fickerstealer | fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda

Analysis

max time kernel
172s
max time network
208s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe
Size

277KB
MD5

605db2ba5163b547c8a3fbc3eda9300d
SHA1

b356fa386bb6ca5816429189bb7d687121dfb131
SHA256

fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda
SHA512

48444f4d53ebccc13e7d0627b7ff01ebb2bbf1fcfab8cf5fc3577608c1f6426cdde68850e2fad6f6394eb7b94f79d079e2f82483158ab541694acd33d60e38a8
SSDEEP

6144:f8bcvL/PEIbNj0jgorXqtK4FxLXhngbN81xtt:f+cvzPEIb2jgor6IWdXVf

Score

10^/10

fickerstealer infostealer

Malware Config

Extracted

Family

fickerstealer

deniedfight.com:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28
PID 1364 wrote to memory of 1296	1364	fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe	28

C:\Users\Admin\AppData\Local\Temp\fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe
"C:\Users\Admin\AppData\Local\Temp\fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe
  "C:\Users\Admin\AppData\Local\Temp\fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda.exe"
  2⤵
  PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-54-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1296-58-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1296-60-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1296-61-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1296-62-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1364-57-0x00000000009CA000-0x00000000009F1000-memory.dmp

Filesize
156KB

Download
memory/1364-59-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download