Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
21-03-2023 13:28
Static task
static1
Behavioral task
behavioral1
Sample
42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
Resource
win10v2004-20230220-en
General
-
Target
42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
-
Size
480KB
-
MD5
a8347795e62fd5ea607f98579c1d49ec
-
SHA1
6e4b74e8f7447b6a7db13b4dbcefea258e430a4f
-
SHA256
42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d
-
SHA512
790726f6e8045324e1482e8614194299f1b501fa73f22ef516dddf5157404fbaeb7ef1983f4f771f34673d6749853a236ceff97be3e58d32740d2e08b7f5e349
-
SSDEEP
6144:ALaTiFA3m+iCOvax2wVTqUiYTOefJC/cpTQbrZxBqZugCoZsBgbIOHH4:AuTH3mzCYA20mMOehjkbr7BUug6gbL4
Malware Config
Extracted
fickerstealer
fasdas.link:8080
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exedescription pid process target process PID 4108 set thread context of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exedescription pid process target process PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe PID 4108 wrote to memory of 756 4108 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\gwegwe.txtFilesize
12B
MD571d587e911373f62d72a158eceb6e0e7
SHA168d81a1a4fb19c609288a94f10d1bbb92d972a68
SHA256acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8
SHA512a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060
-
memory/756-134-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/756-137-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/756-138-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/756-144-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/4108-136-0x00000000021B0000-0x000000000221C000-memory.dmpFilesize
432KB