Overview

overview

10

Static

static

1

42a3a11367...1d.exe

windows7-x64

10

42a3a11367...1d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2023 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe

  • Size

    480KB

  • MD5

    a8347795e62fd5ea607f98579c1d49ec

  • SHA1

    6e4b74e8f7447b6a7db13b4dbcefea258e430a4f

  • SHA256

    42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d

  • SHA512

    790726f6e8045324e1482e8614194299f1b501fa73f22ef516dddf5157404fbaeb7ef1983f4f771f34673d6749853a236ceff97be3e58d32740d2e08b7f5e349

  • SSDEEP

    6144:ALaTiFA3m+iCOvax2wVTqUiYTOefJC/cpTQbrZxBqZugCoZsBgbIOHH4:AuTH3mzCYA20mMOehjkbr7BUug6gbL4

Score
10/10
fickerstealerinfostealer

Malware Config

Extracted

Family

fickerstealer

C2

fasdas.link:8080

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
    "C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
      "C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
      2⤵
        PID:1932
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1168
    • C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
      "C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
        "C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
        2⤵
          PID:1788
      • C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
        "C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
          "C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
          2⤵
            PID:1508
        • C:\Windows\system32\mmc.exe
          "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
          1⤵
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:272

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\gwegwe.txt
          Filesize

          12B

          MD5

          71d587e911373f62d72a158eceb6e0e7

          SHA1

          68d81a1a4fb19c609288a94f10d1bbb92d972a68

          SHA256

          acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8

          SHA512

          a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\Settings.Xml
          Filesize

          109B

          MD5

          884320a9b8f018f309f5a96107133f89

          SHA1

          102e8a8f3c91a10d9d670e0b3715bd2e0acee5ff

          SHA256

          50fd9d76d1c43bb16b166de02aaf8adec09eb5bc4cefdca9d1af2e0f7b1d8f64

          SHA512

          b815fcbd7263b6667f01478b955f9734b1bddbcd7ca8e62ef8ff1ec46ed99931ba466c976ac781f1bd899125571585d580f6f232cc37b8e9ed87935981b99b78

          Download Submit

        • memory/272-108-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-119-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-97-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-117-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-115-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-114-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-113-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-112-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-98-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-111-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-89-0x0000000002700000-0x000000000271E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/272-90-0x000000001CE50000-0x000000001D196000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/272-91-0x0000000002150000-0x0000000002151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/272-93-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-92-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-94-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-95-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-96-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-110-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-107-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-104-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-100-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-101-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-103-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-105-0x0000000004100000-0x0000000004180000-memory.dmp

          Filesize

          512KB

          Download

        • memory/272-99-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/272-106-0x0000000002150000-0x0000000002151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1168-69-0x0000000002240000-0x0000000002250000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1168-67-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1168-66-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/1508-86-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1636-58-0x0000000000290000-0x00000000002FC000-memory.dmp

          Filesize

          432KB

          Download

        • memory/1788-76-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1932-59-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1932-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1932-68-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1932-56-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1932-60-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

          Download