fickerstealer | c09d37e5458549e449d71b40a0e34bc97032dd00bcacb365e0ade893e4e35ec3

Analysis

max time kernel
83s
max time network
101s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
Size

282KB
MD5

72dcda0a0601b6e7df5b2d4133d8224f
SHA1

4604ae50310f18648bfdce614f6332088cddff63
SHA256

96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d
SHA512

d7e08462a7e6e27d707becc83825ec3ec9275cc36b60e85c4980d8ea5002d3a7973cb89ae993b657e38be502db206a0b27fa0cfd784505c0fba0f2b1edfc92a4
SSDEEP

6144:K8it3a+Prec1DJGDBXgN61cZlCsIH37fv1u5Jj6mV6:KJ3ofFXgcWWsIH37fya

Score

10^/10

fickerstealer infostealer

Malware Config

Extracted

Family

fickerstealer

lukkeze.club:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
324	chrome.exe
324	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	324	chrome.exe
Token: SeShutdownPrivilege	324	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 924 wrote to memory of 1792	924	96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe	28
PID 324 wrote to memory of 1892	324	chrome.exe	32
PID 324 wrote to memory of 1892	324	chrome.exe	32
PID 324 wrote to memory of 1892	324	chrome.exe	32
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1956	324	chrome.exe	34
PID 324 wrote to memory of 1632	324	chrome.exe	35
PID 324 wrote to memory of 1632	324	chrome.exe	35
PID 324 wrote to memory of 1632	324	chrome.exe	35
PID 324 wrote to memory of 1668	324	chrome.exe	36
PID 324 wrote to memory of 1668	324	chrome.exe	36
PID 324 wrote to memory of 1668	324	chrome.exe	36
PID 324 wrote to memory of 1668	324	chrome.exe	36
PID 324 wrote to memory of 1668	324	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
"C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
  "C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
  2⤵
  PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fb9758,0x7fef6fb9768,0x7fef6fb9778
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2352 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1148 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3336 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1248,i,7515060348071908941,4869773130233107486,131072 /prefetch:8
  2⤵
  PID:2240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kaosdma.txt

Filesize
12B

MD5
71d587e911373f62d72a158eceb6e0e7

SHA1
68d81a1a4fb19c609288a94f10d1bbb92d972a68

SHA256
acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8

SHA512
a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6431ab35-d074-4d02-b86a-4ce3120e23a7.tmp

Filesize
145KB

MD5
2430f0ec4e8410b20cbda46a00b4ff6f

SHA1
54281578a1c679ccdfea9437f7d7cfa4f00e126e

SHA256
2fdef04b470dec670ed2dce60a77d3e33319a776b053c7069c81f690a6330283

SHA512
37c6a0cf62bc6557488cfe2f3f0555050c85d0bc62680df516afde2fa85a8e11d6f23b756146fc53c5c87e2b1d116f887f2e39f72e2fd67bbf257feeb8c7dbe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0370d6ca96d7d0b277a63459af83fb4b

SHA1
4faa4673402629e08e75e22998f0fc98269883e6

SHA256
28d93f5653b5a4dffa30198fb8e03e55ea23cd0ff4d1e988d12e221b4ad32e6b

SHA512
5d61de0deb5ebcf446310529a44ca5f2be11dc80d56544e1063a33137e2a9c19f1ae1bb9382e84c38452e14ae605c669e740d0155f60f53ed3c576a6eee3bf42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
32120383e35a94a9f77e77f967b1a9d3

SHA1
2baf024eb359303a37b3c4edbbf8986d735d03e8

SHA256
304c1e573ee24573ad8f7ba0f3983eae427c263ef01e6ddcbe3941ad14ed058e

SHA512
335f23fc7838b0640f868878276f981e31ab9648ea4fefc7f693e37319f705d2059a2b44ce8e84a9af95c0718ba65177e8885ef5322f41bfca965f3f233cd609

Download Submit
memory/924-57-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1792-59-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-66-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-60-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1792-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download