Overview

overview

10

Static

static

kelly.n.dll

windows7_x64

10

kelly.n.dll

windows10_x64

10

Resubmissions

21-04-2021 15:20

210421-785dwczfms 10

21-04-2021 15:10

210421-kq112jc8an 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    kelly.n.dll

  • Size

    335KB

  • Sample

    210421-kq112jc8an

  • MD5

    22427dfa4b50e3111559a198dd95377c

  • SHA1

    0cc247e4fc18a56b350dbedede1f0f433e18da41

  • SHA256

    e2c2f2f09847155f7e55b79bc8aa95843aff3686c695277afb655df5905ef8b6

  • SHA512

    d3552f766c9101acf87581231627d77e53dcfcbc32fd440d539b72e9cf5421ab817f95a94c20176670b1edf1b2c5df8c92ea7c03c7306fe84a3eacf3e1bf7188

Score
10/10
fickerstealerhancitor2104_mmvmdownloaderinfostealerspywarestealer

Malware Config

Extracted

Family

hancitor

Botnet

2104_mmvm

C2

http://lectionalt.com/8/forum.php

http://palimenciont.ru/8/forum.php

http://sidainopecelf.ru/8/forum.php

Extracted

Family

fickerstealer

C2

sweyblidian.com:80

Targets

    • Target

      kelly.n.dll

    • Size

      335KB

    • MD5

      22427dfa4b50e3111559a198dd95377c

    • SHA1

      0cc247e4fc18a56b350dbedede1f0f433e18da41

    • SHA256

      e2c2f2f09847155f7e55b79bc8aa95843aff3686c695277afb655df5905ef8b6

    • SHA512

      d3552f766c9101acf87581231627d77e53dcfcbc32fd440d539b72e9cf5421ab817f95a94c20176670b1edf1b2c5df8c92ea7c03c7306fe84a3eacf3e1bf7188

    Score
    10/10
    fickerstealerhancitor2104_mmvmdownloaderinfostealerspywarestealer

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks