MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
SHA3-384 hash: 1d61712843d96309c1060b794c2df9ccd7a848365a22ea01f63ca1345877e184c117504ee011491465daaa59f3d76790
SHA1 hash: 97c1890ab73c539056f95eafede319df774e9d38
MD5 hash: 3ae1c212119919e5fce71247286f8e0e
humanhash: sierra-violet-video-undress
File name:setup_x86_x64_install.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:3'311'225 bytes
First seen:2021-06-25 01:00:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JzW3xr+nE8OUSnhyL/34PVR3dSqJcppIrTF9UqGbmZ1:J6x6YUSnqoLt/cLS59UJmv
Threatray 73 similar samples on MalwareBazaar
TLSH 39E5339221EC41ABC05576F209324F257E6278245BF5E34B037716973F2ACC3BD8A7A9
Reporter Anonymous
Tags:exe FickerStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
87.251.71.195:82 https://threatfox.abuse.ch/ioc/153655/

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
No threats detected
Analysis date:
2021-06-25 01:01:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fccbc7c9-840d-4ed6-8525-83cf15924f0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ficker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168187/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1611fe87-fa34-40e1-9da1-3f452e0c4ef3
Result
Threat name:
Backstage Stealer RedLine SmokeLoader Vi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807845
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440256 Sample: setup_x86_x64_install.exe Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 144 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->144 146 Multi AV Scanner detection for domain / URL 2->146 148 Found malware configuration 2->148 150 16 other signatures 2->150 11 setup_x86_x64_install.exe 10 2->11         started        14 svchost.exe 2->14         started        17 explorer.exe 2->17         started        19 svchost.exe 2->19         started        process3 file4 108 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->108 dropped 21 setup_installer.exe 15 11->21         started        198 System process connects to network (likely due to code injection or exploit) 14->198 200 Sets debug register (to hijack the execution of another thread) 14->200 202 Modifies the context of a thread in another process (thread injection) 14->202 25 svchost.exe 14->25         started        signatures5 process6 dnsIp7 120 192.168.2.1 unknown unknown 21->120 82 C:\Users\user\AppData\...\setup_install.exe, PE32 21->82 dropped 84 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 21->84 dropped 86 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 21->86 dropped 88 10 other files (none is malicious) 21->88 dropped 28 setup_install.exe 1 21->28         started        122 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 25->122 152 Query firmware table information (likely to detect VMs) 25->152 file8 signatures9 process10 dnsIp11 140 motiwa.xyz 172.67.193.180, 49728, 80 CLOUDFLARENETUS United States 28->140 142 127.0.0.1 unknown unknown 28->142 194 Detected unpacking (changes PE section rights) 28->194 196 Performs DNS queries to domains with low reputation 28->196 32 cmd.exe 1 28->32         started        34 cmd.exe 1 28->34         started        36 cmd.exe 1 28->36         started        38 5 other processes 28->38 signatures12 process13 process14 40 arnatic_6.exe 32->40         started        45 arnatic_2.exe 1 34->45         started        47 arnatic_1.exe 88 36->47         started        49 arnatic_3.exe 5 38->49         started        51 arnatic_4.exe 1 1 38->51         started        53 arnatic_7.exe 38->53         started        55 arnatic_5.exe 38->55         started        dnsIp15 126 jom.diregame.live 40->126 128 136.144.41.152, 49732, 80 WORLDSTREAMNL Netherlands 40->128 136 11 other IPs or domains 40->136 90 C:\Users\...\z4mkqke_HWZRVZqBhXKB2bP6.exe, PE32 40->90 dropped 92 C:\Users\...\w8aldlGLR6gBkwrIsJwpjnyE.exe, PE32 40->92 dropped 94 C:\Users\...