Analysis Overview
SHA256
1045b0b441c50d7268f9fbcc19a23093f9efae22c0fc006a28e11190f7115fa4
Threat Level: Known bad
The file 18419467094.zip was found to be: Known bad.
Malicious Activity Summary
Fickerstealer
Looks up external IP address via web service
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-31 09:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 09:17
Reported
2024-07-31 09:19
Platform
win7-20240708-en
Max time kernel
140s
Max time network
120s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2328 set thread context of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
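Taken together, the signatures above (PID 2328 setting the thread context of PID 2976, plus WriteProcessMemory) and the process tree (the sample launching a second copy of its own image) describe self-hollowing: the parent starts a child from the same binary, overwrites its memory and redirects a thread into the new code. The Python below is an added example, not part of this sandbox report, that runs that correlation over constructed, Sysmon-like events modelled on the behavioral1 run. The event schema, the parent PID 1000 and the debugger/myapp control case are assumptions.

```python
"""Flag the self-injection pattern recorded in this report: a process spawns a
second copy of its own image, then calls WriteProcessMemory and SetThreadContext
on that child. Added example; the event shape is a constructed simplification."""

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe")

# Constructed telemetry modelled on the behavioral1 run (PID 2328 -> 2976).
# Parent PID 1000 and the debugger/myapp pair are assumptions, not report data.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2328, "ppid": 1000, "image": SAMPLE_IMAGE},
    {"type": "process_create", "pid": 2976, "ppid": 2328, "image": SAMPLE_IMAGE},
    {"type": "api", "api": "WriteProcessMemory", "pid": 2328, "target_pid": 2976},
    {"type": "api", "api": "SetThreadContext", "pid": 2328, "target_pid": 2976},
    # Benign control: a debugger using the same APIs on a child of a different image.
    {"type": "process_create", "pid": 4000, "ppid": 1000, "image": r"C:\Tools\debugger.exe"},
    {"type": "process_create", "pid": 4001, "ppid": 4000, "image": r"C:\Tools\myapp.exe"},
    {"type": "api", "api": "WriteProcessMemory", "pid": 4000, "target_pid": 4001},
    {"type": "api", "api": "SetThreadContext", "pid": 4000, "target_pid": 4001},
]

INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext"}


def build_process_table(events):
    """Map pid -> (ppid, lower-cased image path) from process_create events."""
    return {e["pid"]: (e["ppid"], e["image"].lower())
            for e in events if e["type"] == "process_create"}


def detect_self_injection(events):
    """Return one finding per (source, target) pair where the source spawned the
    target from its own image and then used both injection APIs against it."""
    procs = build_process_table(events)
    seen = {}
    for e in events:
        if e["type"] != "api" or e["api"] not in INJECTION_APIS:
            continue
        src, dst = e["pid"], e["target_pid"]
        if src == dst or src not in procs or dst not in procs:
            continue
        dst_ppid, dst_image = procs[dst]
        if dst_ppid != src or dst_image != procs[src][1]:
            continue  # not a self-spawned copy of the same binary
        seen.setdefault((src, dst), set()).add(e["api"])
    return [
        {"source_pid": s, "target_pid": t, "image": procs[t][1], "apis": sorted(apis)}
        for (s, t), apis in seen.items() if apis == INJECTION_APIS
    ]


if __name__ == "__main__":
    for f in detect_self_injection(SAMPLE_EVENTS):
        print(f"PID {f['source_pid']} hollowed its own child PID {f['target_pid']}: "
              f"{', '.join(f['apis'])} on {f['image']}")
```

The same-image check is what keeps the debugger case quiet; it is tuned to the self-copy variant seen in this run. A sample that hollows a legitimate system binary instead of itself would need the check relaxed to "child created by the injecting process" and some other discriminator, such as a suspended-thread creation, to hold the false-positive rate.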
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| RU | 188.120.251.192:80 | | tcp |
Files
memory/2976-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2328-5-0x00000000003B0000-0x00000000003F4000-memory.dmp
memory/2328-4-0x00000000002F0000-0x0000000000316000-memory.dmp
memory/2976-3-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2976-7-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2976-8-0x0000000000400000-0x0000000000447000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 907326301a53876360553d631f2775c4 |
| SHA1 | e900c12c18a7295611f3e2234bc68e8dc0501e06 |
| SHA256 | d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8 |
| SHA512 | 435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa |
memory/2976-14-0x0000000000400000-0x0000000000447000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 09:17
Reported
2024-07-31 09:19
Platform
win10v2004-20240730-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Fickerstealer
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1384 set thread context of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe
"C:\Users\Admin\AppData\Local\Temp\c04433797667c205da21d0b783bdbbbd6ba3ca3d62f43f6e7e911ccdf09007cb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| RU | 188.120.251.192:80 | | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.251.120.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/1384-1-0x0000000000740000-0x0000000000840000-memory.dmp
memory/1384-2-0x0000000000560000-0x00000000005A4000-memory.dmp
memory/4624-3-0x0000000000400000-0x0000000000447000-memory.dmp
memory/4624-5-0x0000000000400000-0x0000000000447000-memory.dmp
memory/4624-6-0x0000000000400000-0x0000000000447000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 907326301a53876360553d631f2775c4 |
| SHA1 | e900c12c18a7295611f3e2234bc68e8dc0501e06 |
| SHA256 | d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8 |
| SHA512 | 435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa |
memory/4624-12-0x0000000000400000-0x0000000000447000-memory.dmp