fickerstealer | 7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206

Analysis

max time kernel
137s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2022 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

793.8MB
MD5

9a851a47a9bd2f92c61d2486d1be3064
SHA1

3cda31c06db97246705d95dfcf4908eafb514b87
SHA256

7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206
SHA512

90340910dc1ee90ccfe7f451578de67c5ca32b95525157acd8b5bc2e99b9c0b2254bfb58997cc848a0ead871bc3f1e03dbb152d56aa709c4ecd3742404eec27b
SSDEEP

196608:6spHQk/ICYcdYtOQYMvm6Iu+8RuJQHIsuRuJyPquRuJXMD349nt3njto03qJbYav:6csCYgIBH2XD349nt3nW03s8up

Score

10^/10

fickerstealer evasion infostealer spyware stealer

Malware Config

Extracted

Family

fickerstealer

45.93.201.181:80

91.240.118.51:253

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

Setup.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "irsetup.exe"	Setup.exe

Executes dropped EXE 8 IoCs

Processes:

1662925916626.exe1662925916634.exe1662925916673.exeunohostclr.exe1662925920402.exeunohostclr.exeunohostclr.exeunohostclr.exe

pid	Process
3888	1662925916626.exe
4916	1662925916634.exe
1680	1662925916673.exe
1124	unohostclr.exe
3472	1662925920402.exe
5020	unohostclr.exe
4320	unohostclr.exe
4996	unohostclr.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1662925916626.exe1662925916634.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1662925916626.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1662925916634.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
21	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2464	1680	WerFault.exe	94
2932	1680	WerFault.exe	94
4888	1680	WerFault.exe	94

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

Setup.exe

pid	Process
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe
2512	Setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1662925916634.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	4916	1662925916634.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Setup.exeSetup.exe1662925916626.exe1662925916673.exe1662925916634.exe

description	pid	Process	procid_target
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 2512 wrote to memory of 3008	2512	Setup.exe	83
PID 3008 wrote to memory of 3888	3008	Setup.exe	92
PID 3008 wrote to memory of 3888	3008	Setup.exe	92
PID 3008 wrote to memory of 3888	3008	Setup.exe	92
PID 3008 wrote to memory of 4916	3008	Setup.exe	93
PID 3008 wrote to memory of 4916	3008	Setup.exe	93
PID 3008 wrote to memory of 4916	3008	Setup.exe	93
PID 3008 wrote to memory of 1680	3008	Setup.exe	94
PID 3008 wrote to memory of 1680	3008	Setup.exe	94
PID 3008 wrote to memory of 1680	3008	Setup.exe	94
PID 3888 wrote to memory of 2652	3888	1662925916626.exe	95
PID 3888 wrote to memory of 2652	3888	1662925916626.exe	95
PID 3888 wrote to memory of 2652	3888	1662925916626.exe	95
PID 3888 wrote to memory of 1124	3888	1662925916626.exe	97
PID 3888 wrote to memory of 1124	3888	1662925916626.exe	97
PID 3888 wrote to memory of 1124	3888	1662925916626.exe	97
PID 1680 wrote to memory of 3472	1680	1662925916673.exe	105
PID 1680 wrote to memory of 3472	1680	1662925916673.exe	105
PID 1680 wrote to memory of 3472	1680	1662925916673.exe	105
PID 4916 wrote to memory of 4104	4916	1662925916634.exe	118
PID 4916 wrote to memory of 4104	4916	1662925916634.exe	118
PID 4916 wrote to memory of 4104	4916	1662925916634.exe	118

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Blocks application from running via registry modification
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\1662925916626.exe
    "C:\Users\Admin\AppData\Local\Temp\1662925916626.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN UnoHostCLR /F /TR "C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe" /st 00:00 /du 23:59 /sc daily /ri 1
      4⤵
      Creates scheduled task(s)
      PID:2652
  - - C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
      "C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe" C:\Users\Admin\AppData\Local\Temp\1662925916626.exe
      4⤵
      Executes dropped EXE
      PID:1124
- - C:\Users\Admin\AppData\Local\Temp\1662925916634.exe
    "C:\Users\Admin\AppData\Local\Temp\1662925916634.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\166292~2.EXE > nul
      4⤵
      PID:4104
- - C:\Users\Admin\AppData\Local\Temp\1662925916673.exe
    "C:\Users\Admin\AppData\Local\Temp\1662925916673.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1328
      4⤵
      Program crash
      PID:2464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1356
      4⤵
      Program crash
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\1662925920402.exe
      "C:\Users\Admin\AppData\Local\Temp\1662925920402.exe"
      4⤵
      Executes dropped EXE
      PID:3472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 140
      4⤵
      Program crash
      PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1680 -ip 1680
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1680 -ip 1680
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1680 -ip 1680
1⤵
PID:400

C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
1⤵
- Executes dropped EXE
PID:4996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1662925916626.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1662925916626.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1662925916634.exe

Filesize
930KB

MD5
debcfcbc1a3a087ed6e81fb72b9d1a05

SHA1
b813179ad334a14140d5dddb7f1680db1e750ef1

SHA256
6618c9ac18982d3382ffe19966fa6bbd49cf78149e7a99293a917d343abcecca

SHA512
ddb35837cb7255ddb06a2bd34f1eea0b1da0e6e6003b298e24911b92a2a3effc8c81c49b1934cdcce97d9d35a086abad03cdfadf6bdbd34eb0ce0590c19db088

Download Submit
C:\Users\Admin\AppData\Local\Temp\1662925916634.exe

Filesize
930KB

MD5
debcfcbc1a3a087ed6e81fb72b9d1a05

SHA1
b813179ad334a14140d5dddb7f1680db1e750ef1

SHA256
6618c9ac18982d3382ffe19966fa6bbd49cf78149e7a99293a917d343abcecca

SHA512
ddb35837cb7255ddb06a2bd34f1eea0b1da0e6e6003b298e24911b92a2a3effc8c81c49b1934cdcce97d9d35a086abad03cdfadf6bdbd34eb0ce0590c19db088

Download Submit
C:\Users\Admin\AppData\Local\Temp\1662925916673.exe

Filesize
1.1MB

MD5
15cf9a3df90cd24f947d4989b00429a3

SHA1
6cc798e4f9fa9b08062b4107d9af35d184a6f52c

SHA256
76dc6bd6f9551861b758844ac37424a4d8f6640a69da0534f900c0be4195b607

SHA512
55083713e200b5cca6c1f1b25b920cab70d6fa8f061edf8ab7b2b79d89a06dfc7eb9a797f0d213b98c0a20ba1bb5aac7260ce04c23d483eaf336d2ceac98f0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1662925916673.exe

Filesize
1.1MB

MD5
15cf9a3df90cd24f947d4989b00429a3

SHA1
6cc798e4f9fa9b08062b4107d9af35d184a6f52c

SHA256
76dc6bd6f9551861b758844ac37424a4d8f6640a69da0534f900c0be4195b607

SHA512
55083713e200b5cca6c1f1b25b920cab70d6fa8f061edf8ab7b2b79d89a06dfc7eb9a797f0d213b98c0a20ba1bb5aac7260ce04c23d483eaf336d2ceac98f0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1662925920402.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1662925920402.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
833KB

MD5
415bc350e11b9a38fbfbe58b8227b2ad

SHA1
ae3c5ab01a8cfb40081c292e83c897229fc2d3f2

SHA256
8784ad2bc48c94eaddaf08bb542554ff695373eed99906bbb6b7be342bf03224

SHA512
16b83b8a62488c87f8a587d19eb851467833e73f84e5fc22d41bca723b5ac147403966ec0ab954d17142d814d08d6c552ece084d02beb92ebfb066ab941de7c7

Download Submit
memory/1124-150-0x0000000000000000-mapping.dmp

Download
memory/1124-159-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1680-158-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1680-157-0x0000000002830000-0x00000000028B9000-memory.dmp

Filesize
548KB

Download
memory/1680-164-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1680-144-0x0000000000000000-mapping.dmp

Download
memory/2512-165-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2512-135-0x0000000033BA0000-0x0000000033D43000-memory.dmp

Filesize
1.6MB

Download
memory/2512-137-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2512-133-0x0000000031F70000-0x0000000031FB4000-memory.dmp

Filesize
272KB

Download
memory/2652-149-0x0000000000000000-mapping.dmp

Download
memory/3008-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3008-136-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3008-138-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3008-148-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3008-132-0x0000000000000000-mapping.dmp

Download
memory/3472-163-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3472-160-0x0000000000000000-mapping.dmp

Download
memory/3888-153-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/3888-154-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3888-139-0x0000000000000000-mapping.dmp

Download
memory/4104-168-0x0000000000000000-mapping.dmp

Download
memory/4320-171-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4916-156-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4916-155-0x0000000002730000-0x000000000278C000-memory.dmp

Filesize
368KB

Download
memory/4916-169-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4916-141-0x0000000000000000-mapping.dmp

Download
memory/4996-173-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/5020-167-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download