MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d132b91ad83f720371df1bc4e5879fffe0e7bd24aafb374f9f3eeb752f7441f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FickerStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	3d132b91ad83f720371df1bc4e5879fffe0e7bd24aafb374f9f3eeb752f7441f
SHA3-384 hash:	42813814f843c2a9b4344e830894578aeda84f5d5ad325e9f94ccd3a3ea1878e3c6aa5ad2f7b999dab00144744d95a7c
SHA1 hash:	24ca2f9c749ffe60931fd1f61ebf0cf7bedda9fe
MD5 hash:	ae5b742f72d184d0a8ad1df948368344
humanhash:	july-winter-lithium-pasta
File name:	ae5b742f72d184d0a8ad1df948368344.exe
Download:	download sample
Signature	FickerStealer Create hunting rule
File size:	509'440 bytes
First seen:	2021-03-16 19:31:56 UTC
Last seen:	2021-03-16 21:31:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c7f9f3f4681e672c59c53a0b16cf9e28 (2 x FickerStealer)
ssdeep	12288:K+jd/FYmTo+RSeQHTaDHPnhOJuDyOM2lSwJwCT7qQ:K+p/+0ZRSe1vhOgDyz2lSqwCK
Threatray	76 similar samples on MalwareBazaar
TLSH	5BB4AE4FFED49CE9C5935C3529A3771C83E2685F0572848BDE48436C462A8A8467FBBC
Reporter	abuse_ch
Tags:	exe FickerStealer

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ae5b742f72d184d0a8ad1df948368344.exe

Verdict:

Malicious activity

Analysis date:

2021-03-16 20:04:33 UTC

Tags:

evasion trojan ficker stealer

Link:

https://app.any.run/tasks/96d30bfa-0544-4faf-817e-4d2c5eed82e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Ficker

Link:

https://www.capesandbox.com/analysis/124431/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.63008.17786.31543.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4a51cb9c-527b-4bdf-9d76-540b7c7bd80c

Result

Threat name:

Ficker Stealer

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/641329

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Detected unpacking (creates a PE file in dynamic memory)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Yara detected Ficker Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d132b91ad83f720371df1bc4e5879fffe0e7bd24aafb374f9f3eeb752f7441f/

Threat name:

Win32.Trojan.Malrep

Status:

Malicious

First seen:

2021-03-16 19:32:07 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Verdict:

malicious

FickerStealer

0a05acba81358c991a65bec090a8d8be970ac43b60105736ae73ccc2ace00490

FickerStealer

55c76c4160faaf104652eb6da27dda571da4c92a1d4be2e17885c7d0ff3bcbc8

FickerStealer

7d9779fbd1bf96300874dfb62e5756308807a2c16a83de2a3f2edab794215946

FickerStealer

7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1

FickerStealer

8e4f25ae17e2868391994dee1de589d93b6162b085a726f76bd5b848330dd44d

FickerStealer

94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1

FickerStealer

a6af404cb4c891c28895a5f311f6ead7c4007a5eb16b3be8c77630998a08895f

FickerStealer

ad7df9c3f3da564ae38fda8bfa0324a52ed98899696e763dae3bff7dad93262b

FickerStealer

e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df

FickerStealer

+ 66 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/210316-xseb8j1jmn/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Reads local data of messenger clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

3d132b91ad83f720371df1bc4e5879fffe0e7bd24aafb374f9f3eeb752f7441f

MD5 hash:

ae5b742f72d184d0a8ad1df948368344

SHA1 hash:

24ca2f9c749ffe60931fd1f61ebf0cf7bedda9fe

Link:

https://www.unpac.me/results/b7a2f9e4-6dd3-4215-9124-4626ca753144/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3d132b91ad83f720371df1bc4e5879fffe0e7bd24aafb374f9f3eeb752f7441f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.