Analysis
-
max time kernel
175s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29/01/2023, 19:52 UTC
Static task
static1
Behavioral task
behavioral1
Sample
3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe
Resource
win10v2004-20221111-en
General
-
Target
3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe
-
Size
349KB
-
MD5
59024427b1d83a475e33157c41aa8048
-
SHA1
e69ddf03cb1a72b5b6cfd07677fff2550b506077
-
SHA256
3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a
-
SHA512
f14e0c6c18ff8115156467621243aaefef6253dbede47747696029b433daa0bc2ddc420d0aebf2ca7394759a710b667e2fd18c5044d57c1a5476cc38f8bef40b
-
SSDEEP
6144:xgqFVwCVJ4MzpHA7gc3sjYhIcwkoy6eZnBiSaL5X28mQ399ydab204VRJ:ZVwsm4pg7gcsYIFeVBiSaMKer04R
Malware Config
Extracted
fickerstealer
deniedfight.com:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4252 set thread context of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79 PID 4252 wrote to memory of 4224 4252 3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe"C:\Users\Admin\AppData\Local\Temp\3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe"C:\Users\Admin\AppData\Local\Temp\3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe"2⤵PID:4224
-
Network
-
Remote address:8.8.8.8:53Requestapi.ipify.orgIN AResponseapi.ipify.orgIN CNAMEapi4.ipify.orgapi4.ipify.orgIN A64.185.227.155api4.ipify.orgIN A173.231.16.76api4.ipify.orgIN A104.237.62.211
-
GEThttp://api.ipify.org/?format=xml3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exeRemote address:64.185.227.155:80RequestGET /?format=xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: api.ipify.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Length: 12
Content-Type: text/plain
Date: Sun, 29 Jan 2023 19:53:39 GMT
Vary: Origin
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Request176.122.125.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN A
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN A
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN A
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN A
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN A
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
Remote address:8.8.8.8:53Requestdeniedfight.comIN AResponse
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
64.185.227.155:80http://api.ipify.org/?format=xmlhttp3300566fc05d714abb32bad90f37290e232cafc50709b7fb4c828c911d6e1b9a.exe559 B 404 B 6 5
HTTP Request
GET http://api.ipify.org/?format=xmlHTTP Response
200 -
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
59 B 126 B 1 1
DNS Request
api.ipify.org
DNS Response
64.185.227.155173.231.16.76104.237.62.211
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
73 B 159 B 1 1
DNS Request
176.122.125.40.in-addr.arpa
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
305 B 5
DNS Request
deniedfight.com
DNS Request
deniedfight.com
DNS Request
deniedfight.com
DNS Request
deniedfight.com
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com
-
61 B 134 B 1 1
DNS Request
deniedfight.com