General

  • Target

    DFB6F96342FC5AC3E57338C8BD2061AE.exe

  • Size

    357KB

  • Sample

    210428-vwq254yal2

  • MD5

    dfb6f96342fc5ac3e57338c8bd2061ae

  • SHA1

    b6c9d7cccf701c2c14c28ca2115feaf216c27ec8

  • SHA256

    15c65f4a42518ca6cb19fbab258b09ed43f79d111e20af2efb69bf855637909b

  • SHA512

    93383936241a6a21016982d09d28f231d72ebaebaeb88308955e53d49366f510d40f466782c97c23dbfda851390979489a0bdceedc1710acd335f7231c4376c4

Malware Config

Extracted

Family

fickerstealer

C2

gurums.space:80

Targets

    • Target

      DFB6F96342FC5AC3E57338C8BD2061AE.exe

    • Size

      357KB

    • MD5

      dfb6f96342fc5ac3e57338c8bd2061ae

    • SHA1

      b6c9d7cccf701c2c14c28ca2115feaf216c27ec8

    • SHA256

      15c65f4a42518ca6cb19fbab258b09ed43f79d111e20af2efb69bf855637909b

    • SHA512

      93383936241a6a21016982d09d28f231d72ebaebaeb88308955e53d49366f510d40f466782c97c23dbfda851390979489a0bdceedc1710acd335f7231c4376c4

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks