fickerstealer | 79877ff84a9faa5618a8eb36af74ab50431dcb8dc6afb923e0010518e03d49a5

Analysis

max time kernel
146s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 01:53

Target

237c10d4fbbc7218229e3b41aceb1a0d.exe
Size

595KB
MD5

237c10d4fbbc7218229e3b41aceb1a0d
SHA1

18f1c2b7b788439cffd394068ef5c98764d1b6f3
SHA256

79877ff84a9faa5618a8eb36af74ab50431dcb8dc6afb923e0010518e03d49a5
SHA512

758abe7787817d5a5a40243daa06166f90873f07a159bcdff5ee6d99f21b6121447d4bb093fb871dd67d88fe35292092077a215b91bdd52db23c78e9ee2599c2
SSDEEP

6144:eHS6bolVtRUhX4riR0e9xA3f/Oc674bpDS3sROWMoawMt3MW0rLAb56dpLN4XQKl:T6bo7gX4ri9m3XOYbEsRO5MW0rwrsu

Score

10^/10

Family

fickerstealer

80.87.192.115:80

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50
PID 2100 wrote to memory of 5068	2100	237c10d4fbbc7218229e3b41aceb1a0d.exe	50

C:\Users\Admin\AppData\Local\Temp\237c10d4fbbc7218229e3b41aceb1a0d.exe
"C:\Users\Admin\AppData\Local\Temp\237c10d4fbbc7218229e3b41aceb1a0d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\237c10d4fbbc7218229e3b41aceb1a0d.exe
  "C:\Users\Admin\AppData\Local\Temp\237c10d4fbbc7218229e3b41aceb1a0d.exe"
  2⤵
  PID:5068

memory/2100-2-0x0000000003540000-0x0000000003587000-memory.dmp

Filesize
284KB

Download
memory/2100-1-0x0000000003620000-0x0000000003720000-memory.dmp

Filesize
1024KB

Download
memory/5068-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5068-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5068-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5068-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download