fickerstealer | c83c9155b3ebab58bbd40ed61624f8d8ddb9d1f87601d2dfa0f7b529a49800c6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 13:28

Target

42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
Size

480KB
MD5

a8347795e62fd5ea607f98579c1d49ec
SHA1

6e4b74e8f7447b6a7db13b4dbcefea258e430a4f
SHA256

42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d
SHA512

790726f6e8045324e1482e8614194299f1b501fa73f22ef516dddf5157404fbaeb7ef1983f4f771f34673d6749853a236ceff97be3e58d32740d2e08b7f5e349
SSDEEP

6144:ALaTiFA3m+iCOvax2wVTqUiYTOefJC/cpTQbrZxBqZugCoZsBgbIOHH4:AuTH3mzCYA20mMOehjkbr7BUug6gbL4

Score

10^/10

Family

fickerstealer

fasdas.link:8080

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87
PID 4108 wrote to memory of 756	4108	42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe	87

C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
  "C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
  2⤵
  PID:756

C:\ProgramData\gwegwe.txt

Filesize
12B

MD5
71d587e911373f62d72a158eceb6e0e7

SHA1
68d81a1a4fb19c609288a94f10d1bbb92d972a68

SHA256
acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8

SHA512
a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

Download Submit
memory/756-134-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/756-137-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/756-138-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/756-144-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4108-136-0x00000000021B0000-0x000000000221C000-memory.dmp

Filesize
432KB

Download