General
Target: kelly.n.dll
Size: 335KB
Sample: 210421-785dwczfms
MD5: 22427dfa4b50e3111559a198dd95377c
SHA1: 0cc247e4fc18a56b350dbedede1f0f433e18da41
SHA256: e2c2f2f09847155f7e55b79bc8aa95843aff3686c695277afb655df5905ef8b6
SHA512: d3552f766c9101acf87581231627d77e53dcfcbc32fd440d539b72e9cf5421ab817f95a94c20176670b1edf1b2c5df8c92ea7c03c7306fe84a3eacf3e1bf7188
Static task: static1
Behavioral task: behavioral1
Sample: kelly.n.dll
Resource: win10v20210410
Malware Config
Extracted: hancitor
2104_mmvm
http://lectionalt.com/8/forum.php
http://palimenciont.ru/8/forum.php
http://sidainopecelf.ru/8/forum.php
Extracted: fickerstealer
sweyblidian.com:80
Targets
- Blocklisted process makes network request
- Downloads MZ/PE file
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext