General

Target: ter.dll
Size: 773KB
Sample: 210715-whm78dmtd2
MD5: 2dc334887c1180331aca5fe3316adbe9
SHA1: 63ea01c0cb12b29e968938d8429ca4052011900a
SHA256: 67bae0c522e8a516c008d9144bb42f0c4e0783c8c84cc3abe58d7a786cfd4cbe
SHA512: a38f71795dfb25feb8c93d2503ae9df33a5f2c6e0722e30110104b34a4168ed1f0d9991c428aaa6397c91383d3d7a4e4ad02d786fd7290503d5141bb79c69b64
Static task: static1

Behavioral task: behavioral1
Sample: ter.dll
Resource: win7v20210408

Behavioral task: behavioral2
Sample: ter.dll
Resource: win10v20210408
Malware Config

Extracted: hancitor
1507_pewut
http://gatiallyde.com/8/forum.php
http://dialencelu.ru/8/forum.php
http://accomead.ru/8/forum.php

Extracted: fickerstealer
pospvisis.com:80
Targets

Target: ter.dll
- Blocklisted process makes network request
- Downloads MZ/PE file
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext