Analysis
max time kernel: 149s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 29-03-2021 07:06
Static task: static1

Behavioral task: behavioral1
  Sample: 0b5410174129f6dbf798c41730efe2ff.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 0b5410174129f6dbf798c41730efe2ff.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 0b5410174129f6dbf798c41730efe2ff.exe
Size: 284KB
MD5: 0b5410174129f6dbf798c41730efe2ff
SHA1: 5a121c20e0b230fb2408286aca5eca9193f62be4
SHA256: a3087f89fde08c1c5c69dd52168abf42d64658abc53d3c094bb886b9942d2f8f
SHA512: 2af6619d968b8c875d3f41a403a1d4a543827ece6e26056e9f57c5b5aab041195a7bfca39cfb9e05cd881530810fbb1d4f22ce6b3b79058fe9fc422c148590f0
Score: 10/10
Malware Config (Extracted)
Family: fickerstealer
C2: lukkeze.space:80
Signatures

fickerstealer
  Ficker is an infostealer written in Rust and ASM.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  7    | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | Process                              | procid_target
  PID 4020 set thread context of 2416  | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74

Suspicious use of WriteProcessMemory (13 IoCs)
  description                          | pid  | Process                              | procid_target
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
  PID 4020 wrote to memory of 2416     | 4020 | 0b5410174129f6dbf798c41730efe2ff.exe | 74
Processes

1. C:\Users\Admin\AppData\Local\Temp\0b5410174129f6dbf798c41730efe2ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b5410174129f6dbf798c41730efe2ff.exe"
   PID: 4020
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\0b5410174129f6dbf798c41730efe2ff.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0b5410174129f6dbf798c41730efe2ff.exe"
      PID: 2416