General

  • Target

    mixsix_20210924-083109

  • Size

    523KB

  • Sample

    210926-nzm5bsegf6

  • MD5

    9b0e18017ea35c11d4e477028d8b862a

  • SHA1

    3ae7f49984dc702af623d39af51a071fba37fd6b

  • SHA256

    023e18099649da79f4edf0067b155f78effb978f2d4d9d9ff8d5cebcdd656cc1

  • SHA512

    f94efa893f4cb55883a7a9fdb163fefaee5bf7fa8adcccd13ae6da4746564b73b5abc4994a089f0f3d14b0f44475ead7159b0dd42cbb69065429f1500e496763

Malware Config

Extracted

Family

fickerstealer

C2

game2030.site:80

Targets

    • Target

      mixsix_20210924-083109

    • Size

      523KB

    • MD5

      9b0e18017ea35c11d4e477028d8b862a

    • SHA1

      3ae7f49984dc702af623d39af51a071fba37fd6b

    • SHA256

      023e18099649da79f4edf0067b155f78effb978f2d4d9d9ff8d5cebcdd656cc1

    • SHA512

      f94efa893f4cb55883a7a9fdb163fefaee5bf7fa8adcccd13ae6da4746564b73b5abc4994a089f0f3d14b0f44475ead7159b0dd42cbb69065429f1500e496763

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Tasks