Overview

overview

10

Static

static

123.dll

windows7_x64

10

123.dll

windows10_x64

10

Analysis

  • max time kernel
    53s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    21-07-2021 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    123.dll

  • Size

    244KB

  • MD5

    24190cd699631d16521dfb588b2571a3

  • SHA1

    546a86929e82babd0ee6f970d7729e3bf6a14698

  • SHA256

    99c4b9083ed613bc38904eec3e37d24d3ca092067ee54e373cc3c8d6339857a6

  • SHA512

    fd3123ababc536c2530785d52b3323c1250da0d41e18574ee2877013c6ac033f08157e1221cb3b01d971a3e214eba19bbcc4d29b3ea482cc52b433ecb6eacb21

Score
10/10
fickerstealerhancitor1907_hjfsddownloaderinfostealerspywarestealer

Malware Config

Extracted

Family

hancitor

Botnet

1907_hjfsd

C2

http://thervidolown.com/8/forum.php

http://wiltuslads.ru/8/forum.php

http://anithedtatione.ru/8/forum.php

Extracted

Family

fickerstealer

C2

pospvisis.com:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • Hancitor

    Hancitor is downloader used to deliver other malware families.

    downloaderhancitor
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\123.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\123.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\System32\svchost.exe
        3⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:864

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/864-64-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/864-65-0x0000000000401480-mapping.dmp

    Download

  • memory/864-67-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1100-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1100-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1100-61-0x0000000000880000-0x0000000000950000-memory.dmp

    Filesize

    832KB

    Download

  • memory/1100-62-0x0000000000880000-0x000000000088A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1100-63-0x00000000000B0000-0x00000000000B1000-memory.dmp

    Filesize

    4KB

    Download