General
-
Target
file
-
Size
1.3MB
-
Sample
210623-lrdnfgbxlj
-
MD5
45d3f2916df2ecb00f228e3477ae4c1f
-
SHA1
86a4ea38cf7f8b61e1fbf35cc1b0921580fa81d4
-
SHA256
2c0936d98c5fe69db0c8e45d2626d23caade71079317f09f35a03035965b37f9
-
SHA512
16834386d3243f8ebc4e02b50e7b34b06f7635907bc15c0afbac43e326beb0c4873feba309605f78a29511688a3ae66dd8dbe3b40b77f76a26e867e715183d4c
Malware Config
Extracted
hancitor
2306_vensip
http://extilivelly.com/8/forum.php
http://cludimetifte.ru/8/forum.php
http://sakincesed.ru/8/forum.php
Extracted
fickerstealer
pospvisis.com:80
Targets
-
-
Target
file
-
Size
1.3MB
-
MD5
45d3f2916df2ecb00f228e3477ae4c1f
-
SHA1
86a4ea38cf7f8b61e1fbf35cc1b0921580fa81d4
-
SHA256
2c0936d98c5fe69db0c8e45d2626d23caade71079317f09f35a03035965b37f9
-
SHA512
16834386d3243f8ebc4e02b50e7b34b06f7635907bc15c0afbac43e326beb0c4873feba309605f78a29511688a3ae66dd8dbe3b40b77f76a26e867e715183d4c
Score10/10-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-