MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
SHA3-384 hash: 6a016f603aef0100f1ead03cfc079c7f1e0babdc421ed03440763d7655c29e711720fc6875f5991de0a9b3fa49ac3382
SHA1 hash: d60b174c7f8372036da1eb0a955200b1bb244387
MD5 hash: 3bc84c0e8831842f2ae263789217245d
humanhash: juliet-massachusetts-low-burger
File name:3bc84c0e8831842f2ae263789217245d.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:131'072 bytes
First seen:2021-04-25 20:25:45 UTC
Last seen:2021-04-25 20:37:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e1baf4ab6685a606620fe187c276b405 (1 x FickerStealer)
ssdeep 3072:K3eaeYFHKui2oZGvH+2z+80ZozzhtYR2mdvd5tH8JLmwo:XEFEPX2tltYRPtH8Jg
Threatray 164 similar samples on MalwareBazaar
TLSH 65D34B01F0C3C4B1F061253527E4AF509EBFFCA18B2D6E57238612299E3859AD939E77
Reporter abuse_ch
Tags:exe FickerStealer


Avatar
abuse_ch
FickerStealer C2:
35.203.73.169:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
35.203.73.169:80 https://threatfox.abuse.ch/ioc/9947/

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
install.rar
Verdict:
Malicious activity
Analysis date:
2021-04-23 20:49:02 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/4626e24a-1621-4c0b-b06a-7c2d7715663d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144111/
Detection(s):
SecuriteInfo.com.Variant.Razy.854061.9385.700.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Reading critical registry keys
Sending a UDP request
Creating a window
Launching a process
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Delayed reading of the file
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FickerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/533925b7-4c79-4ee0-9ca9-c7cc4a705c40
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697125
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397483 Sample: RykzV2Bdm0.exe Startdate: 25/04/2021 Architecture: WINDOWS Score: 100 126 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->126 128 Multi AV Scanner detection for domain / URL 2->128 130 Malicious sample detected (through community Yara rule) 2->130 132 9 other signatures 2->132 10 RykzV2Bdm0.exe 25 2->10         started        15 waupdat3.exe 14 2->15         started        17 waupdat3.exe 2->17         started        19 5 other processes 2->19 process3 dnsIp4 100 hirezz.com 162.144.12.143, 49711, 49719, 80 UNIFIEDLAYER-AS-1US United States 10->100 102 iplogger.org 88.99.66.31, 443, 49710 HETZNER-ASDE Germany 10->102 66 C:\Users\user\AppData\Roaming\B743.tmp.exe, PE32+ 10->66 dropped 68 C:\Users\user\AppData\Roaming\B1C4.tmp.exe, PE32 10->68 dropped 70 C:\Users\user\AppData\Local\...\file[1].exe, PE32 10->70 dropped 72 2 other malicious files 10->72 dropped 156 May check the online IP address of the machine 10->156 21 B743.tmp.exe 1 15 10->21         started        26 B1C4.tmp.exe 10->26         started        28 cmd.exe 1 10->28         started        104 185.199.111.154, 443, 49732 FASTLYUS Netherlands 15->104 106 github.xn--com-kub 15->106 110 2 other IPs or domains 15->110 158 Multi AV Scanner detection for dropped file 15->158 160 Machine Learning detection for dropped file 15->160 162 Writes to foreign memory regions 15->162 108 140.82.121.4, 443, 49734, 49741 GITHUBUS United States 17->108 112 2 other IPs or domains 17->112 164 Allocates memory in foreign processes 17->164 166 Modifies the context of a thread in another process (thread injection) 17->166 168 Injects a PE file into a foreign processes 17->168 file5 signatures6 process7 dnsIp8 88 github.com 140.82.121.3, 443, 49716, 49722 GITHUBUS United States 21->88 90 github-releases.githubusercontent.com 185.199.108.154, 443, 49717, 49735 FASTLYUS Netherlands 21->90 64 C:\Users\user\AppData\Roaming\waupdat3.exe, PE32+ 21->64 dropped 134 Multi AV Scanner detection for dropped file 21->134 136 Machine Learning detection for dropped file 21->136 138 Sets debug register (to hijack the execution of another thread) 21->138 150 4 other signatures 21->150 30 msiexec.exe 1 21->30         started        32 msiexec.exe 1 21->32         started        36 msiexec.exe 21->36         started        38 msiexec.exe 21->38         started        140 Detected unpacking (changes PE section rights) 26->140 142 Detected unpacking (overwrites its own PE header) 26->142 144 May check the online IP address of the machine 26->144 