Analysis Overview
| Field | Value |
| SHA256 | 8892935bec17053a8d64963a76d49b709a131e3f3a10ae72e8463b4e66bbd8ce |
| Threat Level | Known bad |
The file c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.zip was found to be: Known bad. The SHA256 above is that of the submitted archive; the executable run in the behavioral analyses below carries the same name with an .exe extension (see Processes).
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2023-03-21 13:28 |
Signatures
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2023-03-21 13:28 |
| Reported | 2023-03-21 13:31 |
| Platform | win7-20230220-en |
| Max time kernel | 156s |
| Max time network | 162s |
| Command Line | |
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1996 set thread context of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe | C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe |
Process and target are the same image: PID 1996 set the thread context of a second instance of the sample's own executable (PID 856), which is why the executable appears twice under Processes. Together with the WriteProcessMemory signature below, this is the combination seen in process hollowing, where a fresh copy of a process has its memory overwritten and its execution redirected through a new thread context; the repeated dumps of PID 856's 0x400000-0x471000 region under Files are consistent with that.
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe | "C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe" |
| C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe | "C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe" |
Two instances of the same executable, started with no arguments: the two PIDs (1996 and 856) named in the SetThreadContext signature above.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.76:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
Files
Memory dumps (size computed from the address range in the dump name):
| Dump | PID | Size |
| memory/856-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 856 | 0x1000 |
| memory/856-56-0x0000000000400000-0x0000000000471000-memory.dmp | 856 | 0x71000 |
| memory/1996-58-0x00000000002B0000-0x000000000031C000-memory.dmp | 1996 | 0x6C000 |
| memory/856-59-0x0000000000400000-0x0000000000471000-memory.dmp | 856 | 0x71000 |
| memory/856-60-0x0000000000400000-0x0000000000471000-memory.dmp | 856 | 0x71000 |
| memory/856-66-0x0000000000400000-0x0000000000471000-memory.dmp | 856 | 0x71000 |
Dropped file (written between dumps 60 and 66):
C:\ProgramData\wefwegge.txt
| Hash | Value |
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
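The SetThreadContext row, the two identical process entries and the memory-dump names above are three views of one event, and the same pattern recurs in the win10 run further down (PID 2012 and PID 1588). The script below is an added example, not part of the report or of the sandbox's tooling: it parses those three artifacts as they appear on this page and produces a single self-injection finding, counting how often the target's image-base region was dumped and which regions were dumped from the source process. The input is constructed from the behavioral1 tables; reading a dump name as memory/PID-index-start-end-memory.dmp is an assumption about the report's naming scheme, not something the page states.

```python
"""Correlate a sandbox report's SetThreadContext signature row, process list and
memory-dump names into one self-injection (process hollowing style) finding.

Added example, not part of the sandbox report. The constructed input copies the
behavioral1 run on the page; the memory/<pid>-<index>-<start>-<end>-memory.dmp
layout of the dump names is an assumption about the report format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

EXE = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe")

SET_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Dump:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_set_thread_context(description: str) -> tuple[int, int]:
    """'PID 1996 set thread context of 856' -> (1996, 856)."""
    m = SET_CTX_RE.search(description)
    if m is None:
        raise ValueError(f"not a SetThreadContext row: {description!r}")
    return int(m.group(1)), int(m.group(2))


def parse_dump_name(name: str) -> Dump:
    """Split a dump file name into PID, index and the dumped address range."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    return Dump(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def hollowing_findings(signature_rows, dump_names, image_base=0x400000):
    """Flag SetThreadContext rows whose source and target are the same image.

    signature_rows: (description, process_path, target_path) tuples as in the
    report's signature table. For each hit, count how many dumps of the target
    start at the image base (the region a hollowed copy gets overwritten in)
    and list the distinct regions dumped from the source process.
    """
    dumps = [parse_dump_name(n) for n in dump_names]
    findings = []
    for description, process_path, target_path in signature_rows:
        try:
            src, dst = parse_set_thread_context(description)
        except ValueError:
            continue  # not a SetThreadContext row
        if process_path.lower() != target_path.lower():
            continue  # injection into a foreign process is a different pattern
        target_image = [d for d in dumps if d.pid == dst and d.start == image_base]
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "image": process_path,
            "target_image_dumps": len(target_image),
            "target_image_size": target_image[0].size if target_image else None,
            "source_regions": sorted({(d.start, d.end) for d in dumps if d.pid == src}),
        })
    return findings


# Constructed from the behavioral1 tables on the page.
BEHAVIORAL1_SIGNATURES = [("PID 1996 set thread context of 856", EXE, EXE)]
BEHAVIORAL1_DUMPS = [
    "memory/856-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/856-56-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/1996-58-0x00000000002B0000-0x000000000031C000-memory.dmp",
    "memory/856-59-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/856-60-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/856-66-0x0000000000400000-0x0000000000471000-memory.dmp",
]

if __name__ == "__main__":
    for finding in hollowing_findings(BEHAVIORAL1_SIGNATURES, BEHAVIORAL1_DUMPS):
        print(finding)
```

Run against the behavioral1 data this reports one finding: PID 1996 into PID 856, four dumps of the 0x71000-byte image region of 856, and a single 0x6C000-byte region dumped from 1996. Feeding it the behavioral2 rows (PIDs 2012 and 1588) gives the same shape, which is the point of correlating rather than reading the signature in isolation.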
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2023-03-21 13:28 |
| Reported | 2023-03-21 13:31 |
| Platform | win10v2004-20230220-en |
| Max time kernel | 150s |
| Max time network | 148s |
| Command Line | |
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe | C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe |
Same pattern as the win7 run: PID 2012 set the thread context of a second instance of its own executable (PID 1588). The WriteProcessMemory signature below and the repeated dumps of PID 1588's 0x400000-0x471000 region under Files fit the same hollowing sequence.
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe | "C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe" |
| C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe | "C:\Users\Admin\AppData\Local\Temp\c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1.exe" |
Two instances of the same executable, started with no arguments: the two PIDs (2012 and 1588) named in the SetThreadContext signature above.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.76:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | 76.16.231.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 13.107.4.50:80 | | tcp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | ed2efjw.link | udp |
| US | 8.8.8.8:53 | | udp |
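Read row by row, the win10 network table buries the useful facts: ed2efjw.link is queried 29 times with no TCP connection attributed to it (consistent with the name not resolving, though the table does not record the DNS answers), the in-addr.arpa rows are reverse lookups, one of which (76.16.231.173.in-addr.arpa) is the reverse of the api.ipify.org address 173.231.16.76 the sample connected to, and the domain-less TCP rows are connections the sandbox could not tie to a query. The script below is an added example, not part of the report or its tooling, that pulls those facts out of rows in the table's Country, Destination, Domain, Proto layout. ROWS is a constructed excerpt of the table above: the 29 ed2efjw.link queries are generated rather than listed, and most of the in-addr.arpa rows are omitted.

```python
"""Triage a sandbox network table: count DNS queries per name, turn PTR names
back into the address they describe, and flag names that were queried but never
followed by a TCP connection attributed to them.

Added example, not part of the report. ROWS is a constructed excerpt of the
behavioral2 table on the page (Country, Destination, Domain, Proto).
"""
from __future__ import annotations

from collections import Counter, defaultdict


def ptr_name_to_ip(name: str) -> str | None:
    """'76.16.231.173.in-addr.arpa' -> '173.231.16.76'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows):
    dns_counts = Counter()            # forward name -> number of queries
    ptr_lookups = {}                  # IP -> PTR name that asked about it
    tcp_by_domain = defaultdict(set)  # name -> TCP destinations attributed to it
    unattributed_tcp = set()          # TCP destinations with an empty Domain column
    unattributed_dns = 0              # port-53 rows with an empty Domain column
    connected_hosts = set()

    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            if not domain:
                unattributed_dns += 1
            elif (ip := ptr_name_to_ip(domain)) is not None:
                ptr_lookups[ip] = domain
            else:
                dns_counts[domain] += 1
        elif proto == "tcp":
            connected_hosts.add(host)
            if domain:
                tcp_by_domain[domain].add(dest)
            else:
                unattributed_tcp.add(dest)

    return {
        "dns_query_counts": dict(dns_counts),
        # Names queried but never connected to: the ed2efjw.link pattern.
        "queried_never_connected": sorted(d for d in dns_counts if d not in tcp_by_domain),
        # Reverse lookups whose IP is one the sample actually connected to.
        "ptr_for_connected_ips": {ip: n for ip, n in ptr_lookups.items() if ip in connected_hosts},
        "unattributed_tcp": sorted(unattributed_tcp),
        "unattributed_dns": unattributed_dns,
    }


# Constructed excerpt of the behavioral2 network table.
ROWS = [
    ("US", "8.8.8.8:53", "api.ipify.org", "udp"),
    ("US", "173.231.16.76:80", "api.ipify.org", "tcp"),
    ("US", "8.8.8.8:53", "76.16.231.173.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "226.101.242.52.in-addr.arpa", "udp"),
    ("US", "93.184.220.29:80", "", "tcp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("US", "13.107.4.50:80", "", "tcp"),
    ("NL", "173.223.113.164:443", "", "tcp"),
    ("US", "8.8.8.8:53", "", "udp"),
] + [("US", "8.8.8.8:53", "ed2efjw.link", "udp")] * 29  # 29 such rows in the table

if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(f"{key}: {value}")
```

The split between attributed and unattributed TCP rows matters when reading this kind of table: the only connection the sandbox tied to a name the sample asked for is the api.ipify.org one, so the domain-less connections and the other reverse lookups cannot be pinned on the sample from the table alone.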
Files
Memory dumps (size computed from the address range in the dump name):
| Dump | PID | Size |
| memory/1588-134-0x0000000000400000-0x0000000000471000-memory.dmp | 1588 | 0x71000 |
| memory/2012-136-0x0000000004930000-0x000000000499C000-memory.dmp | 2012 | 0x6C000 |
| memory/1588-137-0x0000000000400000-0x0000000000471000-memory.dmp | 1588 | 0x71000 |
| memory/1588-143-0x0000000000400000-0x0000000000471000-memory.dmp | 1588 | 0x71000 |
| memory/1588-144-0x0000000000400000-0x0000000000471000-memory.dmp | 1588 | 0x71000 |
The source process region is 0x6C000 bytes in both runs (0x2B0000-0x31C000 in PID 1996 on win7, 0x4930000-0x499C000 in PID 2012 here), only its base differs.
Dropped file (written between dumps 137 and 143; hashes identical to the win7 run):
C:\ProgramData\wefwegge.txt
| Hash | Value |
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |