fickerstealer

Sharing

General

Target

60d3af_Tuxera-NTFS-Cra.zip
Size

3.7MB
Sample

210623-l5rmzvwwnj
MD5

8b43356634bb0303ac22efbdd15d7b04
SHA1

68ef7049112380b64702848263eada70c2f662b5
SHA256

20ff7a2712194766e9b76a58af90bbe90dfb53a181a7499e24e3ababdc81cb44
SHA512

d386d4134b3d5c6b65890250161a985d9e01e1c1f28dd3397d24b55a83feb19a0a22fdba16ad33a193e2f79a80383badef5694644e09dde2cc8efd8b495863de

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

GxQ3GyI1SVg=

DDkKBA0ZQRA9DTQUNixBQAA8OlgtKC5J

Extracted

Family

fickerstealer

bukkva.club:80

Extracted

Family

redline

Botnet

ServAni

87.251.71.195:82

Extracted

Family

redline

Botnet

7500

ahannnavod.xyz:80

Extracted

Family

redline

Botnet

Cana

176.111.174.254:56328

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com

Attributes

profile_id
706

Extracted

Family

vidar

Version

39.4

Botnet

903

https://sergeevih43.tumblr.com

Attributes

profile_id
903

Targets

- Target
  
  main_setup_x86x64.exe
- Size
  
  3.7MB
- MD5
  
  b70e4c0710dee058e448fd2e5682dde9
- SHA1
  
  7cdf73e8bc5ab2eb999865bf6bf4c1ecdf0e8129
- SHA256
  
  c0d5ff27defeb5569887e495604662f44370d9f7e80cb9c8230585ca6574bbe5
- SHA512
  
  59963ba30e3d4d41271224ec665267207acaa7a3bed7284fb64c8107a97766909f8391e1928db523f4a40cfb5406425a195adedd59e842c70d6c19a588231c02
Score

10^/10

fickerstealer plugx redline smokeloader vidar gxq3gyi1svg=aspackv2 backdoor evasion infostealer stealer trojan 706 7500 903 cana servani upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- fickerstealer
  Ficker is an infostealer written in Rust and ASM.
  infostealer fickerstealer
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

PlugX

RedLine

RedLine Payload

SmokeLoader

Vidar

Vidar Stealer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2