Overview

overview

10

Static

static

8

7b707d7788...f8.exe

windows7_x64

3

7b707d7788...f8.exe

windows10_x64

7

7be6c0d38e...ce.exe

windows7_x64

10

7be6c0d38e...ce.exe

windows10_x64

10

8e9d85ae52...28.exe

windows7_x64

3

8e9d85ae52...28.exe

windows10_x64

3

a246c7a036...82.exe

windows7_x64

8

a246c7a036...82.exe

windows10_x64

8

a8a9389353...c4.exe

windows7_x64

10

a8a9389353...c4.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1.zip

  • Size

    853KB

  • Sample

    210701-nqg66smycx

  • MD5

    3f07601c9e60d83a9bdc46f7d771473e

  • SHA1

    c904774644f38785645ac5300b37e7b53754bd75

  • SHA256

    6014b30bcb29b6bcc758164ee4057e84dc08180c12688e2396dd638f2142c322

  • SHA512

    b8ac7dce230edceba1b121a9b264d408a037d6f3b5375e31738948d008db859c695b4fedae6e0aae76df732f71f72581ab7b962f8c56c28c2c02e5fa76953a23

Score
10/10
fickerstealerxmrigdiscoveryevasioninfostealerminerpersistencespywarestealerupx

Malware Config

Extracted

Family

fickerstealer

C2

80.87.192.115:80

Targets

    • Target

      7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8

    • Size

      209KB

    • MD5

      1a736d7a0881473473a6c5f782836e69

    • SHA1

      9e42b57a2076867afdd47373b867ac87cba5083f

    • SHA256

      7b707d7788849ef1b8722aaea161ee016228239f0713fce4cb9592552f6715f8

    • SHA512

      7e758e89292fec2d23f7b1041bb375ef0baab55571324a0c8414bd3a5332361936a552b07e27ae217bedddf777d6ae5bffff91870280b32421d6137e5905256d

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

    • Target

      7be6c0d38ef7ac12dbfd8a45d5b9513934d1e1195eb62c7cb44f103269b1bbce

    • Size

      222KB

    • MD5

      d97990b3f79d8ec2d4b174cf0c8b8a1e

    • SHA1

      1dbd733efb3c0064739c9da11e4de6319984b98f

    • SHA256

      7be6c0d38ef7ac12dbfd8a45d5b9513934d1e1195eb62c7cb44f103269b1bbce

    • SHA512

      ee5ee5613391d8231d1ad6855f155d3fd3fcffa19c9f7f0bf0e19be42c4472e3436d269e0d59e462734ba9dcbaca83d3c1b0b5ce8174cde111a14cf405ae4252

    Score
    10/10
    xmrigminerpersistence

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      8e9d85ae521c93539b3c58c3c9f3aedfe235ee4cea0688f580fc67cefdbeaa28

    • Size

      296KB

    • MD5

      0284ad0eb6ae288cc4cb13fbd9280483

    • SHA1

      f8e81aa7be42334347b7433414dbd4e919232a46

    • SHA256

      8e9d85ae521c93539b3c58c3c9f3aedfe235ee4cea0688f580fc67cefdbeaa28

    • SHA512

      927bcae18074850771882cf864c68504cf30ccdc59ca42412e07bbbd4d70b8e24b237656b25210220dd0b06ebe38263cccb9a43dab4d73409c6df73e3d0dcd6a

    Score
    3/10
    behavioral5behavioral6

    • Target

      a246c7a0362b24c2022ebdb4c229f3c8bdd0f8541f55880a03d394f85aa10582

    • Size

      366KB

    • MD5

      edcb9e4837cb1118d11931bc0955c5eb

    • SHA1

      cb5505dea7d55cf00a7bf3db3d21becf4872da76

    • SHA256

      a246c7a0362b24c2022ebdb4c229f3c8bdd0f8541f55880a03d394f85aa10582

    • SHA512

      fc3fff3da308f4cb0359e96a0969393eda0d71ffe03c47ca5caabbe6a91616e4e3b17cd3409262b59503012d37e16f1dd151fd8115dd9ba413f99af7f1845fb0

    Score
    8/10
    evasionpersistence

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral7behavioral8

    • Target

      a8a9389353cbc3155ef587c59f6f2e250740cbad4c7bd1c6f3ff501652f593c4

    • Size

      535KB

    • MD5

      24529921569a021456436d4088937002

    • SHA1

      e51ed743a9b4e639c44e9dd01879ed9861301374

    • SHA256

      a8a9389353cbc3155ef587c59f6f2e250740cbad4c7bd1c6f3ff501652f593c4

    • SHA512

      508aedf4215b944ce454c89134d19cc1bb51d3eebfada2c5a75cb53d271c5ac1cead074cd61c784eceb7ac8a70fbefb14ecf42e7635218ca85188da3348f6112

    Score
    10/10
    fickerstealerdiscoveryinfostealerspywarestealer

    • fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral9behavioral10

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks