Overview

overview

10

Static

static

1

Setup (pas...7).zip

windows10-1703-x64

10

Setup (pas...7).zip

windows7-x64

10

Setup (pas...7).zip

windows10-1703-x64

10

Setup (pas...7).zip

windows10-2004-x64

1

Setup (pas...7).zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    1789s
  • max time network
    1809s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-02-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup (password is THEPIRATEBAY007).zip

  • Size

    5.1MB

  • MD5

    5a7b05af6be77d411d38e4b9603de6fb

  • SHA1

    890c2441287979341aea951ff1dd0e4e692493bf

  • SHA256

    f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96

  • SHA512

    ff24593ff5703675fd41c53acb35e6e36cf33baa660e23a005287eab482c6e79a0cd922efb2b82a6cdec3b8b425f6aeb37f71340b0cbca6ecc2f70475b4c3b2e

  • SSDEEP

    98304:Qay8P3DkDOgkjEBA43Or6uDfilxC0v+3ECjIir05+JKe5G6tZTaD027+mo:Qay8/6vDBAuOr6kYp+tEK6eKe5GoZF2k

Score
10/10
fickerstealerinfostealer

Malware Config

Extracted

Family

fickerstealer

C2

45.93.201.181:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • Executes dropped EXE 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007).zip"
    1⤵
      PID:3744
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1260
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\" -spe -an -ai#7zMap934:150:7zEvent15544
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3480
      • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
          2⤵
          • Executes dropped EXE
          PID:4908
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 644
            3⤵
            • Program crash
            PID:3036
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 648
            3⤵
            • Program crash
            PID:4720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
        1⤵
          PID:4732
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4908 -ip 4908
          1⤵
            PID:4420
          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3060
            • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
              "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
              2⤵
              • Executes dropped EXE
              PID:4916
          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:224
            • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
              "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
              2⤵
              • Executes dropped EXE
              PID:4924

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\krosqm.txt
            Filesize

            12B

            MD5

            8cf4dec152a9d79a3d62202b886eda9b

            SHA1

            0c1b3d3d02c0b655aa3526a58486b84872f18cc2

            SHA256

            c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

            SHA512

            a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            Filesize

            2.4MB

            MD5

            9c53ebe0f73210b48f3ae5f9ebd9bc7e

            SHA1

            1e0688aed679919c6283471d61f7af3a0f1a3cbc

            SHA256

            df4e9e42b746617be9f864bc9d02c30977a972297e9b0fe695910d163cc2f8d4

            SHA512

            32a2a720cfda0b7422db3d2906fdceb284574e888c2cb06b3f761d765eaa3d5be4894cd75e2d1e239404010d7c66ac3c4e8b74643c859d727441a71d5184f6f3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            Filesize

            192KB

            MD5

            757f0a2c30fb7ab28cdc662c55cb5a27

            SHA1

            23b6ddf41ba1dc942daf74ba583f2d94792bf20a

            SHA256

            c31faf4c9fedc8356e19b2357626507313091093dbf1b829638b59e5acc78dee

            SHA512

            701a7c9430ee2e263bd052f3c2a19e3c5ccdb337c307a4a3d7281d4f479171349fed2cae194befa1f7c265c16cd0ffa3784b52ea5413af5f55dc4cd357a535fe

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            Filesize

            1.4MB

            MD5

            77f152a093a445c4b4568b95d57af9bf

            SHA1

            b14848a1ebaaeb4a6f3f21bb563a849ecd5cd6df

            SHA256

            a2f3b7de1fe2301a05ddfd8ee377fcd0a41524963dec834f9b8edbaec549ab7b

            SHA512

            eef79d91f705a6443158820c0174fcfd444c5d9546dd68608c847443ff5e8c231c4768a387f83e6f20add381b4ad643a127f9f11c6a351942af8a3acd060a7ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            Filesize

