Analysis Overview
SHA256
c83c9155b3ebab58bbd40ed61624f8d8ddb9d1f87601d2dfa0f7b529a49800c6
Threat Level: Known bad
The file 42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.zip was found to be: Known bad.
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-03-21 13:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 13:28
Reported
2023-03-21 13:31
Platform
win7-20230220-en
Max time kernel
148s
Max time network
162s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1852 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
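What the SetThreadContext and WriteProcessMemory signatures describe together, read against the two identical Processes entries: the sample starts a second copy of its own image and PID 1852 then sets the thread context of PID 2032, a sequence consistent with process hollowing (the memory dumps of 2032 at 0x400000-0x471000 are the region a triager would unpack). The check below is an added example and is not part of the sandbox report or of the sample; it runs over event records constructed from the behavioral1 run and flags cross-process SetThreadContext calls whose target is a child running the same image. The parent link between 1852 and 2032, the WriteProcessMemory target and the self-targeted control event are assumptions, since the report prints the API names but not their arguments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Image path taken from the report's Processes list; both launches use it.
IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # assumed: the report does not print parent PIDs
    image: str


@dataclass(frozen=True)
class ApiEvent:
    api: str  # "SetThreadContext" or "WriteProcessMemory"
    source_pid: int
    target_pid: int


SET_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_set_thread_context(text: str) -> Optional[Tuple[int, int]]:
    """Turn the sandbox signature text into (source_pid, target_pid)."""
    m = SET_CTX_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_self_hollowing(procs: List[Proc], events: List[ApiEvent]) -> List[dict]:
    """Flag cross-process SetThreadContext calls whose target is a same-image
    child of the caller, corroborated where possible by WriteProcessMemory on
    the same pair: the shape of process hollowing (spawn self, overwrite the
    image, redirect the entry point via the thread context, resume)."""
    by_pid = {p.pid: p for p in procs}
    wpm_pairs = {(e.source_pid, e.target_pid)
                 for e in events if e.api == "WriteProcessMemory"}
    findings = []
    for e in events:
        if e.api != "SetThreadContext" or e.source_pid == e.target_pid:
            continue  # a process adjusting its own thread is not injection
        src, dst = by_pid.get(e.source_pid), by_pid.get(e.target_pid)
        if src is None or dst is None:
            continue
        reasons = []
        if dst.ppid == src.pid:
            reasons.append("target is a child of the caller")
        if dst.image.lower() == src.image.lower():
            reasons.append("target runs the same image as the caller")
        if (e.source_pid, e.target_pid) in wpm_pairs:
            reasons.append("caller also wrote into the target's memory")
        if reasons:
            findings.append({"source": e.source_pid, "target": e.target_pid,
                             "image": dst.image, "reasons": reasons})
    return findings


# Constructed from the behavioral1 run. PIDs 1852 and 2032 and the signature
# text are from the report; the parent link, the WriteProcessMemory target and
# the self-targeted control event are assumptions made for this example.
PROCS = [Proc(1852, None, IMAGE), Proc(2032, 1852, IMAGE)]
SRC, DST = parse_set_thread_context("PID 1852 set thread context of 2032")
EVENTS = [
    ApiEvent("WriteProcessMemory", 1852, 2032),
    ApiEvent("SetThreadContext", SRC, DST),
    ApiEvent("SetThreadContext", 2032, 2032),  # control: not cross-process
]

if __name__ == "__main__":
    for f in find_self_hollowing(PROCS, EVENTS):
        print(f"PID {f['source']} -> PID {f['target']} ({f['image']})")
        for r in f["reasons"]:
            print("  -", r)
```

On a host the same correlation is built from Sysmon Event ID 1 (ProcessCreate, parent and child with the same Image) followed by Event ID 10 (ProcessAccess from parent to child with a GrantedAccess mask that includes PROCESS_VM_WRITE 0x0020 and PROCESS_VM_OPERATION 0x0008); debuggers and some installers produce the same pair, so the same-image condition is what keeps the rule quiet.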
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.211:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
Files
memory/2032-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2032-56-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1852-58-0x0000000000330000-0x000000000039C000-memory.dmp
memory/2032-59-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2032-60-0x0000000000400000-0x0000000000471000-memory.dmp
C:\ProgramData\gwegwe.txt
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/2032-67-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-21 13:28
Reported
2023-03-21 13:31
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4108 set thread context of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe | C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe
"C:\Users\Admin\AppData\Local\Temp\42a3a11367f39f4b5dda0d40b1183330072f8d85c3d2e79e42c46489e7dcce1d.exe"
Network
| Country | Destination | Domain | Proto |
| IE | 20.54.89.15:443 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.211:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 211.62.237.104.in-addr.arpa | udp |
| NL | 20.123.141.233:443 | | tcp |
| US | 152.195.38.76:80 | | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 138.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 131.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 135.17.126.40.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 55.154.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 140.145.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
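Reading the behavioral2 Network table for indicators, as an added example that is not part of the report: the script below parses an excerpt of the rows above (Country, Destination, Domain, Proto, with the Domain cell empty where the sandbox could not attribute a TCP flow to a query), sets aside the PTR lookups, and separates domains that were resolved and contacted (api.ipify.org at 104.237.62.211:80) from domains queried repeatedly with no following TCP flow (fasdas.link). The excerpt and the classification thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Excerpt of rows from this report's behavioral2 Network table, constructed
# for the example; the Domain cell is empty for flows the sandbox could not
# tie to a preceding DNS query.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| IE | 20.54.89.15:443 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.211:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | 211.62.237.104.in-addr.arpa | udp |
| NL | 20.123.141.233:443 | | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 8.8.8.8:53 | fasdas.link | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | fasdas.link | udp |
"""


def parse_rows(table: str) -> List[dict]:
    """Parse the pipe-delimited table into row dicts; skips the header."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_reverse_lookup(domain: str) -> bool:
    """PTR queries the OS issues for addresses it already talked to."""
    return domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def triage(rows: List[dict]) -> Dict[str, object]:
    """Split the table into forward queries, contacted hosts, domains that
    were queried but never contacted, and TCP flows with no domain."""
    queries: Counter = Counter()
    reverse = 0
    contacted = defaultdict(set)
    unattributed = set()
    for r in rows:
        dest = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            if is_reverse_lookup(r["domain"]):
                reverse += 1
            else:
                queries[r["domain"]] += 1
        elif r["proto"] == "tcp":
            if r["domain"]:
                contacted[r["domain"]].add(dest)
            else:
                unattributed.add(dest)
    return {
        "queries": dict(queries),
        "reverse_lookups": reverse,
        "contacted": {d: sorted(v) for d, v in contacted.items()},
        "queried_never_contacted": sorted(d for d in queries if d not in contacted),
        "unattributed_tcp": sorted(unattributed),
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The PTR rows are reverse lookups for addresses already present in the table (15.89.54.20.in-addr.arpa is 20.54.89.15) and carry no indicator value on their own. fasdas.link appears in 28 DNS rows of the full behavioral2 table with no TCP flow attributed to it, which is consistent with the name not resolving at detonation time; it is a DNS-log indicator, not an IP one. The unattributed 80/443 flows are not tied to a query by the sandbox and should be compared against a clean win10v2004 baseline before being treated as sample traffic.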
Files
memory/756-134-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4108-136-0x00000000021B0000-0x000000000221C000-memory.dmp
memory/756-137-0x0000000000400000-0x0000000000471000-memory.dmp
memory/756-138-0x0000000000400000-0x0000000000471000-memory.dmp
C:\ProgramData\gwegwe.txt
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/756-144-0x0000000000400000-0x0000000000471000-memory.dmp