Overview

Static analysis: score 10

Behavioral analysis (sample, platform, score):
app.exe        windows7-x64         10
app.exe        windows10-2004-x64   10
arnatic_2.exe  windows7-x64         10
arnatic_2.exe  windows10-2004-x64   10
arnatic_3.exe  windows7-x64         10
arnatic_3.exe  windows10-2004-x64   10
arnatic_4.exe  windows7-x64         7
arnatic_4.exe  windows10-2004-x64   9
arnatic_5.exe  windows7-x64         9
arnatic_5.exe  windows10-2004-x64   10
arnatic_6.exe  windows7-x64         10
arnatic_6.exe  windows10-2004-x64   10
arnatic_7.exe  windows7-x64         10
arnatic_7.exe  windows10-2004-x64   10
null.exe       windows7-x64         10
null.exe       windows10-2004-x64   10
Analysis: score 10

- max time kernel: 146s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 04-11-2024 14:34
Behavioral tasks (task, sample, resource):
behavioral1   app.exe        win7-20240903-en
behavioral2   app.exe        win10v2004-20241007-en
behavioral3   arnatic_2.exe  win7-20240903-en
behavioral4   arnatic_2.exe  win10v2004-20241007-en
behavioral5   arnatic_3.exe  win7-20241010-en
behavioral6   arnatic_3.exe  win10v2004-20241007-en
behavioral7   arnatic_4.exe  win7-20240903-en
behavioral8   arnatic_4.exe  win10v2004-20241007-en
behavioral9   arnatic_5.exe  win7-20240903-en
behavioral10  arnatic_5.exe  win10v2004-20241007-en
behavioral11  arnatic_6.exe  win7-20240903-en
behavioral12  arnatic_6.exe  win10v2004-20241007-en
behavioral13  arnatic_7.exe  win7-20241010-en
behavioral14  arnatic_7.exe  win10v2004-20241007-en
behavioral15  null.exe       win7-20241010-en
behavioral16  null.exe       win10v2004-20241007-en
General

- Target: null.exe
- Size: 445KB
- MD5: f3a5853a448abbe8b10144d11401d835
- SHA1: 3b1faf00ff991c603fd6c9b01ba1f01e535bf5d4
- SHA256: 91a7a0dd8930ad66fc44cac3720d7db83fda6f9902c967e47bec0d67cafc6631
- SHA512: 9c6b30a077859dfdc2e5d59d451096bc5089b3be8f44c7787cb4e82462789b50925964c2048ac7989699b47421622ed1d4c01507e56c87d7d5e83ef5253844cc
- SSDEEP: 12288:3kcf3zuGM5Zyc2YBXzziGlTA7W/+PzSYF6ey:3D3zuGMPA8TAvzuey
Malware Config

Extracted configuration (fickerstealer):
- bukkva.club:80
Signatures

- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
- Fickerstealer family
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 796 set thread context of 3036 | 796 | null.exe | 29
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | null.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | null.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 796 wrote to memory of 3036 | 796 | null.exe | 29
  (the same row appears 14 times in the report)
Processes

- C:\Users\Admin\AppData\Local\Temp\null.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\null.exe"
  PID: 796
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\null.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\null.exe"
    PID: 3036
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 13B
- MD5: 17bcf11dc5f1fa6c48a1a856a72f1119
- SHA1: 873ec0cbd312762df3510b8cccf260dc0a23d709
- SHA256: a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9
- SHA512: 9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25