fickerstealer | 0a6614754166b5110120b24f6782afe731d935328b806e4fb009557a9a23c431 | Triage

Submit
Reports

Overview

overview

Static

static

8

file.doc

windows7_x64

4

file.doc

windows10_x64

Sharing

General

Target

file
Size

1.3MB
Sample

210623-zvxyqdcmz2
MD5

a000f1b5cc28082867a6350bea669f8d
SHA1

70acd6a3a0a903537fac08e780f51709c950639c
SHA256

0a6614754166b5110120b24f6782afe731d935328b806e4fb009557a9a23c431
SHA512

4048d0684d87fc1c21c142f7542730b2fce5b149d1b8ec010fa4b534b1a8146b0aa9de51e59d12ffb8464b3545e5108b5d2bcd76fd78f2034d727cdb6e61ad3d

Score

10^/10

fickerstealer hancitor 2306_vensip downloader infostealer macro macro_on_action spyware stealer

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

file.doc

Resource

win7v20210408

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

file.doc

Resource

win10v20210408

fickerstealer hancitor 2306_vensip downloader infostealer spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

hancitor

Botnet

2306_vensip

C2

http://extilivelly.com/8/forum.php

http://cludimetifte.ru/8/forum.php

http://sakincesed.ru/8/forum.php

Extracted

Family

fickerstealer

C2

pospvisis.com:80

Targets

- Target
  
  file
- Size
  
  1.3MB
- MD5
  
  a000f1b5cc28082867a6350bea669f8d
- SHA1
  
  70acd6a3a0a903537fac08e780f51709c950639c
- SHA256
  
  0a6614754166b5110120b24f6782afe731d935328b806e4fb009557a9a23c431
- SHA512
  
  4048d0684d87fc1c21c142f7542730b2fce5b149d1b8ec010fa4b534b1a8146b0aa9de51e59d12ffb8464b3545e5108b5d2bcd76fd78f2034d727cdb6e61ad3d
Score

10^/10

fickerstealer hancitor 2306_vensip downloader infostealer spyware stealer
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- fickerstealer
  Ficker is an infostealer written in Rust and ASM.
  infostealer fickerstealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

fickerstealerhancitor2306_vensipdownloaderinfostealerspywarestealer

© 2018-2024

Terms | Privacy