\uYPmRxzrzJb_oP68Zgx8eVU0.exe, PE32 40->94 dropped 104 27 other files (24 malicious) 40->104 dropped 174 Drops PE files to the document folder of the user 40->174 176 May check the online IP address of the machine 40->176 178 Performs DNS queries to domains with low reputation 40->178 180 Disable Windows Defender real time protection (registry) 40->180 57 gI6NvV0H3qvaaGYg32q6AL0z.exe 40->57         started        60 93XrS6OF98B6nmHRealOVqIU.exe 40->60         started        63 b__d3ivAfEOjcZbeFyjGaJa8.exe 40->63         started        71 12 other processes 40->71 96 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 45->96 dropped 182 DLL reload attack detected 45->182 184 Renames NTDLL to bypass HIPS 45->184 186 Checks if the current machine is a virtual machine (disk enumeration) 45->186 130 159.69.20.131, 49767, 80 HETZNER-ASDE Germany 47->130 132 sergeevih43.tumblr.com 74.114.154.18, 443, 49766 AUTOMATTICUS Canada 47->132 106 12 other files (none is malicious) 47->106 dropped 188 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 47->188 190 Tries to steal Crypto Currency Wallets 47->190 98 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 49->98 dropped 65 rundll32.exe 49->65         started        134 ip-api.com 208.95.112.1, 49729, 80 TUT-ASUS United States 51->134 138 3 other IPs or domains 51->138 100 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 51->100 dropped 67 jfiag3g_gg.exe 51->67         started        74 2 other processes 51->74 192 Injects a PE file into a foreign processes 53->192 69 arnatic_7.exe 53->69         started        76 2 other processes 53->76 102 C:\Users\user\AppData\Roaming\8858983.exe, PE32 55->102 dropped file16 signatures17 process18 dnsIp19 154 Query firmware table information (likely to detect VMs) 57->154 156 Tries to detect sandboxes and other dynamic analysis tools (window names) 57->156 158 Hides threads from debuggers 57->158 110 C:\Program Files (x86)\...\md8_8eus.exe, PE32 60->110 dropped 112 C:\Program Files (x86)\Company\...\jooyu.exe, PE32 60->112 dropped 114 C:\Program Files (x86)\...\jingzhang.exe, PE32 60->114 dropped 118 2 other files (1 malicious) 60->118 dropped 160 Tries to detect sandboxes / dynamic malware analysis system (registry check) 63->160 162 Writes to foreign memory regions 65->162 164 Allocates memory in foreign processes 65->164 124 ip-api.com 71->124 116 C:\Users\user\AppData\Local\...\System.dll, PE32 71->116 dropped 166 May check the online IP address of the machine 71->166 168 Tries to harvest and steal browser information (history, passwords, etc) 71->168 170 Sample uses process hollowing technique 71->170 172 Injects a PE file into a foreign processes 71->172 78 conhost.exe 71->78         started        80 conhost.exe 71->80         started        file20 signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e/
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 01:01:19 UTC
AV detection:
28 of 46 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdbpemhfianuwhvi7nbf3lpu4rjvoweega5z7iqgnzvjdbm7afxa._file
Verdict:
unknown
Similar samples:
2263fd1332612187cb951793ae3b34b74bd815da95d82b9d04d1fd6facb8311b
FickerStealer
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
FickerStealer
510d3eadc5652908d47db79067009b04cf4e9234720f052e90cc7d18ffad0b20
FickerStealer
5492e3416a525e99e343354634250dd8d9c0620547803e67b3831fd3193bec3e
FickerStealer
8040940621af7b77ecbb66d16ca8fc924900960d48665247aa3f77d4de560c9a
FickerStealer
9ab3974177adbac89ee70f9ca1eb8d9a1db104243bb87e41245c26518177613b
FickerStealer
c7dac0da25d58206459be8af996568547c3df0f76149c741e607249af4c47a67
FickerStealer
d09cb69744c809f1e48fda7e9ab5623852a42fc6f2cf79547ecc3329871e84ca
FickerStealer
e9f1bfdfb6c8229f57b9bec5149d4dc3af2c148ffb694d8ae32ceeca1530d1fe
FickerStealer
f3c2f58838f82805e8b2fad088523958db89bc6c34b1e27760f881d8d1bcc36e
FickerStealer
+ 63 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer family:plugx family:redline family:smokeloader family:vidar botnet:servani aspackv2 backdoor evasion infostealer persistence stealer themida trojan upx
Link:
