fickerstealer | 7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206

Analysis

max time kernel
154s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

793.8MB
MD5

9a851a47a9bd2f92c61d2486d1be3064
SHA1

3cda31c06db97246705d95dfcf4908eafb514b87
SHA256

7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206
SHA512

90340910dc1ee90ccfe7f451578de67c5ca32b95525157acd8b5bc2e99b9c0b2254bfb58997cc848a0ead871bc3f1e03dbb152d56aa709c4ecd3742404eec27b
SSDEEP

196608:6spHQk/ICYcdYtOQYMvm6Iu+8RuJQHIsuRuJyPquRuJXMD349nt3njto03qJbYav:6csCYgIBH2XD349nt3nW03s8up

Score

10^/10

fickerstealer discovery infostealer

Malware Config

Extracted

Family

fickerstealer

45.93.201.181:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

Processes:

vcredist_x64.exeSetup.exe

pid	Process
2564	vcredist_x64.exe
5116	Setup.exe

Loads dropped DLL 5 IoCs

Processes:

Setup.exe

pid	Process
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
22	api.ipify.org

Drops file in System32 directory 18 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	\??\c:\Windows\system32\atl100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfcm100u.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100cht.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100esn.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100kor.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100rus.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\msvcp100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100u.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100enu.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100fra.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100jpn.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\vcomp100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\msvcr100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfcm100.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100chs.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100deu.dll	msiexec.exe
File opened for modification	\??\c:\Windows\system32\mfc100ita.dll	msiexec.exe

Drops file in Windows directory 7 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	\??\c:\Windows\Installer\e592498.msp	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\e592498.msp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AD0.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25ED.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vcredist_x64.exeSetup.exeSetup.exeSetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

msiexec.exechrome.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133733286459314973"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\Patches\Patches = 3400440035003400300037003600430045004400340046003500420041003300320042004200440033004500350046004100440031004300440034004300390000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\FT_VCRedist_x64_KB2565063_Detection	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\KB2524860 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\KB2549743 = "Servicing_Key"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\KB2565063 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\KB2544655 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\4D54076CED4F5BA32BBD3E5FAD1CD4C9\SourceList\LastUsedSource = "n;2;c:\\c728de74af8038925d5363786ae8978b\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\4D54076CED4F5BA32BBD3E5FAD1CD4C9\SourceList\Net\2 = "c:\\c728de74af8038925d5363786ae8978b\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\Patches	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList\Net\2 = "c:\\c728de74af8038925d5363786ae8978b\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\VCRedist_amd64_enu	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\Patches\4D54076CED4F5BA32BBD3E5FAD1CD4C9 = ":SP1.1;:#SP1.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\ProductName = "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\Version = "167812379"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList\LastUsedSource = "n;2;c:\\c728de74af8038925d5363786ae8978b\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\4D54076CED4F5BA32BBD3E5FAD1CD4C9\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\4D54076CED4F5BA32BBD3E5FAD1CD4C9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exechrome.exeSetup.exemsiexec.exechrome.exe

pid	Process
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4652	Setup.exe
4520	chrome.exe
4520	chrome.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
5116	Setup.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid	Process
4