fickerstealer | fbff39937b838ac6f56ac14968e4e95d5a9ec566f5b2ca8585e14a5a0f91e3d8

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c31ea226cf3dcd210ebff9e46828170N.exe
Size

377KB
MD5

9c31ea226cf3dcd210ebff9e46828170
SHA1

fff872ddebbbe45628bfc44416e1bf7d989163d6
SHA256

fbff39937b838ac6f56ac14968e4e95d5a9ec566f5b2ca8585e14a5a0f91e3d8
SHA512

3b8702c80125b3ef7320fd3e50aac1ebec64cd5a2f1cc3547dd9bc3ccfcee67c21e50c2529369704af49b9c37ec7be41d9734882eed7682124053e8b7000f05d
SSDEEP

6144:P1mOdykKG1ntO5nl4R64yQ5Htn0z02dNx+bZ2okKkV4ri9v0IemQ7idv5TuZC2oY:9rydSntO5l4R+sexwbIokKkV4m9cIm8O

Score

10^/10

fickerstealer discovery infostealer

Malware Config

Extracted

Family

fickerstealer

185.234.247.233:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2532 set thread context of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c31ea226cf3dcd210ebff9e46828170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c31ea226cf3dcd210ebff9e46828170N.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30
PID 2532 wrote to memory of 2588	2532	9c31ea226cf3dcd210ebff9e46828170N.exe	30

C:\Users\Admin\AppData\Local\Temp\9c31ea226cf3dcd210ebff9e46828170N.exe
"C:\Users\Admin\AppData\Local\Temp\9c31ea226cf3dcd210ebff9e46828170N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\9c31ea226cf3dcd210ebff9e46828170N.exe
  "C:\Users\Admin\AppData\Local\Temp\9c31ea226cf3dcd210ebff9e46828170N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kaosdma.txt

Filesize
13B

MD5
907326301a53876360553d631f2775c4

SHA1
e900c12c18a7295611f3e2234bc68e8dc0501e06

SHA256
d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8

SHA512
435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa

Download Submit
memory/2532-2-0x0000000000270000-0x00000000002B5000-memory.dmp

Filesize
276KB

Download
memory/2532-1-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2588-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2588-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2588-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2588-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download