https://tria.ge/reports/210625-ywl2j76c4x/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
PlugX
RedLine
RedLine Payload
SmokeLoader
Vidar
fickerstealer
Malware Config
C2 Extraction:
87.251.71.195:82
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
bukkva.club:80
Unpacked files
SH256 hash:
f25fc786c068e7fb8d328a6d0314d448a455cc40d4bae93b850bd7921a92565a
MD5 hash:
9e5af49adebd237165adc274659a751a
SHA1 hash:
558087e9f632c5b7863f3e88f05fa5dec178915d
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
Parent samples :
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
7236d2230905b8b69837f4771afd6cfedf8f53fa370bc6e40adde9d29a0b7153
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247
SH256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
f6d25c588a08bae0577a41212e0ae6c89391b805f5e8ff009775173ade59c0da
MD5 hash:
ba35b246d111ac6fa01478a7a88b418d
SHA1 hash:
1532612b5c9ac38e946a581492f06f494e191908
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
b2ef7dac2d68017eae17a9b88f436da6a1ad224554c168ec9e3677c7b32da1d2
MD5 hash:
fb0ea2ade163f517d9d7e11c7f8d1971
SHA1 hash:
08385aed6cc34442b6e6d8aafa7e21a424167b50
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
6696ed1ab80058f119a09fbc65443bcce0c9ca2c7699f50968fe0814321fada3
MD5 hash:
f546e44cf51be39faf187f848ecce8c8
SHA1 hash:
06eb55e8588a4eb9ad6e10f9fa33842a91332b52
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
664003cbe6a433ee57676929e973a5efe2644429ceeb348323ff70ed93e94d1e
MD5 hash:
890a74f18cc8b987518fe98e44c7b486
SHA1 hash:
af1381401d6ff9a3c7469ffad2fd5838890a4d95
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
796e9d8fb1b6857dccc422e0e1d40b365f87bc2cd15cd2a9c0b76a129fe9766d
MD5 hash:
21660edd8eb4141e734f65d0fe6e513a
SHA1 hash:
caa11e8c2a45c7dcc79f642bd5d97b59a0de67a0
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
Parent samples :
c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
7236d2230905b8b69837f4771afd6cfedf8f53fa370bc6e40adde9d29a0b7153
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
8b5a4e40ae69a6a40919083275f37fc759ab609f0aa9d2269135c34a3fe3f053
SH256 hash:
d53e77fc97f36b6f9c74381bf93ca86f139eb923a49c7711842136aa54456dd6
MD5 hash:
385c4a728381449569c8d07683d5fbd3
SHA1 hash:
5a48f16c63d1762c03a47cb757d8e995a898e58d
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
MD5 hash:
5668cb771643274ba2c375ec6403c266
SHA1 hash:
dd78b03428b99368906fe62fc46aaaf1db07a8b9
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414
MD5 hash:
c6f791cdb3ec5ab080f0d84e9cb1d4eb
SHA1 hash:
d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
MD5 hash:
89c739ae3bbee8c40a52090ad0641d31
SHA1 hash:
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
9057ba81960258a882dee4335d947f499adabfc59bfd99e2b5f56b508a01fbe2
MD5 hash:
b0486bfc2e579b49b0cacee12c52469c
SHA1 hash:
ac6eb40cc66eddd0589eb940e6a6ce06b00c7d30
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
99117569330d3694ed281e0c5414c23aa33a5eb370494febb267925dd4a62208
MD5 hash:
a957a80658f31c8fc864755deb2a0ca7
SHA1 hash:
8692ad674194f0901ee776ba99704f061babda95
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
475d0beeadca13ecdfd905c840297e53ad87731dc911b324293ee95b3d8b700b
MD5 hash:
a0b06be5d5272aa4fcf2261ed257ee06
SHA1 hash:
596c955b854f51f462c26b5eb94e1b6161aad83c
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
de427ec4cbf5ced1935dfc885e1c7fd3899ebc9d5465a5fcfa213556a5fd2e67
MD5 hash:
f4a6ad0d61120257614f97a62c7d812a
SHA1 hash:
db7bd48b5400233d440dfe9c556aab938b6f75f4
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
d0f39e8358b2b3268ffcedb9713968c81cfe2c7e8047e8498a74ecaf87f65ba8
MD5 hash:
8d8f90f66903e71eddaed693935b6c34
SHA1 hash:
b6e1361983e5ab049330fd3c29044e69d744b26a
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
SH256 hash:
30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
MD5 hash:
3ae1c212119919e5fce71247286f8e0e
SHA1 hash:
97c1890ab73c539056f95eafede319df774e9d38
Link:
https://www.unpac.me/results/cc860c7d-4566-496e-874c-b6af6cf052fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168187/

Comments