Analysis
-
max time kernel
91s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
07/01/2023, 22:21
Static task
static1
Behavioral task
behavioral1
Sample
ae8f1cd095afa12559ecca86166d8a7a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ae8f1cd095afa12559ecca86166d8a7a.exe
Resource
win10v2004-20220901-en
General
-
Target
ae8f1cd095afa12559ecca86166d8a7a.exe
-
Size
396KB
-
MD5
ae8f1cd095afa12559ecca86166d8a7a
-
SHA1
3b1be222db87f7a04d40e7062467e52a9cda9757
-
SHA256
fc583f0b1db0e61fd38fa6d02280554a392550ea905e2f1054602aba3aca42f9
-
SHA512
3a6e05f451e16cfdf8b564372377251bba95e4e6e423179d2dbd3fe6c0bd584dbde45e24c06b214f0317c9f7894ecdcc5c903c8e867784b03fcd028b8349c61a
-
SSDEEP
6144:ANL1bEzN+yhi6zKDAEdgNYYFRMNZAJHdRRqVhZilkbrNmYQASsui9yD6b6W:ANxAzNzlODAqgzKj2bAVqMrNR/86bv
Malware Config
Extracted
fickerstealer
clogsme.link:8080
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4396 set thread context of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ae8f1cd095afa12559ecca86166d8a7a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ae8f1cd095afa12559ecca86166d8a7a.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1448 ae8f1cd095afa12559ecca86166d8a7a.exe 1448 ae8f1cd095afa12559ecca86166d8a7a.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80 PID 4396 wrote to memory of 1448 4396 ae8f1cd095afa12559ecca86166d8a7a.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae8f1cd095afa12559ecca86166d8a7a.exe"C:\Users\Admin\AppData\Local\Temp\ae8f1cd095afa12559ecca86166d8a7a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\ae8f1cd095afa12559ecca86166d8a7a.exe"C:\Users\Admin\AppData\Local\Temp\ae8f1cd095afa12559ecca86166d8a7a.exe"2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1448
-