Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 22:27

General

  • Target

    mixsix_20211021-213834.exe

  • Size

    502KB

  • MD5

    8b88f6c7769be88bcc52eaeea38621f2

  • SHA1

    bb67682e4b6421dfcc26fee615e9bc8499786599

  • SHA256

    629483458b79478365479b415c1efa5334cf87b3b6617aff6b6145fd28ae085e

  • SHA512

    ebc8916650ae9682b3c32b194889589595325e26054d77fa2bc62ca2d520a4a754156931a01c7ca3e11f5c9323e2fadefc2e865f04baf7255b19ce41c22c37c0

Malware Config

Extracted

Family

fickerstealer

C2

game2030.site:80

Extracted

Family

arkei

Botnet

Default

C2

http://gurums.online/ggate.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • suricata: ET MALWARE Win32/Ficker Stealer Activity M3

    suricata: ET MALWARE Win32/Ficker Stealer Activity M3

  • Arkei Stealer Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mixsix_20211021-213834.exe
    "C:\Users\Admin\AppData\Local\Temp\mixsix_20211021-213834.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\mixsix_20211021-213834.exe
      "C:\Users\Admin\AppData\Local\Temp\mixsix_20211021-213834.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Users\Admin\AppData\Local\Temp\1635121677588.exe
        "C:\Users\Admin\AppData\Local\Temp\1635121677588.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
          "C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Users\Admin\AppData\Local\Temp\hvytube.exe
            "C:\Users\Admin\AppData\Local\Temp\hvytube.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Users\Admin\AppData\Roaming\HVYtube3\hvytube.exe
              "C:\Users\Admin\AppData\Roaming\HVYtube3\hvytube.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2264
      • C:\Users\Admin\AppData\Local\Temp\1635121677680.exe
        "C:\Users\Admin\AppData\Local\Temp\1635121677680.exe"
        3⤵
        • Executes dropped EXE
        PID:1624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1256
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hvytube.exe.log
    MD5

    957779c42144282d8cd83192b8fbc7cf

    SHA1

    de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

    SHA256

    0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

    SHA512

    f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

  • C:\Users\Admin\AppData\Local\Temp\1635121677588.exe
    MD5

    07c4277b0278cafddb023934c154cc56

    SHA1

    8fc547689272aa2f26e5721264d4260caae499c0

    SHA256

    9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

    SHA512

    21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

  • C:\Users\Admin\AppData\Local\Temp\1635121677588.exe
    MD5

    07c4277b0278cafddb023934c154cc56

    SHA1

    8fc547689272aa2f26e5721264d4260caae499c0

    SHA256

    9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

    SHA512

    21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

  • C:\Users\Admin\AppData\Local\Temp\1635121677680.exe
    MD5

    4bb65548f890bed129c141c3c04fc8c4

    SHA1

    39257aa791e39dd40a79d1c33c35c30010a98e0d

    SHA256

    681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

    SHA512

    48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

  • C:\Users\Admin\AppData\Local\Temp\1635121677680.exe
    MD5

    4bb65548f890bed129c141c3c04fc8c4

    SHA1

    39257aa791e39dd40a79d1c33c35c30010a98e0d

    SHA256

    681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

    SHA512

    48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

  • C:\Users\Admin\AppData\Local\Temp\hvytube.exe
    MD5

    c7f0ff4bc816f92f0f421e380f453968

    SHA1

    e7fe567f76c95176068be75ad9f671142af23962

    SHA256

    e75d1bfadd17d005eda82ec93adbdaa6b63000bb78accc01b8d33f7f7e1b1f10

    SHA512

    d7bb10b49d2153562d6b218fb2efd93133a90e39174b5b6ba20fa9109a2af9ba8fe6d348a20cd44304517ff43745c6745264cac71ddf559770074e191ad9a04f

  • C:\Users\Admin\AppData\Local\Temp\hvytube.exe
    MD5

    c7f0ff4bc816f92f0f421e380f453968

    SHA1

    e7fe567f76c95176068be75ad9f671142af23962

    SHA256

    e75d1bfadd17d005eda82ec93adbdaa6b63000bb78accc01b8d33f7f7e1b1f10

    SHA512

    d7bb10b49d2153562d6b218fb2efd93133a90e39174b5b6ba20fa9109a2af9ba8fe6d348a20cd44304517ff43745c6745264cac71ddf559770074e191ad9a04f

  • C:\Users\Admin\AppData\Roaming\HVYtube3\hvytube.exe
    MD5

    c7f0ff4bc816f92f0f421e380f453968

    SHA1

    e7fe567f76c95176068be75ad9f671142af23962

    SHA256

    e75d1bfadd17d005eda82ec93adbdaa6b63000bb78accc01b8d33f7f7e1b1f10

    SHA512

    d7bb10b49d2153562d6b218fb2efd93133a90e39174b5b6ba20fa9109a2af9ba8fe6d348a20cd44304517ff43745c6745264cac71ddf559770074e191ad9a04f

  • C:\Users\Admin\AppData\Roaming\HVYtube3\hvytube.exe
    MD5

    c7f0ff4bc816f92f0f421e380f453968

    SHA1

    e7fe567f76c95176068be75ad9f671142af23962

    SHA256

    e75d1bfadd17d005eda82ec93adbdaa6b63000bb78accc01b8d33f7f7e1b1f10

    SHA512

    d7bb10b49d2153562d6b218fb2efd93133a90e39174b5b6ba20fa9109a2af9ba8fe6d348a20cd44304517ff43745c6745264cac71ddf559770074e191ad9a04f

  • C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
    MD5

    07c4277b0278cafddb023934c154cc56

    SHA1

    8fc547689272aa2f26e5721264d4260caae499c0

    SHA256

    9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

    SHA512

    21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

  • C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
    MD5

    07c4277b0278cafddb023934c154cc56

    SHA1

    8fc547689272aa2f26e5721264d4260caae499c0

    SHA256

    9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

    SHA512

    21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

  • memory/828-120-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

  • memory/828-116-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize

    316KB

  • memory/828-117-0x0000000000401480-mapping.dmp
  • memory/1488-144-0x0000000000E40000-0x0000000000E41000-memory.dmp
    Filesize

    4KB

  • memory/1488-140-0x0000000000000000-mapping.dmp
  • memory/1624-123-0x0000000000000000-mapping.dmp
  • memory/1964-137-0x0000000006B20000-0x0000000006BDA000-memory.dmp
    Filesize

    744KB

  • memory/1964-148-0x0000000006990000-0x0000000006991000-memory.dmp
    Filesize

    4KB

  • memory/1964-138-0x00000000060A0000-0x00000000060A5000-memory.dmp
    Filesize

    20KB

  • memory/1964-139-0x00000000060D0000-0x00000000060D6000-memory.dmp
    Filesize

    24KB

  • memory/1964-135-0x0000000006220000-0x0000000006226000-memory.dmp
    Filesize

    24KB

  • memory/1964-134-0x00000000034E0000-0x00000000034E1000-memory.dmp
    Filesize

    4KB

  • memory/1964-129-0x0000000000000000-mapping.dmp
  • memory/1964-153-0x0000000007800000-0x0000000007801000-memory.dmp
    Filesize

    4KB

  • memory/1964-142-0x0000000006C10000-0x0000000006C11000-memory.dmp
    Filesize

    4KB

  • memory/1964-146-0x00000000068A0000-0x00000000068A1000-memory.dmp
    Filesize

    4KB

  • memory/1964-147-0x00000000068C0000-0x000000000694F000-memory.dmp
    Filesize

    572KB

  • memory/1964-136-0x0000000006630000-0x0000000006707000-memory.dmp
    Filesize

    860KB

  • memory/1964-149-0x0000000006C00000-0x0000000006C01000-memory.dmp
    Filesize

    4KB

  • memory/1964-150-0x00000000069B0000-0x00000000069B1000-memory.dmp
    Filesize

    4KB

  • memory/1964-151-0x00000000073C0000-0x0000000007460000-memory.dmp
    Filesize

    640KB

  • memory/1964-152-0x00000000077D0000-0x00000000077D1000-memory.dmp
    Filesize

    4KB

  • memory/2264-154-0x0000000000000000-mapping.dmp
  • memory/2264-160-0x00000000057A0000-0x00000000057A1000-memory.dmp
    Filesize

    4KB

  • memory/2508-127-0x0000000000F10000-0x0000000000F11000-memory.dmp
    Filesize

    4KB

  • memory/2508-121-0x0000000000000000-mapping.dmp
  • memory/2704-119-0x0000000004B40000-0x0000000004B87000-memory.dmp
    Filesize

    284KB

  • memory/2704-118-0x0000000002FA0000-0x000000000304E000-memory.dmp
    Filesize

    696KB