MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80f4e35d825fcd2816deb95b0a2694203238b769cbf6267dcca8d10d6e1394c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FickerStealer


Vendor detections: 9



SHA256 hash: 80f4e35d825fcd2816deb95b0a2694203238b769cbf6267dcca8d10d6e1394c4
SHA3-384 hash: 020b4b0b2da815374ccb13ecd0540cf40c33f151df8b8606f9099945ec6e37103f47ea8fcedff92c88316c7efdc90230
SHA1 hash: b64ab3f50c337b0de0df01c388889fd4d6065fdc
MD5 hash: 22a92a568fc21beb4ede99712fb38c80
humanhash: west-potato-potato-muppet
File name: 22A92A568FC21BEB4EDE99712FB38C80.exe
Signature: FickerStealer
File size: 295,424 bytes
First seen: 2021-05-06 20:46:44 UTC
Last seen: 2021-05-06 21:50:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 30bed5e9d92bd8de5e13f2991927fa2e (1 x FickerStealer)
ssdeep: 6144:DKXsLMIPq8wc9DD4RPLFcumXHiTIGCBrz0H/8v7zc:DK8AAq8FIPLKumXHg8z
Threatray: 501 similar samples on MalwareBazaar
TLSH: 2E54D00179D0C476C492767A4C12DBB58EFEB861A9620E8F7BD80ABD5F147D1E72230B
Reporter: abuse_ch
Tags: exe FickerStealer


abuse_ch
FickerStealer C2:
http://morlrq04.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://morlrq04.top/index.php | https://threatfox.abuse.ch/ioc/30619/

Intelligence


File Origin
# of uploads: 3
# of downloads: 133
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Sending a UDP request
Creating a file
Sending a custom TCP request
Reading critical registry keys
Delayed reading of the file
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cryptbot Ficker Stealer
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Cryptbot
Yara detected Evader
Yara detected Ficker Stealer
Behaviour
Behavior Graph (ID 406343; sample K4ze1ZXV0W.exe; start date 06/05/2021; architecture WINDOWS; score 100). Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures. Process tree recovered from the graph:

K4ze1ZXV0W.exe
  network: g-clean.in (8.209.75.180, ports 49728, 49729, 49732; CNNIC-ALIBABA-US-NET-AP, Singapore); iplogger.org (88.99.66.31, ports 443, 49756, 49757; HETZNER-AS, Germany); 2 other IPs or domains
  dropped: C:\Users\user\AppData\...\85312036611.exe (PE32); C:\Users\user\AppData\...\80150071144.exe (PE32); C:\Users\user\AppData\...\38150650345.exe (PE32); 6 other malicious files
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); May check the online IP address of the machine
  +- cmd.exe
  |    +- 85312036611.exe
  |    |    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
  |    |    +- 85312036611.exe (second instance)
  |    |         network: truzen.site (62.113.117.9, ports 49745, 49755, 80; VDSINA-AS, Russian Federation); elb097307-934924932.us-east-1.elb.amazonaws.com (54.243.154.178, ports 49743, 80; AMAZON-AES, United States); 2 other IPs or domains
  |    |         signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal Bitcoin Wallet information
  |    +- conhost.exe
  +- cmd.exe
  |    +- 80150071144.exe
  |    |    signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)
  |    |    +- WerFault.exe (4 instances), each dropping C:\ProgramData\Microsoft\...\Report.wer
  |    +- conhost.exe
  +- cmd.exe
  |    +- 38150650345.exe
  |    |    network: nailedpizza.top; iplogger.org
  |    |    signatures: May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Sample or dropped binary is a compiled AutoHotkey binary
  |    +- conhost.exe
  +- cmd.exe
       +- conhost.exe
       +- taskkill.exe
Result
Threat name: Win32.Trojan.Bsymem
Status: Malicious
First seen: 2021-05-04 11:22:15 UTC
AV detection: 13 of 29 (44.83%)
Threat level: 5/5
Result
Malware family: fickerstealer
Score: 10/10
Tags: family:cryptbot family:fickerstealer discovery infostealer spyware stealer
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Suspicious use of NtCreateProcessExOtherParentProcess
fickerstealer
Malware Config
C2 Extraction: truzen.site:80
Unpacked files
SHA256 hash: 08373002f5dfd4af54963c6a1b700b57019bbca99abc7de51edc82d11fc43d38
MD5 hash: 39514fa5c79f59e09954934f7bf897b2
SHA1 hash: 286885bf61043e56785ce8bbc6856dce08067db1
SHA256 hash: 80f4e35d825fcd2816deb95b0a2694203238b769cbf6267dcca8d10d6e1394c4
MD5 hash: 22a92a568fc21beb4ede99712fb38c80
SHA1 hash: b64ab3f50c337b0de0df01c388889fd4d6065fdc
Please note that we are no longer able to provide a coverage score for Virus Total.
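
The indicators on this entry (the C2 URL from the IOC table and the abuse_ch comment, the truzen.site C2 from the configuration extraction, the other domains and IPs in the sandbox process tree, and the file hashes of the sample and its unpacked payload) can be swept against local proxy and DNS logs and file hashes. The Python below is an added example and not MalwareBazaar or vendor code: only the indicator values come from this page; the log lines and the bytes it hashes are constructed for illustration. iplogger.org and 88.99.66.31 belong to a public IP-lookup service the sample merely queries, so they are kept as low-confidence indicators, and the shared us-east-1 load-balancer hostname is left out because it would match unrelated traffic.

```python
"""Sweep log lines and file hashes for the indicators on this entry.

Added example; not MalwareBazaar or vendor code. Indicator values come from
the page, everything fed to them below is constructed test input.
"""
import hashlib
import re

# High-confidence network indicators: the ThreatFox C2 URL, the extracted
# C2 truzen.site, and the other contacted domains/IPs from the sandbox graph.
HIGH_URLS = {"http://morlrq04.top/index.php"}
HIGH_DOMAINS = {"morlrq04.top", "truzen.site", "g-clean.in", "nailedpizza.top"}
HIGH_IPS = {"62.113.117.9", "8.209.75.180"}
# iplogger.org is a public IP-lookup service the sample queries ("Looks up
# external IP address via web service"); on its own it is weak evidence.
# The us-east-1 ELB hostname is shared cloud infrastructure and is not used.
LOW_DOMAINS = {"iplogger.org"}
LOW_IPS = {"88.99.66.31"}

# File hashes of the submitted sample and its unpacked payload.
HASH_IOCS = {
    "sha256": {
        "80f4e35d825fcd2816deb95b0a2694203238b769cbf6267dcca8d10d6e1394c4",
        "08373002f5dfd4af54963c6a1b700b57019bbca99abc7de51edc82d11fc43d38",
    },
    "sha3_384": {
        "020b4b0b2da815374ccb13ecd0540cf40c33f151df8b8606f9099945ec6e37103f47ea8fcedff92c88316c7efdc90230",
    },
    "sha1": {
        "b64ab3f50c337b0de0df01c388889fd4d6065fdc",
        "286885bf61043e56785ce8bbc6856dce08067db1",
    },
    "md5": {
        "22a92a568fc21beb4ede99712fb38c80",
        "39514fa5c79f59e09954934f7bf897b2",
    },
}

_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
_HOST_OR_IP_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE
)


def file_digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA3-384 of a file's bytes, the algorithms this entry lists."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha3_384")}


def match_hashes(digests: dict) -> list:
    """Algorithms whose digest equals a hash from this entry (empty if none)."""
    return sorted(alg for alg, hexval in digests.items()
                  if hexval.lower() in HASH_IOCS.get(alg, set()))


def _domain_hit(host: str, domains: set):
    """Return the indicator that equals host or is a parent domain of it."""
    host = host.lower().rstrip(".")
    for dom in domains:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan_log_line(line: str) -> list:
    """Return (confidence, indicator) pairs found in one proxy or DNS log line."""
    hits = []
    for url in _URL_RE.findall(line):
        if url in HIGH_URLS:
            hits.append(("high", url))
    for token in _HOST_OR_IP_RE.findall(line):
        if token in HIGH_IPS:
            hits.append(("high", token))
        elif token in LOW_IPS:
            hits.append(("low", token))
        elif _domain_hit(token, HIGH_DOMAINS):
            hits.append(("high", _domain_hit(token, HIGH_DOMAINS)))
        elif _domain_hit(token, LOW_DOMAINS):
            hits.append(("low", _domain_hit(token, LOW_DOMAINS)))
    return list(dict.fromkeys(hits))  # dedupe, keep first-seen order


def sweep_logs(lines) -> list:
    """(line number, confidence, indicator) for every hit across the lines."""
    return [(n, conf, ioc) for n, line in enumerate(lines)
            for conf, ioc in scan_log_line(line)]


# Constructed log lines (Squid-style proxy access entries and DNS query
# entries); client IPs, timestamps and sizes are invented for this example.
LOG_LINES = [
    "1620334000.123 10.0.0.5 GET http://morlrq04.top/index.php 200 512",
    "1620334001.456 10.0.0.5 CONNECT iplogger.org:443 200 0",
    "1620334002.789 10.0.0.7 GET http://www.example.com/ 200 2048",
    "1620334003.001 10.0.0.5 TCP_MISS 62.113.117.9:80 POST 200 8192",
    "dns query 10.0.0.5 A truzen.site",
    "dns query 10.0.0.9 A cdn.g-clean.in",
]

if __name__ == "__main__":
    for n, conf, ioc in sweep_logs(LOG_LINES):
        print(f"line {n}: {conf:<4} {ioc}")
    print("hash match on constructed bytes:", match_hashes(file_digests(b"not the sample")))
```

Domain matching is suffix-based so that a subdomain of a listed C2 domain (cdn.g-clean.in in the constructed input) still fires; hash matching is case-insensitive because tools emit digests in either case. Treat a low-confidence hit as context to correlate with a high-confidence one rather than as an alert on its own.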

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_Ficker
Author:ditekSHen
Description:Detects Ficker infostealer
Rule name:Ping_Del_method_bin_mem
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com
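
Several of the behaviours reported above (Running batch commands, Creating a process from a recently created file, Launching a tool to kill processes, Kills process with taskkill, Deletes itself, and the cmd.exe children in the sandbox process tree) together with the "cmd ping IP nul del" pattern that the Ping_Del_method_bin_mem rule describes are visible in process-creation telemetry, not only in the binary. The Python below is an added example and not code from MalwareBazaar, the sandbox vendors or the YARA rule authors: it runs three detections over constructed Sysmon-style process-creation records. Only the image names (K4ze1ZXV0W.exe, 85312036611.exe, cmd.exe, taskkill.exe) come from this entry; the PIDs, directories and command lines are invented, because the page truncates the dropped-file paths and does not show the command lines.

```python
"""Process-creation detections for behaviours reported on this entry.

Added example, not vendor or MalwareBazaar code. EVENTS are constructed
Sysmon-style process-creation records: image names come from the page;
PIDs, directories and command lines are invented.
"""
import re

# "ping <ip> > nul & del <file>": a sleep built from ping followed by del,
# the idiom the Ping_Del_method_bin_mem rule describes ("cmd ping IP nul del").
PING_DEL_RE = re.compile(r"\bping\b.*\bnul\b.*\bdel\b", re.IGNORECASE)
# Path argument of the del command, with or without quotes and switches.
DEL_TARGET_RE = re.compile(r'\bdel\b\s+(?:/[a-z]\s+)*"?([a-z]:\\[^"&]+)', re.IGNORECASE)
# Directories a standard user can write to; the sandbox saw the dropped
# executables under C:\Users\user\AppData\... (path truncated on the page).
USER_WRITABLE_RE = re.compile(r"\\appdata\\|\\temp\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Return the names of the detections that fire for one process-creation event."""
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmdline = event.get("command_line", "")
    hits = []

    # 1. cmd.exe delaying with ping and then deleting a file. When the deleted
    #    file is the parent's own image this is the "Deletes itself" behaviour.
    if image == "cmd.exe" and PING_DEL_RE.search(cmdline):
        m = DEL_TARGET_RE.search(cmdline)
        target = m.group(1).strip().lower() if m else ""
        hits.append("ping_delay_self_delete"
                    if target == event["parent_image"].lower()
                    else "ping_delay_delete")

    # 2. taskkill launched from cmd.exe ("Launching a tool to kill processes",
    #    "Kills process with taskkill").
    if image == "taskkill.exe" and parent == "cmd.exe":
        hits.append("cmd_spawns_taskkill")

    # 3. cmd.exe starting an executable from a user-writable directory
    #    ("Creating a process from a recently created file"). The all-digit
    #    file names are the naming this sample used for its dropped binaries.
    if (parent == "cmd.exe" and image.endswith(".exe")
            and USER_WRITABLE_RE.search(event["image"])):
        hits.append("cmd_runs_exe_from_user_dir")
        if image[:-4].isdigit():
            hits.append("numeric_filename_exe")
    return hits


def run(events) -> list:
    """(pid, detection) for every detection that fires across the event list."""
    return [(ev["pid"], name) for ev in events for name in detect(ev)]


# Constructed events. The directory "AppData\Local\Example" stands in for the
# truncated path on the page; the taskkill target and the del command line
# are invented to exercise the rules.
EVENTS = [
    {"pid": 3988, "image": r"C:\Users\user\Desktop\K4ze1ZXV0W.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Users\user\Desktop\K4ze1ZXV0W.exe"'},
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\K4ze1ZXV0W.exe",
     "command_line": r'cmd /c "C:\Users\user\AppData\Local\Example\85312036611.exe"'},
    {"pid": 4132, "image": r"C:\Users\user\AppData\Local\Example\85312036611.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Users\user\AppData\Local\Example\85312036611.exe"'},
    {"pid": 4188, "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"taskkill /f /pid 4132"},
    {"pid": 4210, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\K4ze1ZXV0W.exe",
     "command_line": r'cmd /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\user\Desktop\K4ze1ZXV0W.exe"'},
    {"pid": 5001, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd /c dir C:\Users\user\Documents"},
]

if __name__ == "__main__":
    for pid, name in run(EVENTS):
        print(f"pid {pid}: {name}")
```

Each rule is weak alone (administrators run taskkill and installers launch from AppData), which is why the self-delete rule compares the deleted path against the parent image and why the numeric-name check is layered on top of the user-directory check rather than replacing it; in practice the three firing within one process tree, as they do in the constructed events, is what justifies an alert.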

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 21:00:50 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0052] File System Micro-objective::Writes File
6) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
7) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
8) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0041] Process Micro-objective::Set Thread Local Storage Value
11) [C0018] Process Micro-objective::Terminate Process