Analysis
-
max time kernel
1711s -
max time network
1717s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
28-02-2024 17:59
General
-
Target
Setup (password is THEPIRATEBAY007).zip
-
Size
5.1MB
-
MD5
5a7b05af6be77d411d38e4b9603de6fb
-
SHA1
890c2441287979341aea951ff1dd0e4e692493bf
-
SHA256
f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96
-
SHA512
ff24593ff5703675fd41c53acb35e6e36cf33baa660e23a005287eab482c6e79a0cd922efb2b82a6cdec3b8b425f6aeb37f71340b0cbca6ecc2f70475b4c3b2e
-
SSDEEP
98304:Qay8P3DkDOgkjEBA43Or6uDfilxC0v+3ECjIir05+JKe5G6tZTaD027+mo:Qay8/6vDBAuOr6kYp+tEK6eKe5GoZF2k
Malware Config
Extracted
fickerstealer
45.93.201.181:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Executes dropped EXE 8 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of UnmapMainImage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007).zip"1⤵
-
C:\Windows\system32\osk.exe"C:\Windows\system32\osk.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3c81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\" -spe -an -ai#7zMap9394:150:7zEvent93891⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12B
MD58cf4dec152a9d79a3d62202b886eda9b
SHA10c1b3d3d02c0b655aa3526a58486b84872f18cc2
SHA256c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01
SHA512a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd
-
Filesize
2.6MB
MD5d5a504c65f4947f80d41a6bb16e7a31a
SHA1b8b021c9235aa88f75db08bd856f8a7ae9db0f6a
SHA2567bd18c5f0349682cb86262635a817bf22b4e904cd757aa208697133cd53c85b0
SHA512c002473fc8728bd5b4cd68a66a77d37741c8238a75efc8bbe77c021da077c25816dfc0cb53f548ebadb73cf70c73cedebf12b3edd238bf2fb85e8dc23e11d7f2
-
Filesize
2.0MB
MD50015f7dd6898da27c6a32d8d81fbde8c
SHA1adea0141b3cea617241ab69260f9156c838ab3fb
SHA25660c075883078d95e93bcd9325642fc683b661b94122ede4140b0bce634f237ed
SHA5126e8f02e4b0b4c0eaf9884758a3291ccb16ba6e7008baeb8bc6898a2795e0a4f2cd6ed6660d286ccfaa05011d95ca63c1c2ba0fa07f6bd3fdedae924027b80a9c
-
Filesize
3.4MB
MD54e1de51f9b8108a900b75f04072e3bd6
SHA167c25591fe36a5328358b97c2549d22fa2b19ade
SHA2567d4b21dbb5879abbec61141a8c3d399b9cc402aa301e48cc0c62a6c34910d004
SHA512ca0f3b5b533d6e6732dab007780b937f2ef294b8295cc598bc69b0cb9da9e17432c933c2fbcdc8b0533ea09c6d3b736df52b8f1711d081a8f79873eb1ccb034f
-
Filesize
1.1MB
MD5990ec639070f40b8d33d8b35c0ca7b26
SHA1edbeb0481199d52d4a3b822a84a1474aaa3b632f
SHA25619dc240b7ad92d606fa93cdedf2411f0fe11a7e95c4b32e8c09a4859865f0944
SHA512fa3351768ec8cddfd2cea9e4ea5db5f8f09677f172712885c79758e261650d4d3210d37c5fb70fb2c9fec7cefc838ca63af828e0ec0858c10dbe1ee2a863ad98
-
Filesize
5.0MB
MD506a0906938fc1a48051911051f433a19
SHA129691c4be7f1d5201c3c5c52445fd06d390a82a1
SHA256b4d28a6a41f23e02da9c0b77db1d11dbc7d3a8d177b92f2909599d665f730b2a
SHA51231172d35f7f09d9f482446737bc0151949b139360d5aca30cbc2148609e302d70feb99d298693afd54a083276dd52936aa9e8be731e9002252880ff15a8e76e9
-
Filesize
3.0MB
MD53cdda21d1f08d31937d3ed51a8280db0
SHA134d87c353bc6c6e5f690b20c1457ed303db9bbbb
SHA256a55a4c5faf580b02c8f488f203eb88c1f19d4ae417877f84272320577c916336
SHA5125b5be85be8405dca2a69386215778740f41577dd0d35de6827bae0fb4556a832e6a83888d068b2af7d43738e930976e95411a81dc2e4d90b57e5355522fc006f
-
Filesize
1.3MB
MD53545dad0614c5a44f93907a20db8fa70
SHA1c9d23f56451bf41f2fb092a7fb1edc4173c06e41
SHA256145665113f911ca3ea1bf3047431b9cdaf1903b5f445e6afd33f353d4746faa7
SHA512951a21a3c6fa0331667595894b0d0898608219f4267d325e6f105b6f50fa8782da84db3af92e5d13563956ffabf5b9ab3c11dbe7585afddc5c9da2c0768d7fc8
-
Filesize
494KB
MD58698ffaad6fe6ef20f01c684c9c63bf0
SHA138fec57f62eff8cba8963b5999dbc5a4e583c069
SHA25668f4e71ec828b40104a0d122a0ea405db140785349c515db4a46f1af2eb6bd80
SHA5125de6b7b8323b5f0e878c06dfab4f8d93cac937ea9f354540b9a85aba4ba36434b3d5f7427d3db378b46173fc3534c529b64f4f4b2e4acfcc0e7c42c72cab7cd3
-
Filesize
794KB
MD5c080f73273aaf7a904662274ac1d6bbd
SHA1ddfa4541f7ff915a5ddd0fd37fdb4ceb483a4853
SHA2564ce107d5abd596e9d537adfbfceb6b18df630e233251cc1eb35f2a419f47a4c4
SHA5122f5ed758cf8581a02e97de701900c5d450cf354e25aca2f1fbc0f962a00ccda7172d8f589b374b619f7317ba0d0acd9d29cb9e06da80a4a7b6320ff91f84cb93
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
1.5MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
492KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
492KB
-
Filesize
16.0MB
-
Filesize
492KB
-
Filesize
1.6MB
-
Filesize
492KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
1.6MB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
1.6MB
-
Filesize
16.0MB