Analysis Overview
SHA256
f5f542f8ee99e8d6fd8273cbd8142f5a5d6a1076b25cd6157b12274b81f333da
Threat Level: Known bad
The file 58d1e777704216e668537c6db64d0178d44071736ed966eb3fc88bc05e6840c3.zip was found to be: Known bad.
Malicious Activity Summary
Fickerstealer family
Fickerstealer
Looks up external IP address via web service
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-03-21 13:28
Signatures
Fickerstealer family
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 13:28
Reported
2023-03-21 13:31
Platform
win7-20230220-en
Max time kernel
150s
Max time network
160s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\58d1e777704216e668537c6db64d0178d44071736ed966eb3fc88bc05e6840c3.exe
"C:\Users\Admin\AppData\Local\Temp\58d1e777704216e668537c6db64d0178d44071736ed966eb3fc88bc05e6840c3.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.76:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | blogsme.link | udp |
Files
C:\ProgramData\fasfvv.txt
| Hash | Value |
| --- | --- |
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/608-59-0x0000000000400000-0x0000000000468000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-21 13:28
Reported
2023-03-21 13:31
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\58d1e777704216e668537c6db64d0178d44071736ed966eb3fc88bc05e6840c3.exe
"C:\Users\Admin\AppData\Local\Temp\58d1e777704216e668537c6db64d0178d44071736ed966eb3fc88bc05e6840c3.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 152.195.38.76:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.76:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| IE | 20.190.159.23:443 | | tcp |
| US | 152.195.38.76:80 | | tcp |
| US | 152.195.38.76:80 | | tcp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 64.185.227.155:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | 155.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| NL | 13.69.109.130:443 | | tcp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | 11.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | 154.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | 126.132.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blogsme.link | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1536-133-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\7WM1EQLA.txt
| Hash | Value |
| --- | --- |
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/1536-140-0x0000000000400000-0x0000000000468000-memory.dmp