Analysis
- max time kernel: 166s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 23:23
Static task: static1
Behavioral task: behavioral1
- Sample: 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe
- Resource: win10v2004-20220414-en
General
- Target: 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe
- Size: 3.2MB
- MD5: 00f73ae5d08c848ed4df5ca8e4a40133
- SHA1: 7c9fe77827aefc421887a02450133becc1049ef5
- SHA256: 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539
- SHA512: 2c5118a8648b94e551b2e9d63621f495b7dfac93bf2d5088c4813a7d73d5376c07c74cb350d1b99bfa41ea2c1ac8e3f7188569418aca6f03d8b7ea7c66b236be
Malware Config
Extracted
- Family: fickerstealer
- C2: 45.67.231.4:80
Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments (hypervisor BIOS vendor and version strings are easy to recognise).
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe

Themida packer detected (YARA rule: themida) 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1904-130-0x0000000000400000-0x0000000000BB0000-memory.dmp | themida
behavioral2/memory/1904-132-0x0000000000400000-0x0000000000BB0000-memory.dmp | themida
behavioral2/memory/1904-133-0x0000000000400000-0x0000000000BB0000-memory.dmp | themida
behavioral2/memory/1904-134-0x0000000000400000-0x0000000000BB0000-memory.dmp | themida
behavioral2/memory/1904-135-0x0000000000400000-0x0000000000BB0000-memory.dmp | themida
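The five YARA hits above all name the same memory range of PID 1904. As an added triage example (not code from the sandbox or from this report), the script below parses those dump names, collapses them into distinct regions, and compares the mapped region size with the 3.2MB on-disk size from the General section. The dump-name layout `<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` is inferred from the rows shown here, and the exact byte count used for the 3.2MB file is an approximation; both are assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the five YARA hit resource names from the report's
# behavioral2 task (the "themida" rule fired on each of these dumps).
YARA_HITS = [
    ("behavioral2/memory/1904-130-0x0000000000400000-0x0000000000BB0000-memory.dmp", "themida"),
    ("behavioral2/memory/1904-132-0x0000000000400000-0x0000000000BB0000-memory.dmp", "themida"),
    ("behavioral2/memory/1904-133-0x0000000000400000-0x0000000000BB0000-memory.dmp", "themida"),
    ("behavioral2/memory/1904-134-0x0000000000400000-0x0000000000BB0000-memory.dmp", "themida"),
    ("behavioral2/memory/1904-135-0x0000000000400000-0x0000000000BB0000-memory.dmp", "themida"),
]

# On-disk size reported under General: 3.2MB. The exact byte count is not on
# the page, so this approximation (assumption) is used only for the ratio.
FILE_SIZE_BYTES = int(3.2 * 1024 * 1024)

# Assumed layout: <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return task, pid, seq, start, end and size (bytes) for one dump name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {
        "task": m.group("task"),
        "pid": int(m.group("pid")),
        "seq": int(m.group("seq")),
        "start": start,
        "end": end,
        "size": end - start,
    }


def summarize_regions(hits):
    """Group dumps by (pid, start, end); record which rules hit and how many dumps.

    Returns one dict per distinct region, sorted by pid then start address."""
    groups = defaultdict(lambda: {"rules": set(), "seqs": []})
    for name, rule in hits:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        groups[key]["rules"].add(rule)
        groups[key]["seqs"].append(d["seq"])
    regions = []
    for (pid, start, end), g in sorted(groups.items()):
        regions.append({
            "pid": pid,
            "start": start,
            "end": end,
            "size": end - start,
            "dumps": len(g["seqs"]),
            "rules": sorted(g["rules"]),
        })
    return regions


def image_to_file_ratio(region_size, file_size=FILE_SIZE_BYTES):
    """How much larger the dumped in-memory image is than the file on disk."""
    return region_size / file_size


if __name__ == "__main__":
    for r in summarize_regions(YARA_HITS):
        print(f"pid {r['pid']}: 0x{r['start']:X}-0x{r['end']:X} "
              f"({r['size']:,} bytes, {r['dumps']} dumps, rules={r['rules']}), "
              f"image/file ratio {image_to_file_ratio(r['size']):.2f}")
```

The output shows a single region at the image base 0x400000 spanning 0x7B0000 bytes, dumped five times, and roughly 2.4 times the size of the file on disk; a mapped image that is much larger than its file is the usual footprint of a packer that reserves space to unpack into, which is consistent with the Themida match.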

Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
13 | api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | Process
1904 | 19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe
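The signatures above are each a pattern over one kind of telemetry: registry opens/queries (VirtualBox ACPI key, BIOS version values, EnableLUA), a DNS/HTTP flow (api.ipify.org) and a native API call (NtSetInformationThread with ThreadHideFromDebugger). As an added example, not code from the sandbox or this report, the script below re-implements those checks as detection rules and runs them over a constructed event list modelled on the IoC rows. Assumptions: the event schema (kind, pid, path, host, api, info_class) is invented for the example; the ACPI rule accepts any ACPI table subkey ending in VBOX__ rather than only DSDT; SystemBiosDate, ifconfig.me and ipinfo.io are common extra indicators added here and do not appear in the report.

```python
import re
from collections import defaultdict

# Constructed sample telemetry: one event per IoC row in the report, plus one
# benign registry read that must not match. The schema is an assumption made
# for this example, not the sandbox's real event format.
EVENTS = [
    {"kind": "reg_open",  "pid": 1904, "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "reg_query", "pid": 1904, "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"kind": "reg_query", "pid": 1904, "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"kind": "reg_query", "pid": 1904, "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"kind": "flow",      "pid": 1904, "flow": 13, "host": "api.ipify.org"},
    {"kind": "api",       "pid": 1904, "api": "NtSetInformationThread", "info_class": 0x11},
    {"kind": "reg_query", "pid": 1904, "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"},  # benign
]

# THREADINFOCLASS value for ThreadHideFromDebugger, as passed to NtSetInformationThread.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Sysmon/EDR logs write the hive as HKLM\...; the sandbox logs the native
# object-manager path \REGISTRY\MACHINE\... Normalise both to the native form.
def norm_path(path):
    p = path.strip().upper()
    for alias in ("HKEY_LOCAL_MACHINE", "HKLM"):
        if p.startswith(alias + "\\"):
            p = "\\REGISTRY\\MACHINE" + p[len(alias):]
    return p

# Any ACPI table subkey (DSDT in the report; FADT/RSDT carry the same OEM ID) named VBOX__.
ACPI_VBOX_RE = re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\[A-Z]+\\VBOX__$")
# SystemBiosVersion/VideoBiosVersion are from the report; SystemBiosDate is an addition.
BIOS_RE = re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEMBIOSVERSION|VIDEOBIOSVERSION|SYSTEMBIOSDATE)$")
UAC_RE = re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM\\ENABLELUA$")
# api.ipify.org is from the report; the other two are common additions (assumption).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "ipinfo.io"}

def is_reg(e):
    return e["kind"] in ("reg_open", "reg_query") and "path" in e

# (signature name, predicate over one event, IoC extractor)
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     lambda e: is_reg(e) and bool(ACPI_VBOX_RE.match(norm_path(e["path"]))),
     lambda e: e["path"]),
    ("Checks BIOS information in registry",
     lambda e: is_reg(e) and bool(BIOS_RE.match(norm_path(e["path"]))),
     lambda e: e["path"]),
    ("Checks whether UAC is enabled",
     lambda e: is_reg(e) and bool(UAC_RE.match(norm_path(e["path"]))),
     lambda e: e["path"]),
    ("Looks up external IP address via web service",
     lambda e: e["kind"] == "flow" and e.get("host", "").lower() in IP_LOOKUP_HOSTS,
     lambda e: e["host"]),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     lambda e: e["kind"] == "api" and e.get("api") == "NtSetInformationThread"
               and e.get("info_class") == THREAD_HIDE_FROM_DEBUGGER,
     lambda e: f"{e['api']}(ThreadHideFromDebugger)"),
]

def match_events(events):
    """Return {pid: [(signature name, ioc), ...]} for every event a rule matches."""
    hits = defaultdict(list)
    for e in events:
        for name, pred, ioc in RULES:
            if pred(e):
                hits[e["pid"]].append((name, ioc(e)))
    return dict(hits)

def signatures_for(pid, events):
    """Distinct signature names fired by one pid, in the order first seen."""
    seen = []
    for name, _ in match_events(events).get(pid, []):
        if name not in seen:
            seen.append(name)
    return seen

if __name__ == "__main__":
    for pid, rows in match_events(EVENTS).items():
        print(f"PID {pid}:")
        for name, ioc in rows:
            print(f"  {name}: {ioc}")
```

The rules are deliberately exact-match on normalised paths: the cost of an anti-VM rule is its false positives, and the benign ProductName read in the sample (the kind of read every installer does) must stay silent while the VBOX__ open still fires when a Sysmon-style HKLM\ prefix is used instead of the native \REGISTRY\MACHINE\ path.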
Processes
- C:\Users\Admin\AppData\Local\Temp\19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19b0486caa9d36d7a358a25fffc5c549e95ad922ec7068667744ffcd206b2539.exe"
  Tree depth: 1
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 1904