fickerstealer | a82d27f251f423a8016520aafce59827c39c4101d655dc85b01cd39e0b2f61a6

Analysis

max time kernel
42s
max time network
132s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 10:25

Target

library.exe
Size

391KB
MD5

33c62f580ece1c3cad5b05b87e1e760b
SHA1

bbcccfa4d9980a168e9cb13634cc09bd6672ee00
SHA256

a82d27f251f423a8016520aafce59827c39c4101d655dc85b01cd39e0b2f61a6
SHA512

9735f1c790dac5556ad3c0cfe208566d01794c1be19e9704038e03168483ad00e4c6cfa02fa96c2a7185ca865b69fa40e9bcca8e166375fdd1be80da882846d1
SSDEEP

12288:Q9tH7cSF9pKMynR8oOvqTPx3vt3grVppT:e1wwyfgM3vtwrLx

Score

10^/10

Family

fickerstealer

fickita.info:8080

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1416	900	library.exe	27

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27
PID 900 wrote to memory of 1416	900	library.exe	27

C:\Users\Admin\AppData\Local\Temp\library.exe
"C:\Users\Admin\AppData\Local\Temp\library.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\library.exe
  "C:\Users\Admin\AppData\Local\Temp\library.exe"
  2⤵
  PID:1416

memory/900-57-0x0000000002DBA000-0x0000000002DF0000-memory.dmp

Filesize
216KB

Download
memory/900-58-0x0000000000220000-0x0000000000282000-memory.dmp

Filesize
392KB

Download
memory/1416-54-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1416-55-0x00000000004014C0-mapping.dmp

Download
memory/1416-59-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1416-60-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1416-61-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1416-62-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download