Analysis
-
max time kernel
112s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
31-10-2022 14:37
Static task
static1
Behavioral task
behavioral1
Sample
265969856a9b0eebf03295101c2a75ba.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
265969856a9b0eebf03295101c2a75ba.exe
Resource
win10v2004-20220812-en
General
-
Target
265969856a9b0eebf03295101c2a75ba.exe
-
Size
371KB
-
MD5
265969856a9b0eebf03295101c2a75ba
-
SHA1
f57aae5d8a6634d2cb3fb9255209e067e849228b
-
SHA256
95db6418da0c11842b06ec98495f327dca6428ce7575798d2c3a36eecac508a2
-
SHA512
16973e15dc7b7f41121bb2474aef6755a89db3fe11d0ecf62784ecb47e8ec30f9495c338965befff634a115b3628b961a432e61005a58fd827188d6d42dead55
-
SSDEEP
6144:QsDlrgiL9cgPMhndCxsSsok5jNsIeA7PaflD8TleZk/YPstmKctTPjRMwU4b:Qsxki+8MNNlNB+9D2eGk48b
Malware Config
Extracted
fickerstealer
fickita.info:8080
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1620 set thread context of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 265969856a9b0eebf03295101c2a75ba.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 265969856a9b0eebf03295101c2a75ba.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2044 265969856a9b0eebf03295101c2a75ba.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27 PID 1620 wrote to memory of 2044 1620 265969856a9b0eebf03295101c2a75ba.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\265969856a9b0eebf03295101c2a75ba.exe"C:\Users\Admin\AppData\Local\Temp\265969856a9b0eebf03295101c2a75ba.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\265969856a9b0eebf03295101c2a75ba.exe"C:\Users\Admin\AppData\Local\Temp\265969856a9b0eebf03295101c2a75ba.exe"2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2044
-