General

  • Target

    ac8e3612_by_Libranalysis

  • Size

    425KB

  • Sample

    210428-ej7c7agcv2

  • MD5

    ac8e361233e01d5f611558f70985fa28

  • SHA1

    638bb04aea700f374a3d9a1dddcf3180dbb5762f

  • SHA256

    b87058debe148793a01173971935cb36fe7d56e2400282629f810cbb1ef14ef7

  • SHA512

    35064c1be92b9ebd8cf7684b78a2624d5035d8e9225e0b7b3b4c3b459d26e041931d977d1440b30fddd8d7b9aacef4ee20c0affa4f33281f245aba54baad95d9

Malware Config

Extracted

Family

fickerstealer

C2

gurums.space:80

Targets

    • Target

      ac8e3612_by_Libranalysis

    • Size

      425KB

    • MD5

      ac8e361233e01d5f611558f70985fa28

    • SHA1

      638bb04aea700f374a3d9a1dddcf3180dbb5762f

    • SHA256

      b87058debe148793a01173971935cb36fe7d56e2400282629f810cbb1ef14ef7

    • SHA512

      35064c1be92b9ebd8cf7684b78a2624d5035d8e9225e0b7b3b4c3b459d26e041931d977d1440b30fddd8d7b9aacef4ee20c0affa4f33281f245aba54baad95d9

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6