General

  • Target

    2eada291b0125c056b9860d5500c480b95c1d223fffafe9ffac518b1a1e535cf.zip

  • Size

    12.3MB

  • Sample

    221114-lql5kage49

  • MD5

    7e7abf8f818c5ef8109c5169cfedf4a4

  • SHA1

    e34326dfff1735d1a003790edf3bff4490f8fda4

  • SHA256

    b40001d4763266033f5a0f7ddb270472445a1cdcd762a30360073e2cb6aa8678

  • SHA512

    edb2bf1708e17c423bd4327ebd18c9f5328a72c16986d6be4ed5eb9f36cdd021e013562b5c69a9affded96dadda4a363db0953093844a3dda77143955659eb83

  • SSDEEP

    393216:0YYmrI+FI6hDHch6l4WTTdLhfdWVsjz3EQqVStLa:0xmcRU45QJ5/jjEd0u

Malware Config

Extracted

  • Family

    fickerstealer

  • C2

    45.67.231.4:80

Targets

    • Target

      2eada291b0125c056b9860d5500c480b95c1d223fffafe9ffac518b1a1e535cf.exe

    • Size

      12.3MB

    • MD5

      485e82a34baeb69c60dbd6f5361d2f6c

    • SHA1

      5ed78d891ffec76efe3fd580f0fea0fa147e620d

    • SHA256

      2eada291b0125c056b9860d5500c480b95c1d223fffafe9ffac518b1a1e535cf

    • SHA512

      e9aab6cb39be4e7c2136d0dbb7be8db8ebbd1e65142c86e0ffbeab61ed515774f00be6bfdea46d2183d65aa55723f6280cfd135415e84fafd62db7a5e0c02ea3

    • SSDEEP

      196608:871MmW1H/9FUAeD4/BB+PNhwy5C7uDWJ3LNXHlayW4ghxTXGSNAAeOxxT8zWspBF:8WJ/9FUA8YkPn7s7TdhwjXWAd7yN5

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks