General

  • Target

    0715_522785908988.doc

  • Size

    1.4MB

  • Sample

    210715-memt8dh5f6

  • MD5

    b2a7e405503858e1e6f8ec093e50d8e5

  • SHA1

    afd698cb46334da3aabf417befdf4ba2611b2d00

  • SHA256

    b56285ce43b1934bdabdd4fac12e368d5464eb5654afa87979221ba477fa350d

  • SHA512

    ec6b237279b32a9d7387a6c0b473f943f5e39a2d29d2d75e94a6fe9e792e9c114ea92f58f9fbefd69519e2145aaea70a0ee7500164333dfeec73f5c83b72782d

Malware Config

Extracted

Family

hancitor

Botnet

1507_pewut

C2

http://gatiallyde.com/8/forum.php

http://dialencelu.ru/8/forum.php

http://accomead.ru/8/forum.php

Extracted

Family

fickerstealer

C2

pospvisis.com:80

Targets

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks