Analysis

max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7v20201028
submitted: 29-03-2021 07:06
Static task: static1
Behavioral task: behavioral1 (sample: 0b5410174129f6dbf798c41730efe2ff.exe, resource: win7v20201028)
Behavioral task: behavioral2 (sample: 0b5410174129f6dbf798c41730efe2ff.exe, resource: win10v20201028)
General

Target: 0b5410174129f6dbf798c41730efe2ff.exe
Size: 284KB
MD5: 0b5410174129f6dbf798c41730efe2ff
SHA1: 5a121c20e0b230fb2408286aca5eca9193f62be4
SHA256: a3087f89fde08c1c5c69dd52168abf42d64658abc53d3c094bb886b9942d2f8f
SHA512: 2af6619d968b8c875d3f41a403a1d4a543827ece6e26056e9f57c5b5aab041195a7bfca39cfb9e05cd881530810fbb1d4f22ce6b3b79058fe9fc422c148590f0
Malware Config

Extracted family: fickerstealer
Extracted value: lukkeze.space:80
Signatures

fickerstealer
Ficker is an infostealer written in Rust and ASM.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 4, ioc: api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 1056 set thread context of 1712
  pid: 1056, process: 0b5410174129f6dbf798c41730efe2ff.exe
  target process: 0b5410174129f6dbf798c41730efe2ff.exe (PID 1712)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description: PID 1056 wrote to memory of 1712
  pid: 1056, process: 0b5410174129f6dbf798c41730efe2ff.exe
  target process: 0b5410174129f6dbf798c41730efe2ff.exe (PID 1712)
  (the same entry is repeated 14 times in the report, once per WriteProcessMemory event)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0b5410174129f6dbf798c41730efe2ff.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0b5410174129f6dbf798c41730efe2ff.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Level 2 (child of the above): C:\Users\Admin\AppData\Local\Temp\0b5410174129f6dbf798c41730efe2ff.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0b5410174129f6dbf798c41730efe2ff.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1056-2-0x0000000002350000-0x0000000002361000-memory.dmp (filesize: 68KB)
- memory/1056-3-0x0000000002350000-0x0000000002361000-memory.dmp (filesize: 68KB)
- memory/1056-7-0x0000000000220000-0x0000000000264000-memory.dmp (filesize: 272KB)
- memory/1672-9-0x000007FEF5F20000-0x000007FEF619A000-memory.dmp (filesize: 2.5MB)
- memory/1712-4-0x0000000000400000-0x0000000000448000-memory.dmp (filesize: 288KB)
- memory/1712-5-0x0000000000401480-mapping.dmp
- memory/1712-6-0x0000000075A61000-0x0000000075A63000-memory.dmp (filesize: 8KB)
- memory/1712-8-0x0000000000400000-0x0000000000448000-memory.dmp (filesize: 288KB)