Analysis
max time kernel: 142s
max time network: 154s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-09-2021 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: mixsix_20210919-093205.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: mixsix_20210919-093205.exe
  Resource: win10v20210408
General
Target: mixsix_20210919-093205.exe
Size: 477KB
MD5: 5a201b72a6586afe40b60948afab9d22
SHA1: 2cca256b60e74f7e002a6c2422598e5eb7ab4fbd
SHA256: 3700fd2107cc453097ff092f1d2be1678cba183034b950ffb74c38a2abc6b260
SHA512: 24446cede744c59a19c5ca4998a80f67c6e95cb4ffdee0e118136022f1252e770e158dcfbf9f1fce9d1735e1597d31ea7d28ef6b24ef2ef8589d8010aa007418
Malware Config
Extracted family: fickerstealer
Extracted host:port: game2030.site:80
Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 5: api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 1108 set thread context of 1708 | 1108 | mixsix_20210919-093205.exe | mixsix_20210919-093205.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description | pid | process | target process), 20 identical events:
  PID 1108 wrote to memory of 1708 | 1108 | mixsix_20210919-093205.exe | mixsix_20210919-093205.exe

Taken together, the parent (PID 1108) writes repeatedly into a child that runs the same image (PID 1708) and then sets that child's thread context. This sequence is consistent with the sample hollowing a suspended copy of itself, so the child's memory, not the file on disk, is where the unpacked payload should be expected.
Processes
1. C:\Users\Admin\AppData\Local\Temp\mixsix_20210919-093205.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\mixsix_20210919-093205.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\mixsix_20210919-093205.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\mixsix_20210919-093205.exe"
Network
MITRE ATT&CK Matrix
Downloads (memory dumps, PID-index-range)
- memory/1108-56-0x0000000000220000-0x0000000000267000-memory.dmp (284KB)
- memory/1708-54-0x0000000000400000-0x000000000044F000-memory.dmp (316KB)
- memory/1708-55-0x0000000000401480-mapping.dmp
- memory/1708-57-0x0000000000400000-0x000000000044F000-memory.dmp (316KB)
- memory/1708-58-0x0000000075BF1000-0x0000000075BF3000-memory.dmp (8KB)
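The two injection signatures and the memory dumps listed above describe one event: PID 1108 writes 20 times into a child that runs the same image (PID 1708) and sets its thread context, and the sandbox then dumps the child's 0x400000-0x44F000 region twice plus a mapping dump at 0x401480, an address inside that region. The following Python is an added example, not part of this report or of any sandbox's code. It correlates constructed event lines modelled on the signature rows with the dump names copied from the Downloads list, flags the write-then-SetThreadContext pair, and picks out the target's dumps that contain the mapping address, which are the ones to open first. The one-line event format and the helper names are assumptions made for this example.

```python
"""Correlate sandbox process events and memory-dump names into one
injection finding. Added example; not the sandbox's own code."""
import re
from collections import defaultdict

# Constructed input modelled on the report's rows: 20 identical
# WriteProcessMemory events and one SetThreadContext event. The
# one-line "PID src op dst pid process target" format is an assumption.
SAMPLE_EVENTS = (
    ["PID 1108 wrote to memory of 1708 1108 "
     "mixsix_20210919-093205.exe mixsix_20210919-093205.exe"] * 20
    + ["PID 1108 set thread context of 1708 1108 "
       "mixsix_20210919-093205.exe mixsix_20210919-093205.exe"]
)

# Dump names copied from the report's Downloads list.
SAMPLE_DUMPS = [
    "memory/1108-56-0x0000000000220000-0x0000000000267000-memory.dmp",
    "memory/1708-54-0x0000000000400000-0x000000000044F000-memory.dmp",
    "memory/1708-55-0x0000000000401480-mapping.dmp",
    "memory/1708-57-0x0000000000400000-0x000000000044F000-memory.dmp",
    "memory/1708-58-0x0000000075BF1000-0x0000000075BF3000-memory.dmp",
]

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
REGION_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
MAPPING_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<addr>[0-9A-Fa-f]+)-mapping\.dmp$"
)


def parse_events(lines):
    """Group events by (src pid, dst pid): number of writes, whether a
    thread context was set, and the two image names."""
    pairs = defaultdict(
        lambda: {"writes": 0, "ctx": False, "src_img": None, "dst_img": None}
    )
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # unrelated row, ignore
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        if m["op"].startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["ctx"] = True
        rec["src_img"], rec["dst_img"] = m["src_img"], m["dst_img"]
    return dict(pairs)


def find_hollowing(lines):
    """Flag (src, dst) pairs where src both wrote into dst and set a thread
    context there. A target running the same image as the writer is the
    hollow-a-suspended-copy-of-yourself pattern seen in this report."""
    findings = []
    for (src, dst), rec in parse_events(lines).items():
        if src == dst or rec["writes"] == 0 or not rec["ctx"]:
            continue  # writes alone or context alone are not enough
        findings.append({
            "src": src, "dst": dst, "writes": rec["writes"],
            "self_image": rec["src_img"] == rec["dst_img"],
        })
    return findings


def dumps_for_target(dump_names, pid):
    """Return the dumped regions of `pid` that contain the address the
    sandbox recorded in that pid's '-mapping.dmp' entry."""
    mapping_addr = None
    regions = []
    for name in dump_names:
        m = MAPPING_RE.match(name)
        if m and int(m["pid"]) == pid:
            mapping_addr = int(m["addr"], 16)
            continue
        m = REGION_RE.match(name)
        if m and int(m["pid"]) == pid:
            regions.append((int(m["start"], 16), int(m["end"], 16), name))
    if mapping_addr is None:
        return []  # no mapping dump for this pid, nothing to rank
    return [n for s, e, n in regions if s <= mapping_addr < e]


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_EVENTS):
        print(f"PID {f['src']} -> {f['dst']}: {f['writes']} writes + "
              f"SetThreadContext, same image: {f['self_image']}")
        for n in dumps_for_target(SAMPLE_DUMPS, f["dst"]):
            print("  analyze:", n)
```

On this report the finding is PID 1108 -> 1708 with 20 writes and matching image names, and the two 0x400000-0x44F000 dumps of PID 1708 are the ones that contain the 0x401480 mapping address; the 8KB region at 0x75BF1000 is excluded.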