General

  • Target

    ab33dd2fe5e133ea982810c86ac78f41572e632a037536e3e908f1cea2483223

  • Size

    2.9MB

  • Sample

    220511-31rlgadge6

  • MD5

    5598027d46551abb118ee343baaa530d

  • SHA1

    16907ea747cbaaae64b83b95566e0aba6a022a2c

  • SHA256

    ab33dd2fe5e133ea982810c86ac78f41572e632a037536e3e908f1cea2483223

  • SHA512

    8ba9536a4556ad0aa95cef9a0b5e26d729cdb9e0f03aed5d721358b650e6be0764217d348e4d353276ccfc39e43a0c16d51cd6d7166034f9bb31c6a479880c84

Malware Config

Extracted

Family

fickerstealer

C2

45.67.231.4:80

Targets

    • Target

      ab33dd2fe5e133ea982810c86ac78f41572e632a037536e3e908f1cea2483223

    • Size

      2.9MB

    • MD5

      5598027d46551abb118ee343baaa530d

    • SHA1

      16907ea747cbaaae64b83b95566e0aba6a022a2c

    • SHA256

      ab33dd2fe5e133ea982810c86ac78f41572e632a037536e3e908f1cea2483223

    • SHA512

      8ba9536a4556ad0aa95cef9a0b5e26d729cdb9e0f03aed5d721358b650e6be0764217d348e4d353276ccfc39e43a0c16d51cd6d7166034f9bb31c6a479880c84

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks