fickerstealer | 7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206

Analysis

max time kernel
155s
max time network
56s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
06-03-2023 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

793.8MB
MD5

9a851a47a9bd2f92c61d2486d1be3064
SHA1

3cda31c06db97246705d95dfcf4908eafb514b87
SHA256

7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206
SHA512

90340910dc1ee90ccfe7f451578de67c5ca32b95525157acd8b5bc2e99b9c0b2254bfb58997cc848a0ead871bc3f1e03dbb152d56aa709c4ecd3742404eec27b
SSDEEP

196608:6spHQk/ICYcdYtOQYMvm6Iu+8RuJQHIsuRuJyPquRuJXMD349nt3njto03qJbYav:6csCYgIBH2XD349nt3nW03s8up

Score

10^/10

fickerstealer evasion infostealer spyware stealer

Malware Config

Extracted

Family

fickerstealer

45.93.201.181:80

91.240.118.51:253

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

Setup.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "irsetup.exe"	Setup.exe

Executes dropped EXE 1 IoCs

Processes:

1678149144959.exe

pid	Process
2760	1678149144959.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1088	2760	WerFault.exe	69

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exetaskmgr.exe

pid	Process
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
3464	Setup.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
784	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	Process
Token: SeDebugPrivilege	784	taskmgr.exe
Token: SeSystemProfilePrivilege	784	taskmgr.exe
Token: SeCreateGlobalPrivilege	784	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	Process
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe
784	taskmgr.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Setup.exe

pid	Process
3464	Setup.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Setup.exeSetup.exe

description	pid	Process	procid_target
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3464 wrote to memory of 3944	3464	Setup.exe	68
PID 3944 wrote to memory of 2760	3944	Setup.exe	69
PID 3944 wrote to memory of 2760	3944	Setup.exe	69
PID 3944 wrote to memory of 2760	3944	Setup.exe	69

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Blocks application from running via registry modification
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\1678149144959.exe
    "C:\Users\Admin\AppData\Local\Temp\1678149144959.exe"
    3⤵
    - Executes dropped EXE
    PID:2760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 264
      4⤵
      Program crash
      PID:1088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6RO0PN6W\LZTI5EVF.txt

Filesize
12B

MD5
71d587e911373f62d72a158eceb6e0e7

SHA1
68d81a1a4fb19c609288a94f10d1bbb92d972a68

SHA256
acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8

SHA512
a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

Download Submit
C:\Users\Admin\AppData\Local\Temp\1678149144959.exe

Filesize
1.9MB

MD5
36279007f90425caff1cb216971a1d14

SHA1
9dac3a30c67ff986e93d6f1181d5d814b39a6c30

SHA256
b8b3733f532eb89f383115fc7e183dd0fdf24026fbf2e98ea95f0beaf0e57798

SHA512
84ad90ca8b3079ddb1be283d98c66df26c00c5a43fad6b7fd658b55b4207a0f8b2d6945469bc6ed4ee158b7512b5fa65700aa9ed6bc51d59103ebfe4ecbe0a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1678149144959.exe

Filesize
1.9MB

MD5
36279007f90425caff1cb216971a1d14

SHA1
9dac3a30c67ff986e93d6f1181d5d814b39a6c30

SHA256
b8b3733f532eb89f383115fc7e183dd0fdf24026fbf2e98ea95f0beaf0e57798

SHA512
84ad90ca8b3079ddb1be283d98c66df26c00c5a43fad6b7fd658b55b4207a0f8b2d6945469bc6ed4ee158b7512b5fa65700aa9ed6bc51d59103ebfe4ecbe0a7a

Download Submit
memory/2760-140-0x0000000002980000-0x0000000002AD6000-memory.dmp

Filesize
1.3MB

Download
memory/2760-139-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2760-146-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3464-126-0x0000000033950000-0x0000000033ADE000-memory.dmp

Filesize
1.6MB

Download
memory/3464-121-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3464-141-0x0000000033950000-0x0000000033ADE000-memory.dmp

Filesize
1.6MB

Download
memory/3464-125-0x0000000031E20000-0x0000000031E9B000-memory.dmp

Filesize
492KB

Download
memory/3944-129-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3944-123-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3944-122-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3944-124-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3944-142-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3944-145-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3944-128-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download