General
Target: 532.dll
Size: 200KB
Sample: 210722-5wesg13ng6
MD5: 7348620f737ec1b0997cae7548344f2c
SHA1: 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256: 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512: 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6
Static task: static1
Behavioral task: behavioral1 (sample 532.dll, resource win7v20210408)
Behavioral task: behavioral2 (sample 532.dll, resource win10v20210410)
Malware Config
Extracted
Family: hancitor
Botnet (build ID): 2207_xwpi67
C2:
http://tholeferli.com/8/forum.php
http://aidgodown.ru/8/forum.php
http://relifleappin.ru/8/forum.php
Extracted
Family: fickerstealer
C2: pospvisis.com:80
Targets
Target: 532.dll
Size: 200KB
MD5: 7348620f737ec1b0997cae7548344f2c
SHA1: 5550f62fdc0963c331b460f8a967c45d481e505a
SHA256: 8efac1531e83525bb0806eebca0bb9a797a18feb1848a4ceee4a88fdb85cbbbd
SHA512: 568babf18ba8ad33c9756e43610172361132f076bb4601e0e046317a30a298da453219f43a2b5ffafc5c535e4ca62ffff622ae7bf084efba786946b880f9ddb6
Signatures
- Blocklisted process makes network request
- Downloads MZ/PE file
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Rewriting another thread's context is the usual way injected code is handed control (process hollowing or thread hijacking).
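The extracted configuration above gives three Hancitor check-in URLs and one FickerStealer C2, and the signature list shows the sample looking up its external IP before talking to them. The following is an added example, written for this page and not code from the sandbox or from the malware, that turns those indicators into a small proxy-log correlation: it flags any request to the listed C2 URLs (noting when an external-IP lookup from the same host preceded it), any connection to the FickerStealer C2, and, as a generalization beyond this one config, POSTs to the `/<number>/forum.php` path shape that the three listed URLs share. The log format, the source addresses, and the set of IP-lookup hostnames are assumptions; the report does not say which lookup service the sample used.

```python
"""Correlate proxy-log lines against the C2 indicators extracted from 532.dll.

Added example for this report page, not sandbox or malware code.  The log
format ("<timestamp> <src> <method> <url-or-host:port>"), the sample lines,
and the IP-lookup hostnames are constructed assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the extracted configuration on this page.
HANCITOR_BOTNET = "2207_xwpi67"
HANCITOR_C2 = [
    "http://tholeferli.com/8/forum.php",
    "http://aidgodown.ru/8/forum.php",
    "http://relifleappin.ru/8/forum.php",
]
FICKER_C2 = ("pospvisis.com", 80)

# Assumption: common "what is my IP" services; the report names none.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}

# Generalization of the path shared by the three listed C2 URLs.
HANCITOR_PATH = re.compile(r"^/\d+/forum\.php$")


@dataclass(frozen=True)
class Hit:
    src: str
    kind: str
    detail: str


def _host_path_set(urls):
    """Normalize C2 URLs to (lower-case host, path) pairs for exact matching."""
    return {(urlparse(u).hostname.lower(), urlparse(u).path) for u in urls}


HANCITOR_HOSTPATH = _host_path_set(HANCITOR_C2)


def parse_line(line):
    """Parse one constructed log line; return (ts, src, method, host, port, path) or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, method, target = parts
    if method == "CONNECT":                      # raw TCP tunnel: "host:port"
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return None
        return ts, src, method, host.lower(), int(port), ""
    p = urlparse(target)
    if not p.hostname:
        return None
    port = p.port or (443 if p.scheme == "https" else 80)
    return ts, src, method, p.hostname.lower(), port, p.path or "/"


def analyze(lines):
    """Return Hit records for every line that touches a known or pattern-matched C2."""
    hits = []
    ip_lookup_seen = {}                          # src -> timestamp of its IP lookup
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, method, host, port, path = rec
        if host in IP_LOOKUP_HOSTS:
            ip_lookup_seen[src] = ts             # remember, but not a hit by itself
            continue
        if (host, path) in HANCITOR_HOSTPATH:
            detail = f"{method} {host}{path}"
            if src in ip_lookup_seen:
                detail += f" after external IP lookup at {ip_lookup_seen[src]}"
            hits.append(Hit(src, "hancitor_c2", detail))
        elif method == "POST" and HANCITOR_PATH.match(path):
            hits.append(Hit(src, "hancitor_path_pattern", f"{method} {host}{path}"))
        if (host, port) == FICKER_C2:
            hits.append(Hit(src, "fickerstealer_c2", f"{host}:{port}"))
    return hits


# Constructed sample log: two internal hosts, one of them showing the
# lookup-then-check-in sequence from the report, one hitting only the path shape.
SAMPLE_LOG = """\
2021-07-22T10:01:05Z 10.0.0.12 GET http://api.ipify.org/
2021-07-22T10:01:06Z 10.0.0.12 POST http://tholeferli.com/8/forum.php
2021-07-22T10:01:09Z 10.0.0.12 CONNECT pospvisis.com:80
2021-07-22T10:02:00Z 10.0.0.33 GET https://www.example.com/index.html
2021-07-22T10:02:30Z 10.0.0.33 POST http://example.net/4/forum.php
""".splitlines()

if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG):
        print(f"{h.src}\t{h.kind}\t{h.detail}")
```

The exact host/path matches are the high-confidence alerts; the path-pattern hit is a hunting lead only and should be reviewed against the destination host's reputation before escalation.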