fickerstealer | 7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

793.8MB
MD5

9a851a47a9bd2f92c61d2486d1be3064
SHA1

3cda31c06db97246705d95dfcf4908eafb514b87
SHA256

7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206
SHA512

90340910dc1ee90ccfe7f451578de67c5ca32b95525157acd8b5bc2e99b9c0b2254bfb58997cc848a0ead871bc3f1e03dbb152d56aa709c4ecd3742404eec27b
SSDEEP

196608:6spHQk/ICYcdYtOQYMvm6Iu+8RuJQHIsuRuJyPquRuJXMD349nt3njto03qJbYav:6csCYgIBH2XD349nt3nW03s8up

Score

10^/10

fickerstealer infostealer

Malware Config

Extracted

Family

fickerstealer

45.93.201.181:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org

flow	ioc
3	api.ipify.org

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Setup.exe

pid	process
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe
2024	Setup.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Setup.exe

pid process

2024 Setup.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Setup.exe

description	pid	process	target process
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe
PID 2024 wrote to memory of 2180	2024	Setup.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\krosqm.txt
Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\Desktop\CloseComplete.txt
Filesize
396KB

MD5
e38a8cc6024a645e11994f5657fd6d3f

SHA1
dce3faeab95e60bb32e9e070d3bc6bbb7c742609

SHA256
9c83ec3ffb33a93a35da297f01734fc0ee26e62504b928ae4283e0fe7bfe2517

SHA512
029009477fcb92749d876b44a30a0616f418747b87ff4cdb9d3a9ae4d6eb85abac9ce0e4c009c3371ccf7e8bc15903d4d6682a91bacef50676b4a0a3ccc9c7f7

Download Submit
C:\Users\Admin\Desktop\CompleteDisable.vbs
Filesize
227KB

MD5
913449e33e245600d9546bba07ea7966

SHA1
52f1331ff44ec8810508f1cdaa61b53fc2aa6a66

SHA256
79f715410f9d6936cde3ebd94f06fb499d1462ad91f3b1ee818f9f44bc177c57

SHA512
1370816f85b3651f2c1bac11121a55ab5ada4dce5bf52a9078c449ddbf9465afea6829f98c192b3fb37722dc980016baf9efb548c5560c6bf744e9f180981f47

Download Submit
C:\Users\Admin\Desktop\DebugShow.potx
Filesize
412KB

MD5
2890238107d4165c0e13afda44549e9a

SHA1
df87be98d35644081810d73aff5168ecd6e2890a

SHA256
c61ea91883f9c74db177a2129ff9a2e65e21b215b47a270d2a2dd5b507f82635

SHA512
361ea96d0dc9a6bc1b59825ffc460bf5ac14c0e2158d236c075ec184151be9dbd914d6e55afe2e72846722282380d76acfd30fb4cb9db65bd087010b5f3a2f9b

Download Submit
C:\Users\Admin\Desktop\InstallBlock.svg
Filesize
261KB

MD5
0ac170f5e3c8043899c8389219345e7c

SHA1
6fd9c957ef5aa0ba75827362ec75923f8ff73157

SHA256
f73bf3e4ff66dfaf6af1b136ddeafb4f3a59ec063e7cd4a6129bc14384ddb61a

SHA512
f75cf92b107285b5921eb850a4778d6334089c57698c67d560d10c309d18cc05e3ad49e3ce40a5a0d29c06e44c52df30f623c0a9cbb3498955f58e9b597263ce

Download Submit
C:\Users\Admin\Desktop\InstallSend.tif
Filesize
429KB

MD5
86ef8c41e14cf460f1fb65e501bbc814

SHA1
57778dc24d496ddf70464645fe27eba7904b8733

SHA256
645ec06c38d454562227b817b7c0d621905095648bc8f05ce12d3f3331547418

SHA512
325c485bd689eff65e0d4e1cb77b2785ba71926963c4003b50af35b3d69ac94a2d2d861e430903d21b25036724eae03a52c67aeef51251b3995a4a3208ef5f6a

Download Submit
C:\Users\Admin\Desktop\JoinShow.3g2
Filesize
362KB

MD5
b8045e9b600c6848c23d6fa1a64e39f5

SHA1
cc3d33f147a4ffdfa0e173d9d9e079d1aec342bb

SHA256
e4b04d20da998097b987d8f56e2509f00a87dae0e6752800289393e16de956a7

SHA512
241e14ed446e0595e7ebca9a63f4e78d10b38d2765b9172e7396f44b5c1a5c4faec925e6694514752a091d09dc1bf6ca95d5f51e9070033aece061dd4239e2f7

