Analysis
-
max time kernel
1711s -
max time network
1717s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system -
submitted
28-02-2024 17:59
Static task
static1
Behavioral task
behavioral1
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win10-20240221-en
Behavioral task
behavioral2
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win10-20240221-en
Behavioral task
behavioral4
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win11-20240221-en
General
-
Target
Setup (password is THEPIRATEBAY007).zip
-
Size
5.1MB
-
MD5
5a7b05af6be77d411d38e4b9603de6fb
-
SHA1
890c2441287979341aea951ff1dd0e4e692493bf
-
SHA256
f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96
-
SHA512
ff24593ff5703675fd41c53acb35e6e36cf33baa660e23a005287eab482c6e79a0cd922efb2b82a6cdec3b8b425f6aeb37f71340b0cbca6ecc2f70475b4c3b2e
-
SSDEEP
98304:Qay8P3DkDOgkjEBA43Or6uDfilxC0v+3ECjIir05+JKe5G6tZTaD027+mo:Qay8/6vDBAuOr6kYp+tEK6eKe5GoZF2k
Malware Config
Extracted
fickerstealer
45.93.201.181:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Executes dropped EXE 8 IoCs
pid Process 2196 Setup.exe 3444 Setup.exe 4176 Setup.exe 612 Setup.exe 2520 Setup.exe 1496 Setup.exe 2888 Setup.exe 2648 Setup.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 2196 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe 4176 Setup.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4772 osk.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: 33 1664 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1664 AUDIODG.EXE Token: SeRestorePrivilege 5108 7zG.exe Token: 35 5108 7zG.exe Token: SeSecurityPrivilege 5108 7zG.exe Token: SeSecurityPrivilege 5108 7zG.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5108 7zG.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 1568 DllHost.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe 4772 osk.exe -
Suspicious use of UnmapMainImage 3 IoCs
pid Process 2196 Setup.exe 4176 Setup.exe 2520 Setup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 2196 wrote to memory of 3444 2196 Setup.exe 81 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 4176 wrote to memory of 612 4176 Setup.exe 84 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2520 wrote to memory of 1496 2520 Setup.exe 86 PID 2888 wrote to memory of 2648 2888 Setup.exe 88
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007).zip"1⤵PID:192
-
C:\Windows\system32\osk.exe"C:\Windows\system32\osk.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4772
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3c81⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1228
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\" -spe -an -ai#7zMap9394:150:7zEvent93891⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5108
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
PID:3444
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}1⤵
- Suspicious use of SetWindowsHookEx
PID:1568
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
PID:612
-
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
PID:1496
-
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
PID:2648
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12B
MD58cf4dec152a9d79a3d62202b886eda9b
SHA10c1b3d3d02c0b655aa3526a58486b84872f18cc2
SHA256c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01
SHA512a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd
-
Filesize
2.6MB
MD5d5a504c65f4947f80d41a6bb16e7a31a
SHA1b8b021c9235aa88f75db08bd856f8a7ae9db0f6a
SHA2567bd18c5f0349682cb86262635a817bf22b4e904cd757aa208697133cd53c85b0
SHA512c002473fc8728bd5b4cd68a66a77d37741c8238a75efc8bbe77c021da077c25816dfc0cb53f548ebadb73cf70c73cedebf12b3edd238bf2fb85e8dc23e11d7f2
-
Filesize
2.0MB
MD50015f7dd6898da27c6a32d8d81fbde8c
SHA1adea0141b3cea617241ab69260f9156c838ab3fb
SHA25660c075883078d95e93bcd9325642fc683b661b94122ede4140b0bce634f237ed
SHA5126e8f02e4b0b4c0eaf9884758a3291ccb16ba6e7008baeb8bc6898a2795e0a4f2cd6ed6660d286ccfaa05011d95ca63c1c2ba0fa07f6bd3fdedae924027b80a9c
-
Filesize
3.4MB
MD54e1de51f9b8108a900b75f04072e3bd6
SHA167c25591fe36a5328358b97c2549d22fa2b19ade
SHA2567d4b21dbb5879abbec61141a8c3d399b9cc402aa301e48cc0c62a6c34910d004
SHA512ca0f3b5b533d6e6732dab007780b937f2ef294b8295cc598bc69b0cb9da9e17432c933c2fbcdc8b0533ea09c6d3b736df52b8f1711d081a8f79873eb1ccb034f
-
Filesize
1.1MB
MD5990ec639070f40b8d33d8b35c0ca7b26
SHA1edbeb0481199d52d4a3b822a84a1474aaa3b632f
SHA25619dc240b7ad92d606fa93cdedf2411f0fe11a7e95c4b32e8c09a4859865f0944
SHA512fa3351768ec8cddfd2cea9e4ea5db5f8f09677f172712885c79758e261650d4d3210d37c5fb70fb2c9fec7cefc838ca63af828e0ec0858c10dbe1ee2a863ad98
-
Filesize
5.0MB
MD506a0906938fc1a48051911051f433a19
SHA129691c4be7f1d5201c3c5c52445fd06d390a82a1
SHA256b4d28a6a41f23e02da9c0b77db1d11dbc7d3a8d177b92f2909599d665f730b2a
SHA51231172d35f7f09d9f482446737bc0151949b139360d5aca30cbc2148609e302d70feb99d298693afd54a083276dd52936aa9e8be731e9002252880ff15a8e76e9
-
Filesize
3.0MB
MD53cdda21d1f08d31937d3ed51a8280db0
SHA134d87c353bc6c6e5f690b20c1457ed303db9bbbb
SHA256a55a4c5faf580b02c8f488f203eb88c1f19d4ae417877f84272320577c916336
SHA5125b5be85be8405dca2a69386215778740f41577dd0d35de6827bae0fb4556a832e6a83888d068b2af7d43738e930976e95411a81dc2e4d90b57e5355522fc006f
-
Filesize
1.3MB
MD53545dad0614c5a44f93907a20db8fa70
SHA1c9d23f56451bf41f2fb092a7fb1edc4173c06e41
SHA256145665113f911ca3ea1bf3047431b9cdaf1903b5f445e6afd33f353d4746faa7
SHA512951a21a3c6fa0331667595894b0d0898608219f4267d325e6f105b6f50fa8782da84db3af92e5d13563956ffabf5b9ab3c11dbe7585afddc5c9da2c0768d7fc8
-
Filesize
494KB
MD58698ffaad6fe6ef20f01c684c9c63bf0
SHA138fec57f62eff8cba8963b5999dbc5a4e583c069
SHA25668f4e71ec828b40104a0d122a0ea405db140785349c515db4a46f1af2eb6bd80
SHA5125de6b7b8323b5f0e878c06dfab4f8d93cac937ea9f354540b9a85aba4ba36434b3d5f7427d3db378b46173fc3534c529b64f4f4b2e4acfcc0e7c42c72cab7cd3
-
Filesize
794KB
MD5c080f73273aaf7a904662274ac1d6bbd
SHA1ddfa4541f7ff915a5ddd0fd37fdb4ceb483a4853
SHA2564ce107d5abd596e9d537adfbfceb6b18df630e233251cc1eb35f2a419f47a4c4
SHA5122f5ed758cf8581a02e97de701900c5d450cf354e25aca2f1fbc0f962a00ccda7172d8f589b374b619f7317ba0d0acd9d29cb9e06da80a4a7b6320ff91f84cb93