Overview

overview

10

Static

static

10

app.exe

windows7-x64

10

app.exe

windows10-2004-x64

10

arnatic_2.exe

windows7-x64

10

arnatic_2.exe

windows10-2004-x64

10

arnatic_3.exe

windows7-x64

10

arnatic_3.exe

windows10-2004-x64

7

arnatic_4.exe

windows7-x64

9

arnatic_4.exe

windows10-2004-x64

9

arnatic_5.exe

windows7-x64

10

arnatic_5.exe

windows10-2004-x64

10

arnatic_6.exe

windows7-x64

10

arnatic_6.exe

windows10-2004-x64

10

arnatic_7.exe

windows7-x64

10

arnatic_7.exe

windows10-2004-x64

10

null.exe

windows7-x64

10

null.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2024 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    null.exe

  • Size

    445KB

  • MD5

    f3a5853a448abbe8b10144d11401d835

  • SHA1

    3b1faf00ff991c603fd6c9b01ba1f01e535bf5d4

  • SHA256

    91a7a0dd8930ad66fc44cac3720d7db83fda6f9902c967e47bec0d67cafc6631

  • SHA512

    9c6b30a077859dfdc2e5d59d451096bc5089b3be8f44c7787cb4e82462789b50925964c2048ac7989699b47421622ed1d4c01507e56c87d7d5e83ef5253844cc

  • SSDEEP

    12288:3kcf3zuGM5Zyc2YBXzziGlTA7W/+PzSYF6ey:3D3zuGMPA8TAvzuey

Score
10/10
fickerstealerdiscoveryinfostealer

Malware Config

Extracted

Family

fickerstealer

C2

bukkva.club:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • Fickerstealer family
    fickerstealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\null.exe
    "C:\Users\Admin\AppData\Local\Temp\null.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Users\Admin\AppData\Local\Temp\null.exe
      "C:\Users\Admin\AppData\Local\Temp\null.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\kaosdma.txt
    Filesize

    13B

    MD5

    17bcf11dc5f1fa6c48a1a856a72f1119

    SHA1

    873ec0cbd312762df3510b8cccf260dc0a23d709

    SHA256

    a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9

    SHA512

    9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

    Download Submit

  • memory/796-4-0x0000000000220000-0x0000000000264000-memory.dmp

    Filesize

    272KB

    Download

  • memory/796-6-0x0000000000D50000-0x0000000000E50000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3036-3-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/3036-7-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/3036-8-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/3036-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3036-14-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download