Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2024 09:20

General

  • Target

    c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe

  • Size

    390KB

  • MD5

    562daf0dafe1eeed0d7b541d39136156

  • SHA1

    3b432a2b66cd8eb3837d7547ea3eb287f2b26574

  • SHA256

    c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb

  • SHA512

    62abb8de0a46f320161e393560748ffa6ed3f89fa342dbc41e429ae67c5c1248b7facc1e26e203a61131d84eda03de2612bc1f719a0525cbba03e37abac007ba

  • SSDEEP

    6144:WlztA+MRDqoqLgblVk9hXWADQk8kVh6OV5dVvQ7ceWJdpp00xsu:Wl++MRDsKlahPDQEVpvwWJ5fxsu

Malware Config

Extracted

Family

fickerstealer

C2

188.120.251.192:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
    "C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
      "C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\kaosdma.txt

    Filesize

    13B

    MD5

    907326301a53876360553d631f2775c4

    SHA1

    e900c12c18a7295611f3e2234bc68e8dc0501e06

    SHA256

    d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8

    SHA512

    435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa

  • memory/3504-1-0x0000000000700000-0x0000000000800000-memory.dmp

    Filesize

    1024KB

  • memory/3504-2-0x0000000000490000-0x00000000004D4000-memory.dmp

    Filesize

    272KB

  • memory/3628-3-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/3628-5-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/3628-6-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/3628-12-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB