Analysis Overview
SHA256
4540480117da80ab268159e5ac07dae1e06818b5a17ee2adc7dfe83abec96ef1
Threat Level: Known bad
The file fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.zip was found to be: Known bad.
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-03-21 13:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 13:29
Reported
2023-03-21 13:31
Platform
win7-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1544 set thread context of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe | C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe
"C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe"
C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe
"C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.211:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
Files
memory/1528-56-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1528-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1544-58-0x0000000000480000-0x00000000004EC000-memory.dmp
memory/1528-59-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1528-60-0x0000000000400000-0x0000000000471000-memory.dmp
C:\ProgramData\gwegwe.txt
| MD5 | 0146b97f1bf748301734071d33706ba1 |
| SHA1 | 4fe8ed756a2e7d09499d962cb3ffd9a7d3e20495 |
| SHA256 | c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f |
| SHA512 | 34e2df58d22ddbc3b5d4355394232e71b8ec68c389d2a21d99981200ba80e3f90e4af3c56aef2d50b5042796d658e6ac9007450d4e32f0d8db43d167a59f0cfb |
memory/1528-66-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-21 13:29
Reported
2023-03-21 13:31
Platform
win10v2004-20230221-en
Max time kernel
153s
Max time network
158s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 860 set thread context of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe | C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe
"C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe"
C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe
"C:\Users\Admin\AppData\Local\Temp\fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.69.157.220:16577 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.155:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 155.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 11.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 52.182.143.210:443 | tcp | |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| NL | 20.190.160.22:443 | tcp | |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| NL | 20.190.160.22:443 | tcp | |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.132.255.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
| NL | 20.190.160.17:443 | tcp | |
| US | 8.8.8.8:53 | 55.154.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wejqwed.link | udp |
Files
memory/860-134-0x0000000000620000-0x000000000068C000-memory.dmp
memory/1428-135-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1428-137-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1428-138-0x0000000000400000-0x0000000000471000-memory.dmp
C:\ProgramData\gwegwe.txt
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/1428-144-0x0000000000400000-0x0000000000471000-memory.dmp