Analysis Overview
SHA256
c09d37e5458549e449d71b40a0e34bc97032dd00bcacb365e0ade893e4e35ec3
Threat Level: Known bad
The file 96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.zip was found to be: Known bad.
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-03-27 12:11
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-27 12:11
Reported
2023-03-27 12:13
Platform
win10v2004-20230220-en
Max time kernel
143s
Max time network
127s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 808 set thread context of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe | C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
"C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
"C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.155:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lukkeze.club | udp |
| US | 75.2.18.233:80 | lukkeze.club | tcp |
| US | 8.8.8.8:53 | 155.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.18.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| NL | 52.178.17.2:443 | | tcp |
| US | 8.248.3.254:80 | | tcp |
| US | 8.248.3.254:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 8.248.3.254:80 | | tcp |
Files
memory/4052-134-0x0000000000400000-0x0000000000447000-memory.dmp
memory/808-136-0x0000000002570000-0x00000000025B4000-memory.dmp
memory/4052-137-0x0000000000400000-0x0000000000447000-memory.dmp
memory/4052-138-0x0000000000400000-0x0000000000447000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/4052-144-0x0000000000400000-0x0000000000447000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-27 12:11
Reported
2023-03-27 12:13
Platform
win7-20230220-en
Max time kernel
141s
Max time network
125s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1368 set thread context of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe | C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
"C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe
"C:\Users\Admin\AppData\Local\Temp\96e013855d1c673cd9c3a756c455881122d9ec5930131956b1a807189a9a991d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.211:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | lukkeze.club | udp |
| US | 75.2.18.233:80 | lukkeze.club | tcp |
Files
memory/836-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/836-56-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1368-58-0x00000000002C0000-0x0000000000304000-memory.dmp
memory/836-59-0x0000000000400000-0x0000000000447000-memory.dmp
memory/836-60-0x0000000000400000-0x0000000000447000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 71d587e911373f62d72a158eceb6e0e7 |
| SHA1 | 68d81a1a4fb19c609288a94f10d1bbb92d972a68 |
| SHA256 | acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8 |
| SHA512 | a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060 |
memory/836-66-0x0000000000400000-0x0000000000447000-memory.dmp