146 Contains functionality to inject code into remote processes 26->146 40 B1C4.tmp.exe 15 26->40         started        92 127.0.0.1 unknown unknown 28->92 148 Uses ping.exe to check the status of other devices and networks 28->148 42 conhost.exe 28->42         started        44 PING.EXE 1 28->44         started        file9 signatures10 process11 dnsIp12 46 conhost.exe 30->46         started        74 94.23.23.52, 49729, 8080 OVHFR France 32->74 82 2 other IPs or domains 32->82 114 Query firmware table information (likely to detect VMs) 32->114 48 conhost.exe 32->48         started        76 91.121.140.167, 49742, 8080 OVHFR France 36->76 84 2 other IPs or domains 36->84 50 conhost.exe 36->50         started        52 conhost.exe 38->52         started        78 sodaandcoke.top 35.203.73.169, 49727, 49730, 80 GOOGLEUS United States 40->78 80 elb097307-934924932.us-east-1.elb.amazonaws.com 107.22.233.72, 49724, 80 AMAZON-AESUS United States 40->80 86 2 other IPs or domains 40->86 116 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->116 118 Tries to steal Instant Messenger accounts or passwords 40->118 120 Tries to harvest and steal browser information (history, passwords, etc) 40->120 122 Tries to harvest and steal Bitcoin Wallet information 40->122 signatures13 124 Detected Stratum mining protocol 76->124 process14 process15 54 msiexec.exe 46->54         started        58 msiexec.exe 1 46->58         started        dnsIp16 94 94.23.247.226, 49736, 8080 OVHFR France 54->94 96 pool.supportxmr.com 54->96 98 pool-fr.supportxmr.com 54->98 152 Query firmware table information (likely to detect VMs) 54->152 60 conhost.exe 54->60         started        62 conhost.exe 58->62         started        signatures17 154 Detected Stratum mining protocol 94->154 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824/
Threat name:
Win32.Ransomware.LockBit
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 09:16:04 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ov7hyjljzrjmtyldt66ka3uvps2a6525lsy2rkx2m4atdnrlbasa._file
Verdict:
malicious
Similar samples:
1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf
FickerStealer
362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5
FickerStealer
3f11a6c481b433ce5fa625ae1c43558335c9d281d203f3d5a0653bd2d6053940
FickerStealer
55d33f116ca5cbd1e8bbf9151c2f457f7f045c8b00b7980cada01d20e9bd29c6
FickerStealer
5f3507cbeaeda2b6fa6b1144782f45f17c274d30fba40fa1ee9b302496242265
FickerStealer
630a85d082105029c1f4962acea125d2dd7da277c060ee51544f748a58d0daaf
FickerStealer
7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e
FickerStealer
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
FickerStealer
b0fbbee768b77e2fe719f38622b54a01efd763255048374ab0340d56a430325f
FickerStealer
d4e27b8e7e1fd965522468bdc3eaf06513dd3a3e7402d9b441ab002dfc892adc
FickerStealer
+ 154 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:fickerstealer family:xmrig discovery infostealer miner persistence rat spyware stealer
Link:
https://tria.ge/reports/210425-vavv7m9982/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
DcRat
fickerstealer
xmrig
Malware Config
C2 Extraction:
sodaandcoke.top:80
Unpacked files
SH256 hash:
6e1bff69c7d6a9a001480ccb713911836681d78d3be1585df0424f8e965b805c
MD5 hash:
a6000c14bcba72f66de21ead48c9f31f
SHA1 hash:
c2f829adc8388b54286bedaff482554b0ea311f6
Link:
https://www.unpac.me/results/156169ae-d96b-4a92-8585-674a59ee4899/
SH256 hash:
757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
MD5 hash:
3bc84c0e8831842f2ae263789217245d
SHA1 hash:
d60b174c7f8372036da1eb0a955200b1bb244387
Link:
https://www.unpac.me/results/156169ae-d96b-4a92-8585-674a59ee4899/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Create hunting rule
Author:Florian Roth
Description:Detects XMRIG crypto coin miners
Reference:https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144111/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-25 21:01:54 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0026.002] Data Micro-objective::XOR::Encode Data
3) [C0052] File System Micro-objective::Writes File
4) [C0007] Memory Micro-objective::Allocate Memory
5) [C0040] Process Micro-objective::Allocate Thread Local Storage
6) [C0041] Process Micro-objective::Set Thread Local Storage Value
7) [C0018] Process Micro-objective::Terminate Process