MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12bb8ed4385c0e52f3e43b54a87f1ce80c829e3de44e1586dfabfedccf67ec2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FickerStealer
Vendor detections: 10

SHA256 hash: 12bb8ed4385c0e52f3e43b54a87f1ce80c829e3de44e1586dfabfedccf67ec2b
SHA3-384 hash: 87fd22fca1ed18932b9d2068e0ead404e38371b0ffde6a636c1390d4e8481a50805992312291573eff6259b7293795f3
SHA1 hash: 68c6474188f587dcc146898543e564566b646d82
MD5 hash: b73194a81a9a57c97c6615faef5c4415
humanhash: snake-hawaii-berlin-echo
File name: mixsix_20211008-150045
Signature: FickerStealer
File size: 444'940 bytes
First seen: 2021-10-08 13:37:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4f9c7d0d3671483fa7b1247d926d59c4 (3 x RaccoonStealer, 2 x Smoke Loader, 1 x FickerStealer)
ssdeep: 6144:9BshZeNLwDLlKC0uv292QxV8bKkSwnrYAYMW0rLAb56dpLN4XQKJ3:rAsNUKW0TxmtrzYMW0rw3
Threatray: 264 similar samples on MalwareBazaar
TLSH: T1F1948E6064F82C25EF8E227D489B9356973E7E505A33C3D34635A5B5CF532C3EA68382
dhash icon: a1bcdcac9cccb484 (6 x RedLineStealer, 5 x RaccoonStealer, 3 x ArkeiStealer)
Reporter: benkow_
Tags: exe FickerStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 405
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: mixsix_20211008-150045
Verdict: Malicious activity
Analysis date: 2021-10-08 13:41:44 UTC
Tags: evasion trojan ficker stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Threat name: Ficker Stealer Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Costura Assembly Loader
Yara detected Ficker Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID 499548, sample mixsix_20211008-150045, start date 08/10/2021, architecture WINDOWS, score 100.
Sample-level detections: Yara detected Ficker Stealer; Yara detected Vidar stealer; Machine Learning detection for sample; Yara detected Costura Assembly Loader.

Process tree with per-process network contacts, dropped files and triggered signatures:
mixsix_20211008-150045.exe
  Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  -> mixsix_20211008-150045.exe (child process of the same name)
     Contacts 80.249.148.176 (SELECTELRU, Russian Federation), 8.8.8.8 (GOOGLEUS, United States), 54.243.253.71 (AMAZON-AESUS, United States)
     Drops C:\Users\user\AppData\...\1633737745809.exe (PE32) and C:\Users\user\AppData\...\1633737744714.exe (PE32)
     Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal Bitcoin Wallet information
     -> 1633737744714.exe
        Drops C:\Users\user\AppData\Roaming\...\hvytube.exe (PE32)
        Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
        -> hvytube.exe
           Contacts 104.222.176.202 (SEABONE-NETTELECOMITALIASPARKLESpAIT, United States), 140.82.121.3 (GITHUBUS, United States), 3 other IPs or domains
           Drops C:\Users\user\AppData\Roaming\...\firefox.exe (PE32+), C:\Users\user\...\ICSharpCode.SharpZipLib.dll (PE32), C:\Users\user\AppData\Roaming\...\xul.dll (PE32+), 55 other files (none is malicious)
           Drops executable to a common third party application directory
     -> 1633737745809.exe
        Contacts 185.251.89.116 (SPRINTHOSTRU, Russian Federation)
        Tries to harvest and steal browser information (history, passwords, etc)
        -> WerFault.exe
           Contacts 20.189.173.22 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
hvytube.exe (separate instance, started from the root node of the graph)
  Contacts 140.82.121.4 (GITHUBUS, United States)
hvytube.exe (separate instance, started from the root node of the graph)
  Contacts 13.226.145.123 (AMAZON-02US, United States), 13.226.145.84 (AMAZON-02US, United States), 192.168.2.1 (unknown)
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-10-08 13:38:04 UTC
AV detection: 18 of 27 (66.67%)
Threat level: 5/5
Result
Malware family: fickerstealer
Score: 10/10
Tags: family:arkei family:fickerstealer discovery infostealer persistence spyware stealer suricata
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Arkei Stealer Payload
Arkei
Fickerstealer
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
Malware Config
C2 Extraction: game2030.site:80
Unpacked files
SHA256 hash: 12bb8ed4385c0e52f3e43b54a87f1ce80c829e3de44e1586dfabfedccf67ec2b
MD5 hash: b73194a81a9a57c97c6615faef5c4415
SHA1 hash: 68c6474188f587dcc146898543e564566b646d82
Please note that we are no longer able to provide a coverage score for VirusTotal.
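The indicators on this page, turned into a small triage pass over endpoint telemetry. This is an added example for this entry, not code from MalwareBazaar, the reporter or any of the sandboxes quoted above. It covers both the hash and C2 indicators from the Malware Config / Unpacked files block and the "Adds Run key to start application" and "Drops executable to a common third party application directory" behaviours from the list above. The sample hashes, the C2 host game2030.site and the two Russian-hosted IPs (80.249.148.176, 185.251.89.116) are taken from the page; the JSON-lines event schema, the user name, the github.com hostname mapping and the 203.0.113.10 address are constructed assumptions. The sandbox IPs are deliberately scored low, since the page records them only as addresses the unpacked process and its droppee contacted, not as confirmed C2.

```python
"""Triage constructed EDR-style telemetry against the indicators on this page.

Added example, not MalwareBazaar's or the reporter's code. The event schema
(one JSON object per line with "type", "proc" and type-specific fields) and
the hosts, user and 203.0.113.10 in SAMPLE_EVENTS_JSONL are constructed.
"""
import hashlib
import json
import re
from typing import Dict, Iterable, List

# Hashes of the submitted sample, as listed on the page.
SAMPLE_HASHES: Dict[str, str] = {
    "sha256": "12bb8ed4385c0e52f3e43b54a87f1ce80c829e3de44e1586dfabfedccf67ec2b",
    "sha1": "68c6474188f587dcc146898543e564566b646d82",
    "md5": "b73194a81a9a57c97c6615faef5c4415",
    "sha3_384": "87fd22fca1ed18932b9d2068e0ead404e38371b0ffde6a636c1390d4e8481a50805992312291573eff6259b7293795f3",
}
C2_HOSTS = {"game2030.site"}  # from "C2 Extraction: game2030.site:80"
# Seen in the sandbox run from the unpacked process and its droppee. The page
# lists them as contacted, not as confirmed C2: low-confidence hunting leads.
SANDBOX_IPS = {"80.249.148.176", "185.251.89.116"}

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local|LocalLow)\\", re.IGNORECASE)
EXE_IN_VALUE = re.compile(r'^\s*"?([^"]+?\.exe)"?', re.IGNORECASE)  # strips quotes/args


def file_hashes(data: bytes) -> Dict[str, str]:
    """Hash a retrieved file with the same algorithms the page lists."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matching_hashes(observed: Dict[str, str]) -> List[str]:
    """Algorithms for which the observed digest equals the sample's digest."""
    return sorted(alg for alg, h in SAMPLE_HASHES.items()
                  if str(observed.get(alg, "")).lower() == h)


def triage(events: Iterable[dict]) -> List[dict]:
    """Apply the page's indicators plus two behaviour heuristics to events."""
    alerts: List[dict] = []

    def alert(rule: str, ev: dict, detail: str, confidence: str) -> None:
        alerts.append({"rule": rule, "confidence": confidence,
                       "proc": ev.get("proc"), "detail": detail})

    for ev in events:
        kind = ev.get("type")
        if kind == "file_write":
            hits = matching_hashes(ev)
            if hits:
                alert("known_sample_hash", ev, f"{ev['path']} on {','.join(hits)}", "high")
            # PE written under the user profile, as hvytube.exe was in the graph.
            if ev["path"].lower().endswith(".exe") and USER_WRITABLE.search(ev["path"]):
                alert("exe_dropped_user_writable", ev, ev["path"], "medium")
        elif kind == "net_connect":
            if str(ev.get("host", "")).lower() in C2_HOSTS:
                alert("c2_host", ev, f"{ev['host']}:{ev.get('port')}", "high")
            elif ev.get("ip") in SANDBOX_IPS:
                alert("sandbox_ip_lead", ev, ev["ip"], "low")
        elif kind == "reg_set":
            # Only Run values that launch something from a user-writable path;
            # vendor updaters under Program Files stay quiet.
            m = EXE_IN_VALUE.match(ev.get("value", ""))
            if RUN_KEY.search(ev["key"]) and m and USER_WRITABLE.search(m.group(1)):
                alert("run_key_user_writable", ev,
                      f"{ev['key']}\\{ev['name']} -> {m.group(1)}", "medium")
    return alerts


# Constructed telemetry: only the hashes, C2 host and sandbox IPs are from the page.
SAMPLE_EVENTS_JSONL = r"""
{"type": "file_write", "proc": "chrome.exe", "path": "C:\\Users\\alice\\Downloads\\mixsix_20211008-150045.exe", "sha256": "12bb8ed4385c0e52f3e43b54a87f1ce80c829e3de44e1586dfabfedccf67ec2b"}
{"type": "net_connect", "proc": "mixsix_20211008-150045.exe", "host": "game2030.site", "ip": "203.0.113.10", "port": 80}
{"type": "file_write", "proc": "1633737744714.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\hvytube.exe"}
{"type": "reg_set", "proc": "1633737744714.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "hvytube", "value": "\"C:\\Users\\alice\\AppData\\Roaming\\hvytube.exe\""}
{"type": "net_connect", "proc": "hvytube.exe", "host": "github.com", "ip": "140.82.121.4", "port": 443}
{"type": "reg_set", "proc": "msiexec.exe", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "Updater", "value": "\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"}
{"type": "net_connect", "proc": "1633737745809.exe", "ip": "185.251.89.116", "port": 80}
"""


def load_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo() -> List[dict]:
    return triage(load_events(SAMPLE_EVENTS_JSONL))


if __name__ == "__main__":
    for a in demo():
        print(a)
```

Run as a script it prints five alerts; the GitHub connection (which the sandbox also saw, from hvytube.exe) and the Program Files Run value produce nothing, which is why the persistence rule is scoped to user-writable paths rather than to any Run-key write.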

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:MALWARE_Win_Ficker
Author:ditekSHen
Description:Detects Ficker infostealer
Rule name:win_fickerstealer_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.fickerstealer.
Rule name:win_fickerstealer_w0
Author:Ben Cohen, CyberArk
Description:Yara rule for Ficker Stealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: GCleaner

Comments