ClickFix - FakeCaptcha phishing threat analysis + threat research

Important elements of the analysis:

  • ClickFix Phishing campaign threat
  • FakeCaptcha
  • C&C domain and IP address
  • Multi-stage dropped artifacts
  • Infostealer threats
  • Windows Defender exclusion to evade malware detection
  • CMD and PowerShell executions
  • Execution environment information collection
  • Anti-VM and anti-sandbox
  • cfgmgr32.dll library calls


In this analysis we examine a ClickFix sample compiled on 12th May 2025. The artifact was developed in C++:



MITRE Matrix:




A hexadecimal inspection of the PE shows evidence of the development phase and the release version of the threat, as produced by the IDE:


An analysis of the strings extracted from the threat reveals the C&C domain getsveriff[.]com, used to download the second-stage artifact named "hrjfb.exe". A CMD execution launches PowerShell to exclude the folder C:\Windows\Temp and the dropped artifact "tybd7.exe" from Windows Defender. The artifacts downloaded and dropped by ClickFix and FakeCaptcha phishing threats are usually associated with infostealer threats.
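Detecting the Defender-exclusion step from the defender's side, as an added example that is not part of the original analysis: the Python below scans constructed telemetry (Defender Event ID 5007 configuration-change messages and process-creation command lines) for newly added exclusions and rates them, so the temp-folder and per-executable exclusions described above stand out. The exact PowerShell command the sample runs is not shown on the page; the Add-MpPreference command line, the log layout and all sample lines here are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real logs): Defender 5007 configuration
# change events plus process-creation command lines (Sysmon 1 / Security 4688).
SAMPLE_LOG = [
    r"5007 Windows Defender Antivirus Configuration has changed. New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp = 0x0",
    r"5007 Windows Defender Antivirus Configuration has changed. New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\tybd7.exe = 0x0",
    r'4688 CommandLine: cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath C:\Windows\Temp"',
    r"5007 Windows Defender Antivirus Configuration has changed. New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\SQLData = 0x0",
    r"4688 CommandLine: notepad.exe C:\Users\bob\notes.txt",
]

# Writable staging locations droppers favour; excluding them blinds Defender
# exactly where a second-stage payload lands.
RISKY_LOCATIONS = (r"c:\windows\temp", r"c:\users\public", r"\appdata\local\temp", r"\downloads")

# 5007 reports the new exclusion as a registry value under Exclusions\Paths or
# Exclusions\Processes, e.g. "...\Exclusions\Paths\C:\Windows\Temp = 0x0".
EVENT_5007_RE = re.compile(
    r"Exclusions\\(?P<kind>Paths|Processes)\\(?P<value>[^=]+?)\s*=\s*0x0", re.IGNORECASE)
# Cmdlet form in a command line: Add-MpPreference -ExclusionPath/-ExclusionProcess <value>
CMDLET_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process)\s+['\"]?(?P<value>[^'\"\s]+)",
    re.IGNORECASE)


def classify(kind: str, value: str) -> str:
    """Rate an exclusion: per-executable or temp/user-writable folder exclusions are high risk."""
    low = value.lower()
    if kind == "process" or low.endswith(".exe"):
        return "high"
    if any(loc in low for loc in RISKY_LOCATIONS):
        return "high"
    return "medium"  # still worth reviewing: every exclusion widens the blind spot


def find_defender_exclusions(lines: List[str]) -> List[Dict[str, str]]:
    """Extract every Defender exclusion from the telemetry lines, with its source and risk."""
    findings = []
    for line in lines:
        for rx, source in ((EVENT_5007_RE, "event5007"), (CMDLET_RE, "cmdline")):
            for m in rx.finditer(line):
                kind = "process" if m.group("kind").lower().startswith("proc") else "path"
                value = m.group("value").strip()
                findings.append({"source": source, "kind": kind, "value": value,
                                 "risk": classify(kind, value)})
    return findings


if __name__ == "__main__":
    for f in find_defender_exclusions(SAMPLE_LOG):
        print(f"[{f['risk']:6}] {f['source']:9} {f['kind']}: {f['value']}")
```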





The sample is generally not packed; the entropy coefficient of the .text section is 6.49102. Here are also the details of the byte distribution:






The malware calls the functions IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime and IsDebuggerPresent. These functions can be used to detect execution inside virtual machines and sandboxes, allowing the sample to evade detonation (anti-VM and anti-sandbox behaviour). Note that the Visual Studio C runtime also imports these functions during start-up, so on their own they are only a weak indicator.



Here are further details about the PE, including the compile date; the IDE signature indicates the threat was developed with Visual Studio 2015:





The entry point of the .text section is 0x00009218:



Here are further details about the file sections, including the entropy coefficients of the .rdata and .rsrc sections (resources such as the manifest file):



Here are the details of the functions called. They include ShellExecuteExW, used to execute external processes, and GetEnvironmentStrings and GetModuleHandleExW, used to obtain further details about the execution environment:


The execution level in the manifest file is set to asInvoker (no elevation is requested; the process runs with the privileges of the user who launched it):




In a dynamic analysis and debugging session we can see the call to the C&C domain getsveriff[.]com to retrieve the artifact hrjfb.exe:



Here is the access to the C:\Windows\Temp folder, followed by the exclusion of the dropped threat tybd7.exe from Windows Defender:


Further evidence of environment information gathering is the call to EnumSystemLocalesEx, which can be used to enumerate the locales present in the operating system:


The malware keeps track of the malicious executions and stages with a Result attribute:



A real-time process activity dump shows calls to the library cfgmgr32.dll (the legitimate Windows Configuration Manager library, so a weak indicator on its own), used in the past by Emotet threats to perform C&C connections:



The malware obtains information about the system settings and customizations via the function GetUserDefaultLCID:


The C&C domain is recognized as malicious by OSINT sources:


Here are the details of the correlations with the downloader executables (ClickFix fake CAPTCHA phishing campaign threats) and the PowerShell scripts that download the artifacts:



The domain getsveriff[.]com was registered in Russia through the ISP LLC Baxet, which has a quite high Fraud Risk Score:



Here are the URLs associated with the domain, including the one serving the threat in question:



The C&C host 193.233.84[.]124 exposes an OpenSSH service:


It uses the DNSPod DNS service, which is registered in China:




Further OSINT research shows other interesting protocols and services exposed on the host: 123 (NTP) and 25 (SMTP):


IOCs:

  • 70a3808137c1eb258f3d491ed0a131e0
  • e6cc4cf4cc77ac4a2620dae539d406047b0f31d1
  • 79efd8a1872242772a82859313c3988826b0f3e026c9289b176cd23897785677
  • getsveriff[.]com
  • 193.233.84[.]124
  • hrjfb.exe
  • tybd7.exe

YARA rules:

import "vt"

rule ClickFix12052025
{
    meta:
        description = "Detects the ClickFix Phishing downloader sample of 12th May 2025 by the name of its dropped artifact"

    strings:
        $str = "tybd7.exe"
        // same bytes as $str, kept for byte-level matching
        $hex = { 74 79 62 64 37 2e 65 78 65 }

    condition:
        $str or $hex
}

rule ClickFix12052025CnC
{
    meta:
        description = "Detects ClickFix Phishing downloader sample of 12th May 2025 with C&C information"

    condition:
        // VirusTotal Livehunt rule (vt module). The indicators are written
        // un-defanged here, as they appear in real URLs; the defanged [.]
        // form used in the text above would never match.
        vt.net.url.raw icontains "193.233.84.124" or
        vt.net.url.raw icontains "getsveriff.com"
}