fickerstealer | f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96

General

Target

Setup (password is THEPIRATEBAY007).zip
Size

5.1MB
MD5

5a7b05af6be77d411d38e4b9603de6fb
SHA1

890c2441287979341aea951ff1dd0e4e692493bf
SHA256

f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96
SHA512

ff24593ff5703675fd41c53acb35e6e36cf33baa660e23a005287eab482c6e79a0cd922efb2b82a6cdec3b8b425f6aeb37f71340b0cbca6ecc2f70475b4c3b2e
SSDEEP

98304:Qay8P3DkDOgkjEBA43Or6uDfilxC0v+3ECjIir05+JKe5G6tZTaD027+mo:Qay8/6vDBAuOr6kYp+tEK6eKe5GoZF2k

Score

10^/10

fickerstealer discovery infostealer

Malware Config

Extracted

Family

fickerstealer

C2

45.93.201.181:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Fickerstealer family
fickerstealer

Executes dropped EXE 2 IoCs

pid	Process
3620	Setup.exe
336	Setup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3620	Setup.exe
3936	7zFM.exe
3936	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3936	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3936	7zFM.exe
Token: 35	3936	7zFM.exe
Token: SeSecurityPrivilege	3936	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3936	7zFM.exe
3936	7zFM.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 3620	3936	7zFM.exe	81
PID 3936 wrote to memory of 3620	3936	7zFM.exe	81
PID 3936 wrote to memory of 3620	3936	7zFM.exe	81
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84
PID 3620 wrote to memory of 336	3620	Setup.exe	84

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007).zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\7zO06F29587\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO06F29587\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\7zO06F29587\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO06F29587\Setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\krosqm.txt

Filesize
13B

MD5
17bcf11dc5f1fa6c48a1a856a72f1119

SHA1
873ec0cbd312762df3510b8cccf260dc0a23d709

SHA256
a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9

SHA512
9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

Download Submit
memory/336-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/336-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/336-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/336-24-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3620-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing