General

  • Target: ter.dll
  • Size: 773KB
  • Sample: 210715-1l2ebbtjj6
  • MD5: 2dc334887c1180331aca5fe3316adbe9
  • SHA1: 63ea01c0cb12b29e968938d8429ca4052011900a
  • SHA256: 67bae0c522e8a516c008d9144bb42f0c4e0783c8c84cc3abe58d7a786cfd4cbe
  • SHA512: a38f71795dfb25feb8c93d2503ae9df33a5f2c6e0722e30110104b34a4168ed1f0d9991c428aaa6397c91383d3d7a4e4ad02d786fd7290503d5141bb79c69b64

Malware Config

Extracted

Family: hancitor
Botnet: 1507_pewut
C2:
  http://gatiallyde.com/8/forum.php
  http://dialencelu.ru/8/forum.php
  http://accomead.ru/8/forum.php

Extracted

Family: fickerstealer
C2: pospvisis.com:80

Targets

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks