MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0decfc6bc9d5edf330d4bd96fe56d2350c3065305b2f99d70e3ffd6b2ae78308. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FickerStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	0decfc6bc9d5edf330d4bd96fe56d2350c3065305b2f99d70e3ffd6b2ae78308
SHA3-384 hash:	d10c8d8f6f04612613a02d720308d513fc48546c67aff80da6217099b848dd0593732f9151e10ff4766a4bf06bc167ba
SHA1 hash:	e3b83775565c2423b6b2e9306e4f95adf96cd9a4
MD5 hash:	8190bc7269c65034e5709ee7bd726129
humanhash:	lactose-magnesium-georgia-triple
File name:	8190bc7269c65034e5709ee7bd726129.exe
Download:	download sample
Signature	FickerStealer Create hunting rule
File size:	350'208 bytes
First seen:	2021-03-20 08:21:09 UTC
Last seen:	2021-03-20 09:31:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c7f9f3f4681e672c59c53a0b16cf9e28 (2 x FickerStealer)
ssdeep	6144:wn/pbNlGnjaPOm9fUKRbNPVovsJLwPWobeTKjtszl3DkFyXaWy/BbtWcsKn2CxSj:wn/pbNkaPbf7/JuWobeTKjuzlFXaWGDO
Threatray	79 similar samples on MalwareBazaar
TLSH	D374DF9AFDC7E634DE074DF16914769C981AF810F52A9CFF21081B3ACDA55E4130EA3A
Reporter	abuse_ch
Tags:	exe FickerStealer

Intelligence

File Origin

# of uploads :

# of downloads :

267

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8190bc7269c65034e5709ee7bd726129.exe

Verdict:

Malicious activity

Analysis date:

2021-03-20 08:22:01 UTC

Tags:

evasion trojan ficker stealer

Link:

https://app.any.run/tasks/4dde5567-8cb9-4aea-9c14-921bdc1cc50c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/125763/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.63008.27949.21145.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

FickerStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2291fb93-3b93-4ea3-ac2c-a2ab1eeec8d5

Result

Threat name:

Unknown

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/646801

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Detected unpacking (creates a PE file in dynamic memory)

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0decfc6bc9d5edf330d4bd96fe56d2350c3065305b2f99d70e3ffd6b2ae78308/

Threat name:

Win32.Infostealer.Ficker

Status:

Malicious

First seen:

2021-03-20 08:22:05 UTC

AV detection:

23 of 47 (48.94%)

Threat level:

5/5

Verdict:

malicious

FickerStealer

0a05acba81358c991a65bec090a8d8be970ac43b60105736ae73ccc2ace00490

FickerStealer

3d132b91ad83f720371df1bc4e5879fffe0e7bd24aafb374f9f3eeb752f7441f

FickerStealer

508453fada299cf0300c709a42a613a86f8f728fa5fae070f600e5fa2400d73d

FickerStealer

55c76c4160faaf104652eb6da27dda571da4c92a1d4be2e17885c7d0ff3bcbc8

FickerStealer

7d9779fbd1bf96300874dfb62e5756308807a2c16a83de2a3f2edab794215946

FickerStealer

86995c6af264f6f9eeb381bbe0578ba59b3134a38b57345910bf958a222abf3b

FickerStealer

8e4f25ae17e2868391994dee1de589d93b6162b085a726f76bd5b848330dd44d

FickerStealer

94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1

FickerStealer

a6af404cb4c891c28895a5f311f6ead7c4007a5eb16b3be8c77630998a08895f

FickerStealer

+ 69 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/210320-45ebg1g9nj/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Reads local data of messenger clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

ec0e314c4f5a2e809f616671240cfaf19d3baabc38e3c9c9814df8eed386c39e

MD5 hash:

3c5abe92a4009d852babf4063d756822

SHA1 hash:

092e3407f109d76399080a3efb58d6326536eb84

Link:

https://www.unpac.me/results/ee57abff-564d-4d76-b831-cf0c9b0a0a3c/

SH256 hash:

0decfc6bc9d5edf330d4bd96fe56d2350c3065305b2f99d70e3ffd6b2ae78308

MD5 hash:

8190bc7269c65034e5709ee7bd726129

SHA1 hash:

e3b83775565c2423b6b2e9306e4f95adf96cd9a4

Link:

https://www.unpac.me/results/ee57abff-564d-4d76-b831-cf0c9b0a0a3c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0decfc6bc9d5edf330d4bd96fe56d2350c3065305b2f99d70e3ffd6b2ae78308

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.