fickerstealer | 1045b0b441c50d7268f9fbcc19a23093f9efae22c0fc006a28e11190f7115fa4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31/07/2024, 09:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
Size

390KB
MD5

562daf0dafe1eeed0d7b541d39136156
SHA1

3b432a2b66cd8eb3837d7547ea3eb287f2b26574
SHA256

c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb
SHA512

62abb8de0a46f320161e393560748ffa6ed3f89fa342dbc41e429ae67c5c1248b7facc1e26e203a61131d84eda03de2612bc1f719a0525cbba03e37abac007ba
SSDEEP

6144:WlztA+MRDqoqLgblVk9hXWADQk8kVh6OV5dVvQ7ceWJdpp00xsu:Wl++MRDsKlahPDQEVpvwWJ5fxsu

Score

10^/10

fickerstealer discovery infostealer

Malware Config

Extracted

Family

fickerstealer

188.120.251.192:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85
PID 3504 wrote to memory of 3628	3504	c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe	85

C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
  "C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3628

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0E0F063B65846F1B0E7D12F6643F6EFA; domain=.bing.com; expires=Mon, 25-Aug-2025 09:20:11 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EC94BA24A4D9453F81D2ABCAC0B01444 Ref B: LON04EDGE0910 Ref C: 2024-07-31T09:20:11Z
date: Wed, 31 Jul 2024 09:20:10 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0E0F063B65846F1B0E7D12F6643F6EFA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=dduAHtTdTpEnmE6ii-t43QySOQwUdW2kLJScI5WOzbE; domain=.bing.com; expires=Mon, 25-Aug-2025 09:20:11 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F77E4E87E9864AE098735FCDF91CA95C Ref B: LON04EDGE0910 Ref C: 2024-07-31T09:20:11Z
date: Wed, 31 Jul 2024 09:20:10 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0E0F063B65846F1B0E7D12F6643F6EFA; MSPTC=dduAHtTdTpEnmE6ii-t43QySOQwUdW2kLJScI5WOzbE

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0AD17DDE9D854FE18681A9ACE70B08E8 Ref B: LON04EDGE0910 Ref C: 2024-07-31T09:20:11Z
date: Wed, 31 Jul 2024 09:20:11 GMT
DNS

api.ipify.org

c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN A

172.67.74.152

api.ipify.org

IN A

104.26.12.205

api.ipify.org

IN A

104.26.13.205
GET

http://api.ipify.org/?format=xml

c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe

Remote address:

172.67.74.152:80

Request

GET /?format=xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: api.ipify.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 31 Jul 2024 09:20:11 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8abc82d7afdc951d-LHR
DNS

20.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.177.190.20.in-addr.arpa

IN PTR

Response
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

152.74.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.74.67.172.in-addr.arpa

IN PTR

Response
DNS

192.251.120.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.251.120.188.in-addr.arpa

IN PTR

Response

192.251.120.188.in-addr.arpa

IN PTR

serovaolgfvdsru
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1970627466fc41608aaba38282893d9a&localId=w:50499107-7B11-00CF-583F-9E70DD597E52&deviceId=6896205211204188&anid=

HTTP Response

204
172.67.74.152:80

http://api.ipify.org/?format=xml

http

c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe

559 B
401 B
6
4

HTTP Request

GET http://api.ipify.org/?format=xml

HTTP Response

200
188.120.251.192:80

c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe

144 B
92 B
3
2

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

api.ipify.org

dns

c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe

59 B
107 B
1
1

DNS Request

api.ipify.org

DNS Response

172.67.74.152

104.26.12.205

104.26.13.205
8.8.8.8:53

20.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.177.190.20.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

152.74.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

152.74.67.172.in-addr.arpa
8.8.8.8:53

192.251.120.188.in-addr.arpa

dns

74 B
105 B
1
1

DNS Request

192.251.120.188.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kaosdma.txt

Filesize
13B

MD5
907326301a53876360553d631f2775c4

SHA1
e900c12c18a7295611f3e2234bc68e8dc0501e06

SHA256
d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8

SHA512
435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa

Download Submit
memory/3504-1-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/3504-2-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/3628-3-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3628-5-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3628-6-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3628-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.