fickerstealer | 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a

Analysis

max time kernel
175s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 19:52

Target

3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe
Size

349KB
MD5

59024427b1d83a475e33157c41aa8048
SHA1

e69ddf03cb1a72b5b6cfd07677fff2550b506077
SHA256

3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a
SHA512

f14e0c6c18ff8115156467621243aaefef6253dbede47747696029b433daa0bc2ddc420d0aebf2ca7394759a710b667e2fd18c5044d57c1a5476cc38f8bef40b
SSDEEP

6144:xgqFVwCVJ4MzpHA7gc3sjYhIcwkoy6eZnBiSaL5X28mQ399ydab204VRJ:ZVwsm4pg7gcsYIFeVBiSaMKer04R

Score

10^/10

Family

fickerstealer

deniedfight.com:80

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
15	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe

description	pid	Process	procid_target
PID 4252 set thread context of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe

description	pid	Process	procid_target
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79
PID 4252 wrote to memory of 4224	4252	3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe	79

C:\Users\Admin\AppData\Local\Temp\3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe
"C:\Users\Admin\AppData\Local\Temp\3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe
  "C:\Users\Admin\AppData\Local\Temp\3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe"
  2⤵
  PID:4224

memory/4224-132-0x0000000000000000-mapping.dmp

Download
memory/4224-133-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4224-137-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4224-138-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4224-139-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4252-135-0x0000000000AE2000-0x0000000000B09000-memory.dmp

Filesize
156KB

Download
memory/4252-136-0x0000000000980000-0x00000000009C5000-memory.dmp

Filesize
276KB

Download