fickerstealer | b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699

General

Target

0708_3355614568218.doc
Size

877KB
MD5

992338b40b38f1f55bd4a9599f70771c
SHA1

866086438592043aebb88f3da34ad437681a5cb0
SHA256

b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699
SHA512

cd0482f15b709a61dcc3c0007486d5d2eaeb5bfc315cc2d82bd4f75dae68fed5fee8a0e90c61163723f34b0cdc6c459c186f14ef6b936bc5ed70e7b4d97da50a

Score

10^/10

fickerstealer hancitor downloader infostealer spyware stealer

Malware Config

Extracted

Family

fickerstealer

C2

pospvisis.com:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3176	672	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

30 3204 rundll32.exe
32 3204 rundll32.exe
34 3204 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3204 rundll32.exe
3204 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3204 set thread context of 3880 3204 rundll32.exe svchost.exe

flow	pid	process
30	3204	rundll32.exe
32	3204	rundll32.exe
34	3204	rundll32.exe

pid	process
3204	rundll32.exe
3204	rundll32.exe

flow	ioc
29	api.ipify.org

description	pid	process	target process
PID 3204 set thread context of 3880	3204	rundll32.exe	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEsvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{2C14B83B-344B-46C1-95C0-E1291EBC54FD}\nimb.dll:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

672 WINWORD.EXE
672 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exesvchost.exe

pid process

3204 rundll32.exe
3204 rundll32.exe
3880 svchost.exe
3880 svchost.exe

pid	process
3204	rundll32.exe
3204	rundll32.exe
3880	svchost.exe
3880	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE
672	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXErundll32.exerundll32.exe

description	pid	process	target process
PID 672 wrote to memory of 2372	672	WINWORD.EXE	splwow64.exe
PID 672 wrote to memory of 2372	672	WINWORD.EXE	splwow64.exe
PID 672 wrote to memory of 3176	672	WINWORD.EXE	rundll32.exe
PID 672 wrote to memory of 3176	672	WINWORD.EXE	rundll32.exe
PID 3176 wrote to memory of 3204	3176	rundll32.exe	rundll32.exe
PID 3176 wrote to memory of 3204	3176	rundll32.exe	rundll32.exe
PID 3176 wrote to memory of 3204	3176	rundll32.exe	rundll32.exe
PID 3204 wrote to memory of 3880	3204	rundll32.exe	svchost.exe
PID 3204 wrote to memory of 3880	3204	rundll32.exe	svchost.exe
PID 3204 wrote to memory of 3880	3204	rundll32.exe	svchost.exe
PID 3204 wrote to memory of 3880	3204	rundll32.exe	svchost.exe
PID 3204 wrote to memory of 3880	3204	rundll32.exe	svchost.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0708_3355614568218.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2372

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll,ONOQWPYIEIR
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
4⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\admin\appdata\roaming\microsoft\templates\niberius.dll
MD5
d22d8bb38cf8d6a5ce6d8be4106350e7

SHA1
02fc51e6572a17f5dbbc32c4e3dd03cca3c51afe

SHA256
4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557

SHA512
434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Templates\niberius.dll
MD5
d22d8bb38cf8d6a5ce6d8be4106350e7

SHA1
02fc51e6572a17f5dbbc32c4e3dd03cca3c51afe

SHA256
4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557

SHA512
434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Templates\niberius.dll
MD5
d22d8bb38cf8d6a5ce6d8be4106350e7

SHA1
02fc51e6572a17f5dbbc32c4e3dd03cca3c51afe

SHA256
4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557

SHA512
434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41

Download Submit
memory/672-119-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/672-117-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/672-118-0x00007FFD10F10000-0x00007FFD13A33000-memory.dmp

Filesize
43.1MB

Download
memory/672-122-0x00007FFD0BE80000-0x00007FFD0CF6E000-memory.dmp

Filesize
16.9MB

Download
memory/672-123-0x00007FFD09880000-0x00007FFD0B775000-memory.dmp

Filesize
31.0MB

Download
memory/672-115-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/672-116-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/672-114-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp

Filesize
64KB

Download
memory/2372-179-0x0000000000000000-mapping.dmp

Download
memory/3176-180-0x0000000000000000-mapping.dmp

Download
memory/3204-182-0x0000000000000000-mapping.dmp

Download
memory/3204-185-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/3880-186-0x0000000000401480-mapping.dmp

Download
memory/3880-187-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads