MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92
SHA3-384 hash: 5e32d832ad63fd0ecb331a5eb7706af46e5a970e580103e25a93a565635b69d4cd87935a7ef8d669bc73c1c2673bd8f3
SHA1 hash: e213b328410a19cf5d7709faedf20ab14423227d
MD5 hash: e1a3468d800af68ba750e7913fd12354
humanhash: hydrogen-uncle-foxtrot-black
File name:e1a3468d800af68ba750e7913fd12354.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:304'128 bytes
First seen:2021-06-24 06:15:17 UTC
Last seen:2021-06-24 06:58:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:G+mOWWMe1cQl4obR9CUOXJSXkLWcNtafvgb0Zin0eKliB2uy2BFQA46EEw+:Dm3WMe1/98UOZSXkyyaf/Zi0eKDuy2BL
Threatray 8 similar samples on MalwareBazaar
TLSH B4545B9C766072DFC85BC472CEA91D64EAA0787B930B9203A15316EDEE1D897CF150F2
Reporter abuse_ch
Tags:exe FickerStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e1a3468d800af68ba750e7913fd12354.exe
Verdict:
No threats detected
Analysis date:
2021-06-24 06:18:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e92d88c1-41f3-419f-8eaf-ddbc5e7b6f22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ficker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167843/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37140875.22388.3273.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FickerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd9a2a7b-75e7-4143-80c6-96fd14548edb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/807174
Signature
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439587 Sample: Ulunu86YYq.exe Startdate: 24/06/2021 Architecture: WINDOWS Score: 56 20 Multi AV Scanner detection for submitted file 2->20 6 Ulunu86YYq.exe 3 2->6         started        process3 file4 18 C:\Users\user\AppData\...\Ulunu86YYq.exe.log, ASCII 6->18 dropped 22 Detected unpacking (changes PE section rights) 6->22 10 explorer.exe 6->10         started        12 explorer.exe 6->12         started        14 explorer.exe 6->14         started        16 2 other processes 6->16 signatures5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 01:09:44 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
21997a8180c9d1add6f4b7eb35d754d9a15acc614cdb5b11078eb5da661d9d3e
FickerStealer
9282d409b92e1ebf58829283933edea243f7ccf3b68456139986c7cb5949522d
FickerStealer
95961ebfe18f108918834d77940d5f7a516cabe3be4a8a799a5a80f488805d60
FickerStealer
ae0d9ff2760715f57cb6231b7ccefbfd974671e32b600207405ea419767dccb6
FickerStealer
b7fd001cc5d96be03e5f7be18a303806cea1d80fcbac831831abef4a2939dbb1
FickerStealer
ce83f302a60301e222c23e67a7525106d610c6231c23d747ad4263669c1c88c7
FickerStealer
e5fa7e3d66f99d172d3eba7af15276e7eb1958748832b8965b9eedba4cbfc90c
FickerStealer
ec06102bf93522b24afce8e7641a0182b4bf0c53861599f22b5ee257ad1ee2d8
FickerStealer
Result
Malware family:
fickerstealer
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer infostealer spyware stealer
Link:
https://tria.ge/reports/210624-qsbl7aaw92/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads local data of messenger clients
Core1 .NET packer
fickerstealer
Malware Config
C2 Extraction:
185.215.113.94:80
Unpacked files
SH256 hash:
2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92
MD5 hash:
e1a3468d800af68ba750e7913fd12354
SHA1 hash:
e213b328410a19cf5d7709faedf20ab14423227d
Link:
https://www.unpac.me/results/6988a91e-29f0-4bcb-b16f-e65f99ae8c33/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Ficker
Create hunting rule
Author:ditekSHen
Description:Detects Ficker infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FickerStealer

Executable exe 2ce292291e0e0500b132b502c6ad7fc5e50317f73127c799b3b2bfa3dd387c92

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/167843/
  
URLhaus
https://urlhaus.abuse.ch/url/1372392/
  
Delivery method
Distributed via web download

Comments