fickerstealer | a82d27f251f423a8016520aafce59827c39c4101d655dc85b01cd39e0b2f61a6

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 10:25

Target

library.exe
Size

391KB
MD5

33c62f580ece1c3cad5b05b87e1e760b
SHA1

bbcccfa4d9980a168e9cb13634cc09bd6672ee00
SHA256

a82d27f251f423a8016520aafce59827c39c4101d655dc85b01cd39e0b2f61a6
SHA512

9735f1c790dac5556ad3c0cfe208566d01794c1be19e9704038e03168483ad00e4c6cfa02fa96c2a7185ca865b69fa40e9bcca8e166375fdd1be80da882846d1
SSDEEP

12288:Q9tH7cSF9pKMynR8oOvqTPx3vt3grVppT:e1wwyfgM3vtwrLx

Score

10^/10

Family

fickerstealer

fickita.info:8080

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 2752	2104	library.exe	83

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83
PID 2104 wrote to memory of 2752	2104	library.exe	83

C:\Users\Admin\AppData\Local\Temp\library.exe
"C:\Users\Admin\AppData\Local\Temp\library.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\library.exe
  "C:\Users\Admin\AppData\Local\Temp\library.exe"
  2⤵
  PID:2752

memory/2104-135-0x0000000002E37000-0x0000000002E6D000-memory.dmp

Filesize
216KB

Download
memory/2104-136-0x0000000002DA0000-0x0000000002E02000-memory.dmp

Filesize
392KB

Download
memory/2752-133-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2752-137-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2752-138-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2752-139-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download