Download Submit
C:\Users\Admin\Desktop\ReadUpdate.htm
Filesize
632KB

MD5
b383e879b4eca7ce0223fc8a748b2548

SHA1
c7926f4c3c2002d8013facaaf176ef6e796d6c50

SHA256
d357e931b1e1d36203c669271782acb0f048070b017aa9d49c8c1c455a6a9ce7

SHA512
3db4fb7230d2824ef32b57607d13e00afbc3859fdd41aef78c0b8440f93a1b5e1b350fe5d19866972c5307f609dd19e90ce8fbc8cd58cf4020402ea0864d440d

Download Submit
C:\Users\Admin\Desktop\ReceivePublish.dib
Filesize
514KB

MD5
379e90ed332d05dcb879fee2d81d13a1

SHA1
e50f60e5a2526e6e4ea457c660fa510d0df641b2

SHA256
f1ac23d3930fb7073f2441d4da58f9488320aa3090f0292871067bdfc8c9eb6b

SHA512
eee3ace817042105579f88448056efc98d112bd0e1c53fed6a1ba07f264749738635c7cec156fbf6fecb5ccf7857b2d50edc3403d32083c770f17bc1f1ef19af

Download Submit
C:\Users\Admin\Desktop\RedoWatch.tif
Filesize
294KB

MD5
cac73728bdbdc3813c3b7cf08c37c177

SHA1
ce9ebb1fe771b6bf859ca6dcd720a4aeb4993208

SHA256
59ed93253107fd834818fd2060e79e645c34f62aacba910e4167e2382bff9fba

SHA512
d11785b6825fc078f42424fea9c2965295985d93e83212dbb272691172cc699288fa14f62fc949c4b64614885033a4919f86ece7ff0221982759d9e4062c8e4e

Download Submit
C:\Users\Admin\Desktop\SplitExit.temp
Filesize
547KB

MD5
661abcada3237e7d70851d125c765d57

SHA1
4e397cf9cbb0e9492c23811d90af3552920a9667

SHA256
4dd61a604be7b4d4ecc458babe54380b87b0c2a1181ae36068e7816ea6fd0a07

SHA512
9b7924bf4c22a00cf3716bd1355e91fd28aaac1e20563afd50a9da4ce3f0d481eb513089be370c12dad195c767fecccf104590702f041ab9f78612cab82ee2ed

Download Submit
C:\Users\Admin\Desktop\SplitRedo.raw
Filesize
328KB

MD5
f8c19cb556f76ab826efb96c977f03e5

SHA1
1d57af933434c4fd885aed93868286f6937790df

SHA256
107c86010fda6e37c43d3c300a9d981be473515bce9e1137af221619b28c2794

SHA512
05aed5101714e1291f2089a4be74660dc85f6e08ba06398df14f0eb9406699cb874e2bc776aad327ccc9a98d81b6ea2a6cbcc1400da2b35a0c636dcc04adb696

Download Submit
C:\Users\Admin\Desktop\SplitRestart.asf
Filesize
530KB

MD5
6f8a77026e4bc4cf453263d8336725c2

SHA1
24bf33e19123c114c33d12f77e886d8043139687

SHA256
cad602e8d59eb919737a42d91cdfb875280b534730ccfa486415a6eaa94bb04b

SHA512
2c4dc7ba0bac37db051a2449744cfb7e16e236288c1ccc5df75ed43229da8aaca97cfe2b95f19258b22b89fa855a756be36bf4f90d8893b993542e08b71fd251

Download Submit
C:\Users\Admin\Desktop\UnlockImport.aif
Filesize
244KB

MD5
132753882d41bc55ab51e0ac2f66a763

SHA1
d539bbb4aa8226e36b3c33c12c21f0ef60bb1d1b

SHA256
7f3f93c3de67ab07522b2c17c9e2fe1d32c73b73e60accdc46fc0cc4cd951a66

SHA512
1265229c55d5eab6f6b014ea54ae69b091abee3452f607a084654deef6b05c3b50f01ea11d463f83fe7fef3d5b20c31bd250f661c53b4e428b8fa78d1b9869ef

Download Submit
memory/2024-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2180-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2180-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2180-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download