General
-
Target
0722_0258046206.xls
-
Size
343KB
-
Sample
210722-d3lmdt3zm2
-
MD5
4942f8e35bde6d5e85139c848a8285c0
-
SHA1
7ae9a3b43f191fdc818cbbdcaa60b475e64e3b9e
-
SHA256
e4a33c7818a9cf9ceb3ac44b0138c1bbd40f288bdaf8839add5b42e74a238ade
-
SHA512
9186518dc8ca345f8afb53ee03609a1b0704adcace59a3bfba3e3596f89489f5cdad5b19a802a93ff285bb4f75e130088e5060eb0da0b469cca63bb6ae024d5b
Malware Config
Extracted
hancitor
2207_xwpi67
http://tholeferli.com/8/forum.php
http://aidgodown.ru/8/forum.php
http://relifleappin.ru/8/forum.php
Extracted
fickerstealer
pospvisis.com:80
Targets
-
-
Target
0722_0258046206.xls
-
Size
343KB
-
MD5
4942f8e35bde6d5e85139c848a8285c0
-
SHA1
7ae9a3b43f191fdc818cbbdcaa60b475e64e3b9e
-
SHA256
e4a33c7818a9cf9ceb3ac44b0138c1bbd40f288bdaf8839add5b42e74a238ade
-
SHA512
9186518dc8ca345f8afb53ee03609a1b0704adcace59a3bfba3e3596f89489f5cdad5b19a802a93ff285bb4f75e130088e5060eb0da0b469cca63bb6ae024d5b
Score10/10-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Hancitor
Hancitor is downloader used to deliver other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-