            1.6MB

            MD5

            a2171855f154931b174c01d9ca0be844

            SHA1

            2678fcedb4cf508e4d270314d1565a22adce5b57

            SHA256

            c2240fab87390fd99ec8e5699835d52802f7b5f0cbe5e2e08fb2e478c84ae5ce

            SHA512

            f4bc0c4c1351691ea38e86d0ae465ca212b3c14d88d0b0cde764740725ade06f484806a23b30cf3c21483d36eca8fd4fe1b0ca065dac53331f80b871c10b4854

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            Filesize

            1.3MB

            MD5

            91d42f6339c43bc9aa47cf570c03e87c

            SHA1

            7c43e83df777b8410990046ffcaf15a7749a1dbd

            SHA256

            bc4fa11680e4f098b4fa3404bf306c7b3dd3a263a7c85ca8502db7d0eef7a063

            SHA512

            bdfedce71f2d4d4506aec9e6ad92a224a9ff051769162b92b9f9a30a22fdca4a1cc746435a9fa9976885fe5f8da534cdf9f96b743f21a42a7980d9129d991039

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            Filesize

            1.9MB

            MD5

            085762c5245c4f9412963fe385cf65f7

            SHA1

            d17f0ecb08a1ee7c9f591c3f6a5cfcf2e4ce2a92

            SHA256

            b7db938a775cf4209fa51b48a688699a71721065a8530207645806c2263bc1b3

            SHA512

            594622dcaf90d1ff0567315eabe1ef4e0537962d48e4091f99d5b014f7e68747d31f234fe1595374525f11e64ea833ab7c78a052511061e8fc07bf423e6e8f32

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
            Filesize

            3.0MB

            MD5

            3cdda21d1f08d31937d3ed51a8280db0

            SHA1

            34d87c353bc6c6e5f690b20c1457ed303db9bbbb

            SHA256

            a55a4c5faf580b02c8f488f203eb88c1f19d4ae417877f84272320577c916336

            SHA512

            5b5be85be8405dca2a69386215778740f41577dd0d35de6827bae0fb4556a832e6a83888d068b2af7d43738e930976e95411a81dc2e4d90b57e5355522fc006f

            Download Submit

          • memory/224-54-0x0000000033B60000-0x0000000033BDB000-memory.dmp

            Filesize

            492KB

            Download

          • memory/224-43-0x0000000033D30000-0x0000000033ED9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/224-40-0x0000000033B60000-0x0000000033BDB000-memory.dmp

            Filesize

            492KB

            Download

          • memory/224-39-0x0000000000400000-0x0000000001400000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/3060-23-0x0000000033A80000-0x0000000033AFB000-memory.dmp

            Filesize

            492KB

            Download

          • memory/3060-24-0x0000000033C60000-0x0000000033E09000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/3060-31-0x0000000033A80000-0x0000000033AFB000-memory.dmp

            Filesize

            492KB

            Download

          • memory/3060-21-0x0000000000400000-0x0000000001400000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/4584-7-0x0000000033D20000-0x0000000033EC9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/4584-6-0x0000000077C34000-0x0000000077C35000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4584-4-0x0000000000400000-0x0000000001400000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/4584-5-0x0000000033B40000-0x0000000033BBB000-memory.dmp

            Filesize

            492KB

            Download

          • memory/4584-16-0x0000000033B40000-0x0000000033BBB000-memory.dmp

            Filesize

            492KB

            Download

          • memory/4908-17-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4908-10-0x0000000000400000-0x0000000000466000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4908-9-0x0000000077C34000-0x0000000077C35000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4908-18-0x00000000009F0000-0x0000000000B71000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4908-12-0x0000000000400000-0x0000000000466000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4908-14-0x0000000000400000-0x0000000000466000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4916-38-0x0000000000400000-0x0000000000466000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4916-29-0x0000000000400000-0x0000000000466000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4924-49-0x0000000000400000-0x0000000000466000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4924-50-0x0000000000AE0000-0x0000000000C61000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4924-53-0x0000000000400000-0x0000000000466000-memory.dmp

            Filesize

            408KB

            Download