General
Target: file
Size: 1.3MB
Sample: 210623-zvxyqdcmz2
MD5: a000f1b5cc28082867a6350bea669f8d
SHA1: 70acd6a3a0a903537fac08e780f51709c950639c
SHA256: 0a6614754166b5110120b24f6782afe731d935328b806e4fb009557a9a23c431
SHA512: 4048d0684d87fc1c21c142f7542730b2fce5b149d1b8ec010fa4b534b1a8146b0aa9de51e59d12ffb8464b3545e5108b5d2bcd76fd78f2034d727cdb6e61ad3d

Static task: static1
Behavioral task: behavioral1
  Sample: file.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: file.doc
  Resource: win10v20210408

Malware Config
Extracted: hancitor
- 2306_vensip
- http://extilivelly.com/8/forum.php
- http://cludimetifte.ru/8/forum.php
- http://sakincesed.ru/8/forum.php
Extracted: fickerstealer
- pospvisis.com:80
Targets
Target: file (1.3MB; MD5, SHA1, SHA256 and SHA512 identical to the General section above)
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext