	2024-07-02
domain	ganalytics-api.com	—	2024-07-02
domain	getmess.download	—	2024-07-02
domain	getmess.io	—	2024-07-02
domain	gotrustfear.ru	—	2024-07-02
domain	gotrustfear.site	—	2024-07-02
domain	infocdn-111.online	—	2024-07-02
domain	infocdn-111.site	—	2024-07-02
domain	infocdn-111.xyz	—	2024-07-02
domain	monkeybeta.com	—	2024-07-02
domain	new-prok.ru	—	2024-07-02
domain	new-prok.site	—	2024-07-02
domain	newtorpan.ru	—	2024-07-02
domain	newtorpan.site	—	2024-07-02
domain	noltlion.com	—	2024-07-02
domain	notilion.co	—	2024-07-02
domain	notilon.co	—	2024-07-02
domain	notion-loads.com	—	2024-07-02
domain	notion.help	—	2024-07-02
domain	notion.li	—	2024-07-02
domain	notiorn.org	—	2024-07-02
domain	notiron.org	—	2024-07-02
domain	notliion.com	—	2024-07-02
domain	notlilon.co	—	2024-07-02
domain	notlon.top	—	2024-07-02
domain	photoshop-adobe.shop	—	2024-07-02
domain	pputy.com	—	2024-07-02
domain	prkl-ads.ru	—	2024-07-02
domain	prkl-ads.site	—	2024-07-02
domain	puttyy.ca	—	2024-07-02
domain	rabby.pro	—	2024-07-02
domain	test-pn.ru	—	2024-07-02
domain	test-pn.site	—	2024-07-02
domain	topttr.com	—	2024-07-02
domain	trust-flare.ru	—	2024-07-02
domain	trust-flare.site	—	2024-07-02
domain	trustdwnl.ru	—	2024-07-02
domain	udr-offdips.com	—	2024-07-02
domain	updaterdrivers.com	—	2024-07-02
domain	urd-apdaps.com	—	2024-07-02
domain	usm-pontic.com	—	2024-07-02
domain	utd-corts.com	—	2024-07-02
domain	utd-forts.com	—	2024-07-02
domain	utd-gochisu.com	—	2024-07-02
domain	utd-horipsy.com	—	2024-07-02
domain	utm-adrooz.com	—	2024-07-02
domain	utm-adschuk.com	—	2024-07-02
domain	utm-adsgoogle.com	—	2024-07-02
domain	utm-advrez.com	—	2024-07-02
domain	utm-drmka.com	—	2024-07-02
domain	utm-fukap.com	—	2024-07-02
domain	utm-msh.com	—	2024-07-02
domain	utr-gavlup.com	—	2024-07-02
domain	utr-jopass.com	—	2024-07-02
domain	utr-krubz.com	—	2024-07-02
domain	utr-provit.com	—	2024-07-02
hostname	notion.findreaders.com	—	2024-07-02
hostname	notion.ilusofficial.com	—	2024-07-02
hostname	notion.kyngsacademy.com	—	2024-07-02
hostname	notion.officespacesearchdc.com	—	2024-07-02
hostname	www.womansvitamin.com	—	2024-07-02
YARA	8c318bdabff95c901dbad64f88c5834f26965302	Finds FakeBat initial PowerShell script downloading and executing the next-stage payload.	2024-07-02
YARA	2da522f4f22570906f1ce34536894a8b9b0c1045	Finds FakeBat PowerShell script fingerprinting the infected host.	2024-07-02

References (1)

↗ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/#h-iocs