MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fc629fbf3a2155e080a6c65fde3db4fe84c3e818c20a3b4b9fb39242cbb2361. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FickerStealer

Vendor detections: 12

SHA256 hash: 6fc629fbf3a2155e080a6c65fde3db4fe84c3e818c20a3b4b9fb39242cbb2361
SHA3-384 hash: e3c6631dba4000b5574e20652b8bbf46b9ac2936505fb300b835a3bf4567667b7816ee3c89c3e1d047b7e951b82f7a68
SHA1 hash: 2b421eb8c9e27b5bdd113d1f45054d8eafa48726
MD5 hash: 0e7d5f23ce2fdc3320d257a952444609
humanhash: idaho-maine-nuts-mike
File name: mixsix_20211018-121016
Signature: FickerStealer
File size: 569'356 bytes
First seen: 2021-10-18 10:21:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: aa28841a98fbdef9684f8dac2b470256 (1 x FickerStealer, 1 x Loki, 1 x CryptBot)
ssdeep: 6144:IaqPFf30Cjo4qbLoa3+iAn9z/ax02ngRlyMnx1CByTqsV90MW0rLAb56dpLN4XQq:BqVjZq/ow+DnoS2ngRlh1CByTQMW0rw3
Threatray: 265 similar samples on MalwareBazaar
TLSH: T196C47D1055F45C29FAA622BC89AB735AA73E3EA09736C3C7417265F58B235D2EC70343
dhash icon: 5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter: benkow_
Tags: exe Ficker FickerStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 276
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
    Creating a window
    Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed spyeye
Result
Verdict: MALICIOUS
Details
    Windows PE Executable
    Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: FickerStealer
Verdict: Malicious
Result
Threat name: Ficker Stealer Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Costura Assembly Loader
Yara detected Ficker Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 504586; sample: mixsix_20211018-121016; start date: 18/10/2021; architecture: WINDOWS; score: 100)
Top-level signatures: Found malware configuration; Yara detected Ficker Stealer; Yara detected Vidar stealer; 2 other signatures
Process tree, with network contacts, dropped files and signatures recovered from the graph:
mixsix_20211018-121016.exe
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
    mixsix_20211018-121016.exe
        Contacts: 93.189.47.248 NTCOM-ASRU Russian Federation; 8.8.8.8 GOOGLEUS United States; 54.243.253.71 AMAZON-AESUS United States
        Drops: C:\Users\user\AppData\...\1634591374560.exe (PE32); C:\Users\user\AppData\...\1634591372602.exe (PE32)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal Bitcoin Wallet information
        1634591372602.exe
            Drops: C:\Users\user\AppData\Roaming\...\hvytube.exe (PE32)
            Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
            hvytube.exe
                Contacts: 104.222.176.202 SEABONE-NETTELECOMITALIASPARKLESpAIT United States; 88.99.66.31 HETZNER-ASDE Germany; 5 other IPs or domains
                Drops: C:\Users\user\AppData\Roaming\...\firefox.exe (PE32+); C:\Users\user\...\ICSharpCode.SharpZipLib.dll (PE32); C:\Users\user\AppData\Roaming\...\xul.dll (PE32+); 54 other files (none is malicious)
                Signatures: Drops executable to a common third party application directory
        1634591374560.exe
            Contacts: 192.168.2.1 unknown unknown
            Signatures: Tries to harvest and steal browser information (history, passwords, etc)
            WerFault.exe
                Contacts: 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
hvytube.exe (started from the analysis root)
    Contacts: 13.227.158.34 AMAZON-02US United States
hvytube.exe (started from the analysis root)
    Contacts: 13.227.158.29 AMAZON-02US United States
Threat name: Win32.Trojan.MintZard
Status: Malicious
First seen: 2021-10-18 10:22:05 UTC
AV detection: 23 of 45 (51.11%)
Threat level: 5/5
Result
Malware family: fickerstealer
Score: 10/10
Tags: family:arkei family:fickerstealer botnet:default discovery infostealer persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies system certificate store
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Arkei Stealer Payload
Arkei
Fickerstealer
Malware Config
C2 Extraction: game2030.site:80; http://gurums.online/ggate.php
Unpacked files
SHA256 hash: 6fc629fbf3a2155e080a6c65fde3db4fe84c3e818c20a3b4b9fb39242cbb2361
MD5 hash: 0e7d5f23ce2fdc3320d257a952444609
SHA1 hash: 2b421eb8c9e27b5bdd113d1f45054d8eafa48726
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: MALWARE_Win_Ficker
Author: ditekSHen
Description: Detects Ficker infostealer

Rule name: win_fickerstealer_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.fickerstealer.

Rule name: win_fickerstealer_w0
Author: Ben Cohen, CyberArk
Description: Yara rule for Ficker Stealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: GCleaner
