Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-09-2021 11:48
Static task: static1
Behavioral task: behavioral1
- Sample: mixsix_20210919-183217.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: mixsix_20210919-183217.exe
- Resource: win10v20210408
General
- Target: mixsix_20210919-183217.exe
- Size: 482KB
- MD5: 725fc46e4245c76f1365aaa7959b67d4
- SHA1: cd25c8681fef3f57fb10564767a04194f4797a1f
- SHA256: ce67cfc6138290ac9252744f77b9f2d09e3a60fcdf5b64224e0b245b751d01cf
- SHA512: fbcd64b507cc63f4141db3ca3675359170fcac765c782b43a13b31affcd25b7bce2647403dffa0e8e5323624c911a21faf1097cb3df15ee56d72657e1660cfdc
Malware Config
- Extracted: fickerstealer
- game2030.site:80
Signatures
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    3    | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: mixsix_20210919-183217.exe
    description                         | pid  | process                    | target process
    PID 1296 set thread context of 1656 | 1296 | mixsix_20210919-183217.exe | mixsix_20210919-183217.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: mixsix_20210919-183217.exe
    description                      | pid  | process                    | target process
    PID 1296 wrote to memory of 1656 | 1296 | mixsix_20210919-183217.exe | mixsix_20210919-183217.exe
    (this identical row is listed 20 times in the report, one per WriteProcessMemory call)
Processes
- C:\Users\Admin\AppData\Local\Temp\mixsix_20210919-183217.exe (depth 1; PID 1296 per the signature IoCs above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mixsix_20210919-183217.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mixsix_20210919-183217.exe (depth 2, child of the process above; PID 1656 per the signature IoCs)
    Command line: "C:\Users\Admin\AppData\Local\Temp\mixsix_20210919-183217.exe"
Downloads
- memory/1296-57-0x0000000000470000-0x00000000004B7000-memory.dmp (filesize 284KB)
- memory/1656-55-0x0000000000401480-mapping.dmp
- memory/1656-54-0x0000000000400000-0x000000000044F000-memory.dmp (filesize 316KB)
- memory/1656-56-0x0000000075331000-0x0000000075333000-memory.dmp (filesize 8KB)
- memory/1656-58-0x0000000000400000-0x000000000044F000-memory.dmp (filesize 316KB)