General

  • Target

    0708_3355614568218.doc

  • Size

    877KB

  • Sample

    210709-6p4nstnkwn

  • MD5

    992338b40b38f1f55bd4a9599f70771c

  • SHA1

    866086438592043aebb88f3da34ad437681a5cb0

  • SHA256

    b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699

  • SHA512

    cd0482f15b709a61dcc3c0007486d5d2eaeb5bfc315cc2d82bd4f75dae68fed5fee8a0e90c61163723f34b0cdc6c459c186f14ef6b936bc5ed70e7b4d97da50a

Malware Config

  • Extracted

    Family: fickerstealer
    C2: pospvisis.com:80

Targets

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Hancitor

      Hancitor is a downloader used to deliver other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                      Count  ID
  Defense Evasion     Modify Registry                1      T1112
  Credential Access   Credentials in Files           2      T1081
  Discovery           Query Registry                 2      T1012
  Discovery           System Information Discovery   2      T1082
  Collection          Data from Local System         2      T1005

Tasks