General

  • Target

    651227ea1d7bd25e56aadef523689311de2aafae5ecfb9d6b5977d8ce30edbde

  • Size

    8.1MB

  • Sample

    220508-t2lbeafdbj

  • MD5

    d1e32649d8edf5f79028f067468ee9e0

  • SHA1

    62d920af35f70e81a29a301e326f5ad2853dfa69

  • SHA256

    651227ea1d7bd25e56aadef523689311de2aafae5ecfb9d6b5977d8ce30edbde

  • SHA512

    d329625a9cd5cd1b05ae23553e697946e7dd8cf9365ec8822c0576df4fd4d7965f45fb7492d4d51cc60715f0cd7494f33f28f8809919ae6c8ac61027b6025fac

Malware Config

Extracted

Family

fickerstealer

C2

45.67.231.4:80

Targets

    • Target

      651227ea1d7bd25e56aadef523689311de2aafae5ecfb9d6b5977d8ce30edbde

    • Size

      8.1MB

    • MD5

      d1e32649d8edf5f79028f067468ee9e0

    • SHA1

      62d920af35f70e81a29a301e326f5ad2853dfa69

    • SHA256

      651227ea1d7bd25e56aadef523689311de2aafae5ecfb9d6b5977d8ce30edbde

    • SHA512

      d329625a9cd5cd1b05ae23553e697946e7dd8cf9365ec8822c0576df4fd4d7965f45fb7492d4d51cc60715f0cd7494f33f28f8809919ae6c8ac61027b6025fac

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class detaches the calling thread from an attached debugger, which then stops receiving that thread's debug events; this is a common anti-debugging technique.
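
The anti-VM, anti-sandbox and external-IP-lookup signatures above, turned into detection logic that can be run over host telemetry. This is an added example, not code from the sandbox or from the Ficker sample: the event format, the sample events and the list of IP-lookup hosts are constructed assumptions for this example, while the registry paths are the standard locations such checks read (ACPI tables under HARDWARE\ACPI named VBOX__, SystemBiosVersion/VideoBiosVersion under HARDWARE\DESCRIPTION\System, and Software\Wine) and the C2 address is the one extracted in the report.

```python
"""Classify sandbox/EDR events against the anti-analysis behaviours listed in the
report (VirtualBox ACPI keys, BIOS strings, Wine keys, external-IP lookup, C2).
Added example, not part of the original report or of Ficker's own code.
Event layout and sample events are constructed for this example."""
import re
from typing import Dict, Iterable, List

# Well-known registry locations consulted by anti-VM / anti-sandbox code.
REGISTRY_INDICATORS = [
    # (compiled path pattern, technique label)
    (re.compile(r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I), "virtualbox-acpi"),
    (re.compile(r"HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), "bios-info"),
    (re.compile(r"HARDWARE\\DESCRIPTION\\System\\BIOS\\", re.I), "bios-info"),
    (re.compile(r"Software\\Wine(\\|$)", re.I), "wine-registry"),
]

# Assumed list of "what is my IP" services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "ip-api.com"}

# Extracted from the report's malware config.
KNOWN_C2 = {"45.67.231.4:80"}


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the technique labels an event matches (empty list if benign)."""
    labels: List[str] = []
    kind = event.get("type")
    if kind == "registry_read":
        path = event.get("path", "")
        for pattern, label in REGISTRY_INDICATORS:
            if pattern.search(path):
                labels.append(label)
    elif kind == "network":
        dst = event.get("dst", "")
        host = event.get("host", "").lower()
        if host in IP_LOOKUP_HOSTS:
            labels.append("external-ip-lookup")
        if dst in KNOWN_C2:
            labels.append("ficker-c2")
    return labels


def score_process(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per technique across one process's events."""
    counts: Dict[str, int] = {}
    for ev in events:
        for label in classify_event(ev):
            counts[label] = counts.get(label, 0) + 1
    return counts


def is_anti_analysis(counts: Dict[str, int]) -> bool:
    """Two or more distinct anti-VM/anti-sandbox techniques marks the sample as
    evasion-aware; a single BIOS read alone is too common to alert on."""
    evasion = {"virtualbox-acpi", "bios-info", "wine-registry"}
    return len(evasion & set(counts)) >= 2


# Constructed sample telemetry (not taken from the real sandbox run);
# the 203.0.113.0/24 destination is documentation address space.
SAMPLE_EVENTS = [
    {"type": "registry_read", "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry_read", "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry_read", "path": r"HKCU\Software\Wine"},
    {"type": "registry_read", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "network", "host": "api.ipify.org", "dst": "203.0.113.10:443"},
    {"type": "network", "host": "", "dst": "45.67.231.4:80"},
]

if __name__ == "__main__":
    hits = score_process(SAMPLE_EVENTS)
    print(hits)
    print("anti-analysis:", is_anti_analysis(hits))
```

The same patterns double as a sandbox self-check: if a clean run of a benign process inside your analysis VM produces `virtualbox-acpi` or `bios-info` hits, those artifacts are visible to the sample too and should be masked.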

MITRE ATT&CK Enterprise v6

Tasks