Analysis
- max time kernel: 39s
- max time network: 173s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 09-07-2021 01:09
Static task: static1
Behavioral task: behavioral1
  Sample: niberius.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: niberius.dll
  Resource: win10v20210410
General
- Target: niberius.dll
- Size: 268KB
- MD5: d22d8bb38cf8d6a5ce6d8be4106350e7
- SHA1: 02fc51e6572a17f5dbbc32c4e3dd03cca3c51afe
- SHA256: 4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557
- SHA512: 434e6b553bb96c5ae6b26d22cc35614f248f93a442e702395ce925578598bdf74eb884daf5a40d6c02cb1769eaf3dfdf858205e0c7b64f8afda38574991fcc41
Malware Config
Extracted: hancitor
- 0707_wvcr
- http://sudepallon.com/8/forum.php
- http://anspossthrly.ru/8/forum.php
- http://thentabecon.ru/8/forum.php
Extracted: fickerstealer
- pospvisis.com:80
Signatures
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
- Hancitor
  Hancitor is a downloader used to deliver other malware families.
- Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
  flow  pid  process
  6     836  rundll32.exe
  8     836  rundll32.exe
  10    836  rundll32.exe
- Downloads MZ/PE file
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description                         pid  process       target process
  PID 836 set thread context of 1812  836  rundll32.exe  svchost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      svchost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: rundll32.exe, svchost.exe
  pid   process
  836   rundll32.exe
  836   rundll32.exe
  1812  svchost.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                      pid   process       target process
  PID 1120 wrote to memory of 836  1120  rundll32.exe  rundll32.exe    (7 entries)
  PID 836 wrote to memory of 1812  836   rundll32.exe  svchost.exe     (6 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\niberius.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\niberius.dll,#1
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (child)
      Command line: C:\Windows\System32\svchost.exe
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/836-60-0x0000000000000000-mapping.dmp
- memory/836-61-0x0000000074D91000-0x0000000074D93000-memory.dmp (8KB)
- memory/836-62-0x00000000007C0000-0x00000000008A2000-memory.dmp (904KB)
- memory/836-63-0x00000000007C0000-0x00000000007CA000-memory.dmp (40KB)
- memory/836-64-0x0000000000150000-0x0000000000151000-memory.dmp (4KB)
- memory/1812-65-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/1812-66-0x0000000000401480-mapping.dmp
- memory/1812-68-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)