fickerstealer | e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c

Analysis

max time kernel
184s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe
Size

2.6MB
MD5

5596e6b3cac3574bd957b86c8250773a
SHA1

298016941cfa7095a19fc274137dc0f7dbed2a7a
SHA256

e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c
SHA512

78dfdc615f3239e655d63e310f6778831a5b384eb28e67099d12aa5a433b79a9a75754cca38f4a1838126b64a8d4aa2af0d482d34ea0b2b89cad91e2f0290870
SSDEEP

49152:5vJeIiv6Lcj0hB/8qyTO4LMJDdhK27BYV:5vJ5ivIS0hBDyK4LMJrbY

Score

10^/10

fickerstealer infostealer spyware stealer

Malware Config

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 5 IoCs

pid	Process
1304	1666498177177.exe
1068	unohostclr.exe
1256	unohostclr.exe
1656	unohostclr.exe
1352	unohostclr.exe

Loads dropped DLL 7 IoCs

pid	Process
1380	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe
1380	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe
1304	1666498177177.exe
1304	1666498177177.exe
1304	1666498177177.exe
1304	1666498177177.exe
1304	1666498177177.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1788	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1304	1380	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe	27
PID 1380 wrote to memory of 1304	1380	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe	27
PID 1380 wrote to memory of 1304	1380	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe	27
PID 1380 wrote to memory of 1304	1380	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe	27
PID 1304 wrote to memory of 1788	1304	1666498177177.exe	28
PID 1304 wrote to memory of 1788	1304	1666498177177.exe	28
PID 1304 wrote to memory of 1788	1304	1666498177177.exe	28
PID 1304 wrote to memory of 1788	1304	1666498177177.exe	28
PID 1304 wrote to memory of 1068	1304	1666498177177.exe	30
PID 1304 wrote to memory of 1068	1304	1666498177177.exe	30
PID 1304 wrote to memory of 1068	1304	1666498177177.exe	30
PID 1304 wrote to memory of 1068	1304	1666498177177.exe	30
PID 1828 wrote to memory of 1256	1828	taskeng.exe	32
PID 1828 wrote to memory of 1256	1828	taskeng.exe	32
PID 1828 wrote to memory of 1256	1828	taskeng.exe	32
PID 1828 wrote to memory of 1256	1828	taskeng.exe	32
PID 1828 wrote to memory of 1656	1828	taskeng.exe	33
PID 1828 wrote to memory of 1656	1828	taskeng.exe	33
PID 1828 wrote to memory of 1656	1828	taskeng.exe	33
PID 1828 wrote to memory of 1656	1828	taskeng.exe	33
PID 1828 wrote to memory of 1352	1828	taskeng.exe	34
PID 1828 wrote to memory of 1352	1828	taskeng.exe	34
PID 1828 wrote to memory of 1352	1828	taskeng.exe	34
PID 1828 wrote to memory of 1352	1828	taskeng.exe	34

C:\Users\Admin\AppData\Local\Temp\e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe
"C:\Users\Admin\AppData\Local\Temp\e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\1666498177177.exe
  "C:\Users\Admin\AppData\Local\Temp\1666498177177.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN UnoHostCLR /F /TR "C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe" /st 00:00 /du 23:59 /sc daily /ri 1
    3⤵
    - Creates scheduled task(s)
    PID:1788
- - C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
    "C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe" C:\Users\Admin\AppData\Local\Temp\1666498177177.exe
    3⤵
    - Executes dropped EXE
    PID:1068

C:\Windows\system32\taskeng.exe
taskeng.exe {2B049F58-70C3-4D64-9C84-1E1B55B39216} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
  C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
  C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
  C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
  2⤵
  - Executes dropped EXE
  PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1666498177177.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Local\Temp\1666498177177.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
\Users\Admin\AppData\Local\Temp\1666498177177.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
\Users\Admin\AppData\Local\Temp\1666498177177.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
memory/1068-75-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/1068-70-0x0000000000000000-mapping.dmp

Download
memory/1256-77-0x0000000000000000-mapping.dmp

Download
memory/1256-80-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/1304-74-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/1304-71-0x0000000002ED0000-0x000000000300B000-memory.dmp

Filesize
1.2MB

Download
memory/1304-59-0x0000000000000000-mapping.dmp

Download
memory/1352-88-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/1352-85-0x0000000000000000-mapping.dmp

Download
memory/1380-62-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/1380-56-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/1380-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x0000000003030000-0x000000000322F000-memory.dmp

Filesize
2.0MB

Download
memory/1656-81-0x0000000000000000-mapping.dmp

Download
memory/1656-84-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/1788-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads