Overview

overview

10

Static

static

532.dll

windows7_x64

10

532.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    532.dll

  • Size

    200KB

  • Sample

    210722-4a7m1txc46

  • MD5

    7348620f737ec1b0997cae7548344f2c

  • SHA1

    5550f62fdc0963c331b460f8a967c45d481e505a

  • SHA256

    8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd

  • SHA512

    568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

Score
10/10
fickerstealerhancitor2207_xwpi67downloaderinfostealerspywarestealer

Malware Config

Extracted

Family

hancitor

Botnet

2207_xwpi67

C2

http://tholeferli.com/8/forum.php

http://aidgodown.ru/8/forum.php

http://relifleappin.ru/8/forum.php

Extracted

Family

fickerstealer

C2

pospvisis.com:80

Targets

    • Target

      532.dll

    • Size

      200KB

    • MD5

      7348620f737ec1b0997cae7548344f2c

    • SHA1

      5550f62fdc0963c331b460f8a967c45d481e505a

    • SHA256

      8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd

    • SHA512

      568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6

    Score
    10/10
    fickerstealerhancitor2207_xwpi67downloaderinfostealerspywarestealer

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

      infostealerfickerstealer

    • Hancitor

      Hancitor is downloader used to deliver other malware families.

      downloaderhancitor

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks