fickerstealer | e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c

General

Target

e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe
Size

2.6MB
MD5

5596e6b3cac3574bd957b86c8250773a
SHA1

298016941cfa7095a19fc274137dc0f7dbed2a7a
SHA256

e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c
SHA512

78dfdc615f3239e655d63e310f6778831a5b384eb28e67099d12aa5a433b79a9a75754cca38f4a1838126b64a8d4aa2af0d482d34ea0b2b89cad91e2f0290870
SSDEEP

49152:5vJeIiv6Lcj0hB/8qyTO4LMJDdhK27BYV:5vJ5ivIS0hBDyK4LMJrbY

Score

10^/10

fickerstealer infostealer spyware stealer

Malware Config

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 4 IoCs

pid	Process
2112	1666498212308.exe
2496	unohostclr.exe
3608	unohostclr.exe
3412	unohostclr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1666498212308.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2364	1660	WerFault.exe	79
332	1660	WerFault.exe	79
1796	1660	WerFault.exe	79
1144	1660	WerFault.exe	79

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2452	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2112	1660	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe	87
PID 1660 wrote to memory of 2112	1660	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe	87
PID 1660 wrote to memory of 2112	1660	e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe	87
PID 2112 wrote to memory of 2452	2112	1666498212308.exe	92
PID 2112 wrote to memory of 2452	2112	1666498212308.exe	92
PID 2112 wrote to memory of 2452	2112	1666498212308.exe	92
PID 2112 wrote to memory of 2496	2112	1666498212308.exe	94
PID 2112 wrote to memory of 2496	2112	1666498212308.exe	94
PID 2112 wrote to memory of 2496	2112	1666498212308.exe	94

C:\Users\Admin\AppData\Local\Temp\e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe
"C:\Users\Admin\AppData\Local\Temp\e94bfd09dc3b73fa96c284fd08d351197b2e6a7b4f2a4d051c76d7f77539639c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1064
  2⤵
  - Program crash
  PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1108
  2⤵
  - Program crash
  PID:332
- C:\Users\Admin\AppData\Local\Temp\1666498212308.exe
  "C:\Users\Admin\AppData\Local\Temp\1666498212308.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN UnoHostCLR /F /TR "C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe" /st 00:00 /du 23:59 /sc daily /ri 1
    3⤵
    - Creates scheduled task(s)
    PID:2452
- - C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
    "C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe" C:\Users\Admin\AppData\Local\Temp\1666498212308.exe
    3⤵
    - Executes dropped EXE
    PID:2496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1084
  2⤵
  - Program crash
  PID:1796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 140
  2⤵
  - Program crash
  PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1660 -ip 1660
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1660 -ip 1660
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1660 -ip 1660
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1660 -ip 1660
1⤵
PID:4340

C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe
1⤵
- Executes dropped EXE
PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1666498212308.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Local\Temp\1666498212308.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
C:\Users\Admin\AppData\Roaming\UnoHost\unohostclr.exe

Filesize
2.0MB

MD5
83ad610d5f50751a7ae466869169389e

SHA1
1d2f894b0ca610cf6c88ccb2eabdd4e0d639447f

SHA256
07bbeb90b6cb4bac7f08ea5332d65f4063de53121d1b7e16a95fd42d0e67d35c

SHA512
c7d0e6aa81f05d660be1a09fbe17953d577915eb7f4decfb9b9c84946ca8b6ab5926dda3afa1429eb7938d4337463d0d002c610c872a3e27a7a11bfffc3b9529

Download Submit
memory/1660-133-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/1660-134-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/1660-140-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/1660-132-0x0000000002D00000-0x0000000002EFF000-memory.dmp

Filesize
2.0MB

Download
memory/2112-145-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2112-135-0x0000000000000000-mapping.dmp

Download
memory/2112-139-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2112-138-0x0000000002B40000-0x0000000002C7B000-memory.dmp

Filesize
1.2MB

Download
memory/2452-141-0x0000000000000000-mapping.dmp

Download
memory/2496-142-0x0000000000000000-mapping.dmp

Download
memory/2496-146-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/3412-150-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/3608-148-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads