fickerstealer | 19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df

General

Target

19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe
Size

1.1MB
MD5

863693e30254434532cd8a493f632565
SHA1

f54dbac3ae13df6f842baf253b6e80b0c0a8b47a
SHA256

19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df
SHA512

024f5be15c520b4f813b0f7509183666875e2fe6a5aac0e291f663b33e0f8c7c4a64f057278201de84af7aae6085edb54fb98e30890f8136a84d7afb5e02670b
SSDEEP

12288:I5dMOMt/9NH/eNYmItwRHAR315ycgVkIHG9scLKt97NXTPTFyPPeIETaq:4VYLHY0tMgyJZcOt7dyh

Score

10^/10

fickerstealer infostealer spyware stealer

Malware Config

Extracted

Family

fickerstealer

C2

91.240.118.51:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 1 IoCs

Processes:

1674151867998.exe

pid	Process
1900	1674151867998.exe

Loads dropped DLL 1 IoCs

Processes:

19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe

pid	Process
1664	19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1674151867998.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	1900	1674151867998.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe1674151867998.exe

description	pid	Process	procid_target
PID 1664 wrote to memory of 1900	1664	19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe	28
PID 1664 wrote to memory of 1900	1664	19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe	28
PID 1664 wrote to memory of 1900	1664	19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe	28
PID 1664 wrote to memory of 1900	1664	19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe	28
PID 1900 wrote to memory of 1432	1900	1674151867998.exe	30
PID 1900 wrote to memory of 1432	1900	1674151867998.exe	30
PID 1900 wrote to memory of 1432	1900	1674151867998.exe	30
PID 1900 wrote to memory of 1432	1900	1674151867998.exe	30

C:\Users\Admin\AppData\Local\Temp\19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe
"C:\Users\Admin\AppData\Local\Temp\19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\1674151867998.exe
  "C:\Users\Admin\AppData\Local\Temp\1674151867998.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\167415~1.EXE > nul
    3⤵
    PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1674151867998.exe

Filesize
5.2MB

MD5
1ae225cad8ed0bfe5566ac6978140c32

SHA1
a7d63db34b1148406d7a6a55423f7b314f9c8f42

SHA256
d7f233b5e2b7f8a629e127c72e0fddcd3fe2dd66a9e633c53b4acc22252f9c19

SHA512
29ac35df879d18352717ec6c9f2676261dc4d63fa34058cf1ea852d924f5142306ed5feac08f3b7d81b559e5ee72f04a67e2e94533daedebd47335e3f5c121ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1674151867998.exe

Filesize
5.2MB

MD5
1ae225cad8ed0bfe5566ac6978140c32

SHA1
a7d63db34b1148406d7a6a55423f7b314f9c8f42

SHA256
d7f233b5e2b7f8a629e127c72e0fddcd3fe2dd66a9e633c53b4acc22252f9c19

SHA512
29ac35df879d18352717ec6c9f2676261dc4d63fa34058cf1ea852d924f5142306ed5feac08f3b7d81b559e5ee72f04a67e2e94533daedebd47335e3f5c121ee

Download Submit
\Users\Admin\AppData\Local\Temp\1674151867998.exe

Filesize
5.2MB

MD5
1ae225cad8ed0bfe5566ac6978140c32

SHA1
a7d63db34b1148406d7a6a55423f7b314f9c8f42

SHA256
d7f233b5e2b7f8a629e127c72e0fddcd3fe2dd66a9e633c53b4acc22252f9c19

SHA512
29ac35df879d18352717ec6c9f2676261dc4d63fa34058cf1ea852d924f5142306ed5feac08f3b7d81b559e5ee72f04a67e2e94533daedebd47335e3f5c121ee

Download Submit
memory/1432-62-0x0000000000000000-mapping.dmp

Download
memory/1664-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1664-55-0x0000000002060000-0x0000000002104000-memory.dmp

Filesize
656KB

Download
memory/1664-56-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1664-61-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1900-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads