Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2022 06:21
Static task
static1
Behavioral task
behavioral1
Sample
library_2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
library_2.exe
Resource
win10v2004-20220812-en
General
-
Target
library_2.exe
-
Size
508KB
-
MD5
88367344c224ae3ed9030cfcb389184a
-
SHA1
a9b8a7f5ce5059e1423b5399199d3f7398956329
-
SHA256
6df186c3d5c563f492abed3e125ba4603f726bd1d257d4343f59d1584c0736db
-
SHA512
a41cfa28fe323d3e69cf94145e97a41df59bff253acd7e377602d0cdfcf93416b8df0cc7c18c8514be8fd9999092124d132ac374e43110afc3d6a55d362e2f38
-
SSDEEP
6144:g/1z+5QuL0f5QjKeVgv+v8mZFU2WKXFetnnOX7DKjimqcZfRPJXwOu1qlb:g/l8Qf5ct8A9WkFAnOXSqSJUqlb
Malware Config
Extracted
fickerstealer
fickitc.link:8080
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
library_2.exedescription pid Process procid_target PID 2564 set thread context of 2448 2564 library_2.exe 78 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
library_2.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 library_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString library_2.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
library_2.exepid Process 2448 library_2.exe 2448 library_2.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
library_2.exedescription pid Process procid_target PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78 PID 2564 wrote to memory of 2448 2564 library_2.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\library_2.exe"C:\Users\Admin\AppData\Local\Temp\library_2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\library_2.exe"C:\Users\Admin\AppData\Local\Temp\library_2.exe"2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2448
-