Inside FireScam: An Information Stealer with Spyware Capabilities

    Date: 01/06/2025

    Severity: Medium

    Summary

    "Inside FireScam: An Information Stealer with Spyware Capabilities" delves into the workings of FireScam, a sophisticated Android malware disguised as a Telegram Premium app. The report analyzes its distribution techniques, operational features, and impact on both individuals and organizations. FireScam is identified as a threat with information-stealing and spyware capabilities, emphasizing the critical need for strong security defenses to protect against such evolving cyber threats.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://rustore-apk.github.io/telegram_premium

    https://s-usc1b-nss-2100.firebaseio.com/.ws?ns=androidscamru-default-rtdb&v=5&ls=*

    s-usc1b-nss-2100.firebaseio.com

    https://androidscamru-default-rtdb.firebaseio.com

    Hash

    cae5a13c0b06de52d8379f4c61aece9c
    
    5d21c52e6ea7769be45f10e82b973b1e
    
    12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1
    
    b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "https://rustore-apk.github.io/telegram_premium" or url like "https://rustore-apk.github.io/telegram_premium" or userdomainname like "https://s-usc1b-nss-2100.firebaseio.com/.ws?ns=androidscamru-default-rtdb&v=5&ls=*" or url like "https://s-usc1b-nss-2100.firebaseio.com/.ws?ns=androidscamru-default-rtdb&v=5&ls=*" or userdomainname like "s-usc1b-nss-2100.firebaseio.com" or url like "s-usc1b-nss-2100.firebaseio.com" or userdomainname like "https://androidscamru-default-rtdb.firebaseio.com" or url like "https://androidscamru-default-rtdb.firebaseio.com"

    Detection Query 2

    md5hash IN ("cae5a13c0b06de52d8379f4c61aece9c","5d21c52e6ea7769be45f10e82b973b1e")

    Detection Query 3

    sha256hash IN ("12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1","b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b")
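The three queries above can be reproduced outside the Gurucul platform as a small IOC matcher. The following is an added example, not code from the advisory or from Gurucul/CYFIRMA; it assumes each log record is a dict with a `url` key (proxy/DNS telemetry) or `md5`/`sha256` keys (file telemetry), and the sample records are constructed. It treats the `*` in the Firebase websocket URL as a wildcard and the bare Firebase hostname as a domain IOC, mirroring the `like` clauses in Detection Query 1.

```python
import re
from urllib.parse import urlsplit
# IOCs exactly as published in the advisory above.
URL_IOCS = [
    "https://rustore-apk.github.io/telegram_premium",
    "https://s-usc1b-nss-2100.firebaseio.com/.ws?ns=androidscamru-default-rtdb&v=5&ls=*",
    "https://androidscamru-default-rtdb.firebaseio.com",
]
DOMAIN_IOCS = {"s-usc1b-nss-2100.firebaseio.com"}
MD5_IOCS = {"cae5a13c0b06de52d8379f4c61aece9c", "5d21c52e6ea7769be45f10e82b973b1e"}
SHA256_IOCS = {
    "12305b2cacde34898f02bed0b12f580aff46531aa4ef28ae29b1bf164259e7d1",
    "b041ff57c477947dacd73036bf0dee7a0d6221275368af8b6dbbd5c1ab4e981b",
}
# Only '*' is a wildcard (the 'ls=*' in the Firebase URL); '?' and '&' stay literal.
def _wildcard_regex(pattern):
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")
URL_PATTERNS = [(ioc, _wildcard_regex(ioc.rstrip("/"))) for ioc in URL_IOCS]

def match_url(url):
    # Scheme and host compare case-insensitively; path and query are exact.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    normalized = f"{parts.scheme.lower()}://{host}{parts.path}" + (f"?{parts.query}" if parts.query else "")
    for ioc, rx in URL_PATTERNS:
        if rx.match(normalized.rstrip("/")):
            return ioc
    return host if host in DOMAIN_IOCS else None  # bare-domain IOC as fallback

def match_hash(record):
    # Hash IOCs are lowercase; normalize the logged value before comparing.
    md5, sha256 = record.get("md5", "").lower(), record.get("sha256", "").lower()
    return md5 if md5 in MD5_IOCS else sha256 if sha256 in SHA256_IOCS else None

def scan(records):
    hits = []  # (record index, matched IOC) for every record that hits an IOC
    for i, rec in enumerate(records):
        ioc = match_url(rec["url"]) if "url" in rec else match_hash(rec)
        if ioc:
            hits.append((i, ioc))
    return hits

# Constructed sample records (not real telemetry): two URL hits, one hash hit, one benign.
SAMPLE_RECORDS = [
    {"url": "https://rustore-apk.github.io/telegram_premium"},
    {"url": "https://telegram.org/"},
    {"url": "https://S-USC1B-NSS-2100.firebaseio.com/.ws?ns=androidscamru-default-rtdb&v=5&ls=x1"},
    {"md5": "CAE5A13C0B06DE52D8379F4C61AECE9C"},
]
```

Because the queries match on full URL strings, a log source that records only hostnames will hit Query 1 solely through the bare `s-usc1b-nss-2100.firebaseio.com` clause; the host-level fallback above covers that case.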

    Reference:

    https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/


    Tags

    Malware, Stealer, Spyware, Telegram
