MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 414ae59a12db299866abacb6e65d1d2aed26ec9197969821fe77bb52ca64ed17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 414ae59a12db299866abacb6e65d1d2aed26ec9197969821fe77bb52ca64ed17
SHA3-384 hash: a89fe9af7fa294c22e62666f068ec54d02842ed2f363d8c9c91dd76ffa2df14eb60dae8eab9f8107967199fad80bccc9
SHA1 hash: 6c5a80d1c3c44b837249f22bf502f9da8ace5c17
MD5 hash: ba473f80bece49da1c8547b78e24c632
humanhash: aspen-hawaii-autumn-don
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.63308.20752.29873
Download: download sample
Signature FickerStealer
Create hunting rule
File size:254'478 bytes
First seen:2021-03-22 11:42:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 85f939c55583646131cc7198cf6cddea (1 x DanaBot, 1 x FickerStealer)
ssdeep 6144:QCnLdH0Y0ch44poupoUFkp4Fo1D1uMbASRw601hMV59:QOyYW4poupokkpcE1ugA42i9
Threatray 81 similar samples on MalwareBazaar
TLSH 1344F116BF91D473C483297029B0C2A9963A35331A75F447BB9C1FBE2EF02E16725762
Reporter SecuriteInfoCom
Tags:FickerStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab4303595c64f141969428611b0c8c6b.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 09:56:34 UTC
Tags:
loader evasion trojan ficker stealer
Link:
https://app.any.run/tasks/8bdc4f95-3046-4edd-954d-a03023432cb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ficker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125898/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.63308.20752.29873.UNOFFICIAL
Create hunting rule

Win.Malware.Generic-9846132-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Sending a UDP request
Reading critical registry keys
Delayed reading of the file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FickerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d4b6be0-0ed0-40f8-83ed-8834489d42ae
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647689
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/414ae59a12db299866abacb6e65d1d2aed26ec9197969821fe77bb52ca64ed17/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-21 01:48:25 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
33 of 47 (70.21%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iffolgqs3muzqzvlvs3omxi5flwsn3ers6ljqip6o65vfste5ulq._file
Verdict:
malicious
Similar samples:
0decfc6bc9d5edf330d4bd96fe56d2350c3065305b2f99d70e3ffd6b2ae78308
FickerStealer
4c1e67f48961f4ed80ee2c64d32022d8d2e9b16ac1d84b2ca571d02318ad3a2b
FickerStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
FickerStealer
8c83844722c5a6efc00ae36bf0a8548d3257e088d1547362227541f57ee98980
FickerStealer
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
FickerStealer
aed38ba366e382ed5d83fabe10195028a22dcc050ad3399048fc240421e4aad4
FickerStealer
c2d614dcb12132a96b1d0663513e67bb624771a0bb1070d2e8482f8c774a41ac
FickerStealer
e2b766a5e694e0fd5756ef168bbd5b436f1baba2e8b74c356dbd6f0e63184bdd
FickerStealer
e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df
FickerStealer
ee60159a403a0f52899c4b736d4a81cf8a73412e1deb6ffbe06be9e1ca221b82
FickerStealer
+ 71 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210322-r8bxdcd7zx/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Reads local data of messenger clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
414ae59a12db299866abacb6e65d1d2aed26ec9197969821fe77bb52ca64ed17
MD5 hash:
ba473f80bece49da1c8547b78e24c632
SHA1 hash:
6c5a80d1c3c44b837249f22bf502f9da8ace5c17
Link:
https://www.unpac.me/results/54aeaaa7-ced1-47e4-87ad-aa665354db9f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/414ae59a12db299866abacb6e65d1d2aed26ec9197969821fe77bb52ca64ed17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Ficker
Create hunting rule
Author:ditekSHen
Description:Detects Ficker infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FickerStealer

Executable exe 414ae59a12db299866abacb6e65d1d2aed26ec9197969821fe77bb52ca64ed17

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1083323/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/125898/

Comments