MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 592f1e6cc028a11073b5cd4194f45ac945e8b630b45672a2c9cce359877e0c69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 592f1e6cc028a11073b5cd4194f45ac945e8b630b45672a2c9cce359877e0c69
SHA3-384 hash: 01b82c54bf43ac37a2e30a08e6e7b120c877b8d5f19e3c9f4ad366d9b9e6840ab713f64fb3a7c6b0f724e473787750bd
SHA1 hash: 96d9fd13312c32c7b94e7709ad37890ed6f7c059
MD5 hash: fa91a18e923d81088c83ac59165a8e0a
humanhash: high-river-bluebird-cat
File name:rwl.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:866'304 bytes
First seen:2021-09-07 06:25:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:+AHnh+eWsN3skA4RV1Hom2KXMmHagUO5:ph+ZkldoPK8YagB
Threatray 5'224 similar samples on MalwareBazaar
TLSH T198058B0273D1C036FFABA2739B6AF64156BC79254133852F13981DB9BD701B2263E663
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter JAMESWT_WT
Tags:bitbucket.org exe FickerStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rwl.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-07 07:03:20 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/3e0f15f0-6302-4a8c-b4fe-33362bb958b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185902/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Searching for analyzing tools
Searching for the window
Deleting a recently created file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Enabling autorun by creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e925fe4b-d325-43c9-90f4-ae7fc6e97df2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846380
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478808 Sample: rwl.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 68 Antivirus detection for dropped file 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 8 other signatures 2->74 9 rwl.exe 14 2->9         started        14 RealtekSb.exe 2->14         started        16 RealtekSb.exe 2->16         started        process3 dnsIp4 62 bitbucket.org 104.192.141.1, 443, 49684 AMAZON-02US United States 9->62 64 s3-w.us-east-1.amazonaws.com 52.217.205.137, 443, 49685 AMAZON-02US United States 9->64 66 2 other IPs or domains 9->66 48 C:\Users\user\...\download_file_24[1].exe, PE32 9->48 dropped 50 C:\ProgramData\download_file_24.exe, PE32 9->50 dropped 98 Binary is likely a compiled AutoIt script file 9->98 18 download_file_24.exe 22 9->18         started        100 Hides threads from debuggers 14->100 102 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->102 file5 signatures6 process7 file8 40 C:\Users\user\AppData\...\BidHence_68.exe, PE32 18->40 dropped 42 C:\Users\user\AppData\...\OptionHence_29.exe, PE32 18->42 dropped 44 C:\Users\user\AppData\...behaviorgraphladHence_92.exe, PE32 18->44 dropped 46 2 other files (none is malicious) 18->46 dropped 76 Multi AV Scanner detection for dropped file 18->76 22 GladHence_92.exe 8 18->22         started        26 BidHence_68.exe 4 18->26         started        29 OptionHence_29.exe 15 18->29         started        signatures9 process10 dnsIp11 54 194.147.115.117, 49692, 80 MIRHOSTINGRU unknown 22->54 78 Antivirus detection for dropped file 22->78 80 Multi AV Scanner detection for dropped file 22->80 82 Detected unpacking (changes PE section rights) 22->82 84 Potentially malicious time measurement code found 22->84 31 cmd.exe 1 22->31         started        52 C:\Users\user\AppData\...\RealtekSb.exe, PE32 26->52 dropped 86 Machine Learning detection for dropped file 26->86 88 Tries to evade analysis by execution special instruction which cause usermode exception 26->88 90 Tries to detect virtualization through RDTSC time measurements 26->90 34 RealtekSb.exe 26->34         started        56 45.67.231.4, 80 SERVERIUS-ASNL Moldova Republic of 29->56 58 elb097307-934924932.us-east-1.elb.amazonaws.com 50.19.119.155, 49689, 80 AMAZON-AESUS United States 29->58 60 2 other IPs or domains 29->60 92 May check the online IP address of the machine 29->92 94 Hides threads from debuggers 29->94 96 Tries to detect sandboxes / dynamic malware analysis system (registry check) 29->96 file12 signatures13 process14 signatures15 104 Uses ping.exe to sleep 31->104 106 Uses ping.exe to check the status of other devices and networks 31->106 36 conhost.exe 31->36         started        38 PING.EXE 1 31->38         started        108 Hides threads from debuggers 34->108 110 Tries to detect sandboxes / dynamic malware analysis system (registry check) 34->110 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/592f1e6cc028a11073b5cd4194f45ac945e8b630b45672a2c9cce359877e0c69/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2020-10-03 12:37:09 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
20 of 43 (46.51%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
03b209015fc672da7e08359236d6fd0197f53e4ef9ccfc690380cf422961106a
FickerStealer
1a3e09c9e55edd4048813fe5a20a87e840cb96039f199a0f6f960f315a61486f
FickerStealer
1ba569c631438a0fb356441838ff328835d607e7cdb217cc444923c1ec58337b
FickerStealer
30e374185ded5944c1ff0b2150cdaf2af9decb76a41089351cd21db2c3d1afae
FickerStealer
4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e
FickerStealer
9986d7d421e26cce5a64a65a7f72b757043cbe7dfe2dd0b32f66d25203922415
FickerStealer
b75f742ad569048f45c0898e017dfcc56e1ac7f98c40249a444fc1dad6ebb49c
FickerStealer
c34a85e738b7c8fa703aaa447cd24d17ff08baae5d4b44b7c2131c5df164b9a3
FickerStealer
fccd7d5301e46046f199343583a436d0869f49ae668aeedd41b76d75c403701e
FickerStealer
ffb27074c9ab066faecbaa1ad2e2824ba16553f0cf56fc658e62bc137db50c63
FickerStealer
+ 5'214 additional samples on MalwareBazaar
Result
Malware family:
fickerstealer
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer evasion infostealer
Link:
https://tria.ge/reports/210907-g68laafcer/
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
autoit_exe
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Identifies Wine through registry keys
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Fickerstealer
Malware Config
C2 Extraction:
45.67.231.4:80
Unpacked files
SH256 hash:
592f1e6cc028a11073b5cd4194f45ac945e8b630b45672a2c9cce359877e0c69
MD5 hash:
fa91a18e923d81088c83ac59165a8e0a
SHA1 hash:
96d9fd13312c32c7b94e7709ad37890ed6f7c059
Link:
https://www.unpac.me/results/47a93420-7018-4d0d-8d74-ea6e1c3de4c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/592f1e6cc028a11073b5cd4194f45ac945e8b630b45672a2c9cce359877e0c69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185902/

Comments