Resubmissions
31-07-2024 09:17
240731-k84a5axckp 10Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system -
submitted
31-07-2024 09:17
Static task
static1
Behavioral task
behavioral1
Sample
c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
Resource
win10v2004-20240730-en
General
-
Target
c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
-
Size
390KB
-
MD5
562daf0dafe1eeed0d7b541d39136156
-
SHA1
3b432a2b66cd8eb3837d7547ea3eb287f2b26574
-
SHA256
c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb
-
SHA512
62abb8de0a46f320161e393560748ffa6ed3f89fa342dbc41e429ae67c5c1248b7facc1e26e203a61131d84eda03de2612bc1f719a0525cbba03e37abac007ba
-
SSDEEP
6144:WlztA+MRDqoqLgblVk9hXWADQk8kVh6OV5dVvQ7ceWJdpp00xsu:Wl++MRDsKlahPDQEVpvwWJ5fxsu
Malware Config
Extracted
fickerstealer
188.120.251.192:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exedescription pid Process procid_target PID 1384 set thread context of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exec04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exedescription pid Process procid_target PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85 PID 1384 wrote to memory of 4624 1384 c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4624
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13B
MD5907326301a53876360553d631f2775c4
SHA1e900c12c18a7295611f3e2234bc68e8dc0501e06
SHA256d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8
SHA512435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa