General

  • Target

    0714_1137360888.doc

  • Size

    1.4MB

  • Sample

    210715-zt2s9f3qwa

  • MD5

    b55bb126dd3962a05bf15d27ba832223

  • SHA1

    069aefe704193c0014ffc90af2e3ce76166eee1c

  • SHA256

    d8bef6e24e6faa20f4cfaa6d3cadedefff93a37a2e6337fbb89b7be718b17d31

  • SHA512

    b197db5abeaa4c935a859bb355eb2c12a1ee5f42bdad039bd4372055a46207d60a5d4ea3ed3afd0705612e9879098e16362d7af45699a79574ca051180642f2e

Malware Config

Extracted

Family

hancitor

Botnet

1507_pewut

C2

http://gatiallyde.com/8/forum.php

http://dialencelu.ru/8/forum.php

http://accomead.ru/8/forum.php

Extracted

Family

fickerstealer

C2

pospvisis.com:80

Targets

    • Target

      0714_1137360888.doc

    • Size

      1.4MB

    • MD5

      b55bb126dd3962a05bf15d27ba832223

    • SHA1

      069aefe704193c0014ffc90af2e3ce76166eee1c

    • SHA256

      d8bef6e24e6faa20f4cfaa6d3cadedefff93a37a2e6337fbb89b7be718b17d31

    • SHA512

      b197db5abeaa4c935a859bb355eb2c12a1ee5f42bdad039bd4372055a46207d60a5d4ea3ed3afd0705612e9879098e16362d7af45699a79574ca051180642f2e

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks