Analysis
max time kernel: 144s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 05-01-2024 02:13
Static task: static1
Behavioral task: behavioral1
Sample: 428194f0c7817cd2d1ba7c94291107a3.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 428194f0c7817cd2d1ba7c94291107a3.exe
Resource: win10v2004-20231215-en
General
Target: 428194f0c7817cd2d1ba7c94291107a3.exe
Size: 578KB
MD5: 428194f0c7817cd2d1ba7c94291107a3
SHA1: 3cc2291ae305f80034626aba354b35a5529b282a
SHA256: 615417eba83a4c9800d6c375de53aaeadbb5113029a1db3c14cd22abc55f2a92
SHA512: 5b8ab230380f8100901dc669033057dfd3205e707d301593e9faf487d1d4ee590cbb56a5b95281cad700264d0cafcd46d45ac7b65b03f6c03199cb922224c660
SSDEEP: 12288:pc0Sv/ZoFTTqc2aK6beLd1YcEDuck3zMW0rwrsu:NSv/Z8Tq36KdKXDuNh3
Malware Config
Extracted: fickerstealer
80.87.192.115:80
Signatures
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3    | api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes: 428194f0c7817cd2d1ba7c94291107a3.exe
description                        | pid  | Process                              | procid_target
PID 2528 set thread context of 2456 | 2528 | 428194f0c7817cd2d1ba7c94291107a3.exe | 28
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 428194f0c7817cd2d1ba7c94291107a3.exe
The report lists 20 entries, all identical:
description                   | pid  | Process                              | procid_target
PID 2528 wrote to memory of 2456 | 2528 | 428194f0c7817cd2d1ba7c94291107a3.exe | 28
Processes
[1] C:\Users\Admin\AppData\Local\Temp\428194f0c7817cd2d1ba7c94291107a3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\428194f0c7817cd2d1ba7c94291107a3.exe"
    PID: 2528
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\428194f0c7817cd2d1ba7c94291107a3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\428194f0c7817cd2d1ba7c94291107a3.exe"
        PID: 2456
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 12B
MD5: 8cf4dec152a9d79a3d62202b886eda9b
SHA1: 0c1b3d3d02c0b655aa3526a58486b84872f18cc2
SHA256: c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01
SHA512: a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd