MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55c76c4160faaf104652eb6da27dda571da4c92a1d4be2e17885c7d0ff3bcbc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FickerStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	55c76c4160faaf104652eb6da27dda571da4c92a1d4be2e17885c7d0ff3bcbc8
SHA3-384 hash:	6b287770e7bc3050fb272d3803e8b2f6a72cd5eec300b5b22b68af2b6f5818f72900d8f11a5dc61a4700c12b01ff31ee
SHA1 hash:	a82c59683d4763347951eeaf71f94568ea3678d9
MD5 hash:	cc8e8bed26e01bd70934e3694d47539f
humanhash:	nevada-saturn-avocado-crazy
File name:	cc8e8bed26e01bd70934e3694d47539f.exe
Download:	download sample
Signature	FickerStealer Create hunting rule
File size:	376'832 bytes
First seen:	2021-02-15 07:55:03 UTC
Last seen:	2021-02-15 09:54:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	370afedd4e8e2c431858934dab986f76 (3 x FickerStealer)
ssdeep	6144:Ke7+66+IWTs/ZrTcNgQitIBhAAK6zIwxCAVcE7Oew073WmJrI1y7Nc/FvwMP:KM+6trAVcrituY/wxrKh0PJZcNv5P
Threatray	68 similar samples on MalwareBazaar
TLSH	EA84C0F1B0C39269E70A563358ACE563C05DFC31AB91C53777A0ADAD0B711E8CE6CA61
Reporter	abuse_ch
Tags:	exe FickerStealer

abuse_ch

FickerStealer C2:
144.217.66.137:81

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cc8e8bed26e01bd70934e3694d47539f.exe

Verdict:

Malicious activity

Analysis date:

2021-02-15 07:59:36 UTC

Tags:

evasion trojan ficker stealer

Link:

https://app.any.run/tasks/7f683356-57e9-41cf-89df-eee6a4c98ad0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Ficker

Link:

https://www.capesandbox.com/analysis/117143/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.45729201.3116.11640.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Ficker Stealer

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/607845

Signature

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Detected unpacking (creates a PE file in dynamic memory)

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Yara detected Ficker Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/55c76c4160faaf104652eb6da27dda571da4c92a1d4be2e17885c7d0ff3bcbc8/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-02-15 07:55:12 UTC

AV detection:

14 of 47 (29.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kxdwyqla7kxrarss5nw2e7o2k4o2jsjkdvf6fylyqxd5b7z3zpea._file

Verdict:

malicious

FickerStealer

3e1f7453aa2f3bc50b969bb46142a09ac3d68c01cec4fc3c0277fa124625d731

FickerStealer

7d9779fbd1bf96300874dfb62e5756308807a2c16a83de2a3f2edab794215946

FickerStealer

8e4f25ae17e2868391994dee1de589d93b6162b085a726f76bd5b848330dd44d

FickerStealer

94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1

FickerStealer

ad7df9c3f3da564ae38fda8bfa0324a52ed98899696e763dae3bff7dad93262b

FickerStealer

c9b2ba6f4adb6aa4bb3c15e92d6b51eaaa5c1efa14ad774be125d4d47fae7fb4

FickerStealer

e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df

FickerStealer

ee60159a403a0f52899c4b736d4a81cf8a73412e1deb6ffbe06be9e1ca221b82

FickerStealer

efc9dc681fbad59d5fb6f1a66b433d6a7a7b7144444413d78f9d71dd184039ab

FickerStealer

+ 58 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware

Link:

https://tria.ge/reports/210215-y7el99a9xs/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

55c76c4160faaf104652eb6da27dda571da4c92a1d4be2e17885c7d0ff3bcbc8

MD5 hash:

cc8e8bed26e01bd70934e3694d47539f

SHA1 hash:

a82c59683d4763347951eeaf71f94568ea3678d9

Link:

https://www.unpac.me/results/0eae1dd4-c1b4-4202-8730-69acfedd6a6e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/55c76c4160faaf104652eb6da27dda571da4c92a1d4be2e17885c7d0ff3bcbc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.