MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73d34ceec57d41cab2e4b22046898b531fe0b59ab16c533c7eee3a52caf29848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73d34ceec57d41cab2e4b22046898b531fe0b59ab16c533c7eee3a52caf29848
SHA3-384 hash: a5c089683ba7a0af3e90137feecfea3795ef19e75bc68ee4fb799bbd24bc9a349e6537c7b8c7fe1692d80a4dad2518f8
SHA1 hash: 5e0f468d9e9a9d14eef11caf54dafbe384303be4
MD5 hash: 4988a43a98b7d9c6aa7e71b8a8919fd6
humanhash: delaware-stairway-illinois-bacon
File name:mixshop_20210825-181122(1)
Download: download sample
Signature FickerStealer
Create hunting rule
File size:523'595 bytes
First seen:2021-08-25 18:05:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d03ad9b9e9a9068c266e5f5e715b4b7 (4 x Smoke Loader, 2 x RaccoonStealer, 1 x FickerStealer)
ssdeep 12288:eXSX3CPuJE0/PRm3HAURSEy0OiISPSpoKT1EW0rF3:pCPuSpRSoUpoMy3
Threatray 235 similar samples on MalwareBazaar
TLSH T15AB48E3065F45C25FE9622BC45AB835AA73E7E605B32D3C7427625B58B232D6FC70382
dhash icon ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter benkow_
Tags:exe FickerStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
47.254.170.221:80 https://threatfox.abuse.ch/ioc/195071/

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mixshop_20210825-181122(1)
Verdict:
Malicious activity
Analysis date:
2021-08-25 18:08:12 UTC
Tags:
evasion trojan ficker stealer
Link:
https://app.any.run/tasks/8b19fd2b-13be-4b44-ba8a-3ef75a8ea9bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ficker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/182383/
Detection(s):
Win.Packed.Pwsx-9862513-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Malware family:
FickerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2295371a-42e5-48f8-99f8-86d561dd0d8f
Result
Threat name:
Ficker Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839276
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Ficker Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73d34ceec57d41cab2e4b22046898b531fe0b59ab16c533c7eee3a52caf29848/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 18:06:03 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=opjuz3wfpva4vmxewiqencmlkmp6bnm2wfwfgpd65y5ffsxstbea._file
Verdict:
malicious
Similar samples:
3d132b91ad83f720371df1bc4e5879fffe0e7bd24aafb374f9f3eeb752f7441f
FickerStealer
508453fada299cf0300c709a42a613a86f8f728fa5fae070f600e5fa2400d73d
FickerStealer
7f724f72bd40d3d1c746f5ae218b9330698ef56a7e684918236c8dd722442442
FickerStealer
847dcc504fe7f23641351d16f3d05672981d91127fc0452e59dca640ddbedabd
FickerStealer
8a0772d0b96be2e3ea63320f194961906560ea9b6bedef47239aaa0faa52816a
FickerStealer
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
FickerStealer
9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd
FickerStealer
a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b
FickerStealer
a990f23cc27493dc2ad2d71e2b6b0fea99678e75356bf55c36e4643bffeadff3
FickerStealer
+ 225 additional samples on MalwareBazaar
Result
Malware family:
fickerstealer
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210825-g8lwlsn66s/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Reads local data of messenger clients
Reads user/profile data of web browsers
Fickerstealer
Malware Config
C2 Extraction:
mistral3.xyz:80
Unpacked files
SH256 hash:
73d34ceec57d41cab2e4b22046898b531fe0b59ab16c533c7eee3a52caf29848
MD5 hash:
4988a43a98b7d9c6aa7e71b8a8919fd6
SHA1 hash:
5e0f468d9e9a9d14eef11caf54dafbe384303be4
Link:
https://www.unpac.me/results/f56ed6b7-57e4-4c83-9bbd-8e202ebbb00a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/73d34ceec57d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73d34ceec57d41cab2e4b22046898b531fe0b59ab16c533c7eee3a52caf29848

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
gcleaner
Cape
Cape
https://www.capesandbox.com/analysis/182383/

Comments