fickerstealer | 19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df

General

Target

19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe
Size

1.1MB
MD5

863693e30254434532cd8a493f632565
SHA1

f54dbac3ae13df6f842baf253b6e80b0c0a8b47a
SHA256

19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df
SHA512

024f5be15c520b4f813b0f7509183666875e2fe6a5aac0e291f663b33e0f8c7c4a64f057278201de84af7aae6085edb54fb98e30890f8136a84d7afb5e02670b
SSDEEP

12288:I5dMOMt/9NH/eNYmItwRHAR315ycgVkIHG9scLKt97NXTPTFyPPeIETaq:4VYLHY0tMgyJZcOt7dyh

Score

10^/10

fickerstealer infostealer spyware stealer

Malware Config

Extracted

Family

fickerstealer

C2

91.240.118.51:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 1 IoCs

Processes:

1674148271092.exe

pid	Process
3844	1674148271092.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1674148271092.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1674148271092.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2104	4964	WerFault.exe	81
4328	4964	WerFault.exe	81
4032	4964	WerFault.exe	81
3588	4964	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1674148271092.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	3844	1674148271092.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe1674148271092.exe

description	pid	Process	procid_target
PID 4964 wrote to memory of 3844	4964	19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe	87
PID 4964 wrote to memory of 3844	4964	19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe	87
PID 4964 wrote to memory of 3844	4964	19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe	87
PID 3844 wrote to memory of 3324	3844	1674148271092.exe	98
PID 3844 wrote to memory of 3324	3844	1674148271092.exe	98
PID 3844 wrote to memory of 3324	3844	1674148271092.exe	98

C:\Users\Admin\AppData\Local\Temp\19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe
"C:\Users\Admin\AppData\Local\Temp\19d2d1ecaa693fb74b39ac3f3a049f335dafba5d5669b921aab1a2c486ec77df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 992
  2⤵
  - Program crash
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\1674148271092.exe
  "C:\Users\Admin\AppData\Local\Temp\1674148271092.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\167414~1.EXE > nul
    3⤵
    PID:3324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1128
  2⤵
  - Program crash
  PID:4328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 992
  2⤵
  - Program crash
  PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 140
  2⤵
  - Program crash
  PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4964 -ip 4964
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4964 -ip 4964
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4964 -ip 4964
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4964 -ip 4964
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1674148271092.exe

Filesize
5.2MB

MD5
1ae225cad8ed0bfe5566ac6978140c32

SHA1
a7d63db34b1148406d7a6a55423f7b314f9c8f42

SHA256
d7f233b5e2b7f8a629e127c72e0fddcd3fe2dd66a9e633c53b4acc22252f9c19

SHA512
29ac35df879d18352717ec6c9f2676261dc4d63fa34058cf1ea852d924f5142306ed5feac08f3b7d81b559e5ee72f04a67e2e94533daedebd47335e3f5c121ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1674148271092.exe

Filesize
5.2MB

MD5
1ae225cad8ed0bfe5566ac6978140c32

SHA1
a7d63db34b1148406d7a6a55423f7b314f9c8f42

SHA256
d7f233b5e2b7f8a629e127c72e0fddcd3fe2dd66a9e633c53b4acc22252f9c19

SHA512
29ac35df879d18352717ec6c9f2676261dc4d63fa34058cf1ea852d924f5142306ed5feac08f3b7d81b559e5ee72f04a67e2e94533daedebd47335e3f5c121ee

Download Submit
memory/3324-141-0x0000000000000000-mapping.dmp

Download
memory/3844-137-0x0000000000000000-mapping.dmp

Download
memory/4964-135-0x0000000002A50000-0x0000000002AF4000-memory.dmp

Filesize
656KB

Download
memory/4964-136-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/4964-140-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads