MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8937fb7545cb081d8d5086671e6cf9d41295e191cf1bfaf4dd70282c056c79d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FickerStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 2 File information Comments

SHA256 hash:	8937fb7545cb081d8d5086671e6cf9d41295e191cf1bfaf4dd70282c056c79d1
SHA3-384 hash:	aba4394c073ad2c561eeb9e1dc402ac98d31e8b2ee14a5f9bad2c22a43e4fcf6ebff7bcf2754b7659b250d6f84e66e0e
SHA1 hash:	924de616d5d427686ef1e1e08a8881a64af2f943
MD5 hash:	10a3db9846445b8e1715802da3fa6d91
humanhash:	papa-india-crazy-item
File name:	10A3DB9846445B8E1715802DA3FA6D91.exe
Download:	download sample
Signature	FickerStealer Create hunting rule
File size:	272'398 bytes
First seen:	2021-07-15 16:16:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cb664df5fa904736e15ac44ff006d780 (10 x FickerStealer)
ssdeep	6144:uUP5lpW1LtuRLsEvLwkhRMSWQPd9urM6q4fjmL:Xlp+Y1zhOsPdOqL
Threatray	204 similar samples on MalwareBazaar
TLSH	T1F244290AFD418964C87ABA3124FFE239C6359E1C441B512BDFAF9E04EA7F3909D4D246
Reporter	abuse_ch
Tags:	exe FickerStealer

abuse_ch

FickerStealer C2:
80.249.131.115:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
80.249.131.115:80	https://threatfox.abuse.ch/ioc/160680/

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

10A3DB9846445B8E1715802DA3FA6D91.exe

Verdict:

Malicious activity

Analysis date:

2021-07-15 16:20:16 UTC

Tags:

evasion trojan ficker stealer

Link:

https://app.any.run/tasks/f77d8e9d-fc28-4c23-91d3-d601269ae737

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Ficker

Link:

https://www.capesandbox.com/analysis/172043/

Detection(s):

Win.Trojan.FickerStealer-9805476-1

Win.Malware.Jaik-9822962-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

FickerStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6892e12d-f9fd-4221-92ce-2f2b6a6462ef

Result

Threat name:

Ficker Stealer

Detection:

malicious

Classification:

phis.troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/817048

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Yara detected Ficker Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8937fb7545cb081d8d5086671e6cf9d41295e191cf1bfaf4dd70282c056c79d1/

Threat name:

Win32.Spyware.Fickerstealer

Status:

Malicious

First seen:

2021-07-13 02:14:08 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=re37w5kfzmeb3dkqqztr43hz2qjjlymrz4n7v5g5oaucyblmphiq._file

Verdict:

malicious

FickerStealer

3d132b91ad83f720371df1bc4e5879fffe0e7bd24aafb374f9f3eeb752f7441f

FickerStealer

508453fada299cf0300c709a42a613a86f8f728fa5fae070f600e5fa2400d73d

FickerStealer

7919bd3d8ee49fb1803f25bd73682f5fde4164ad6523069054a0ecbfb48fdb81

FickerStealer

7d9779fbd1bf96300874dfb62e5756308807a2c16a83de2a3f2edab794215946

FickerStealer

94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1

FickerStealer

9f34fa05d64045ba9833a00884d71bbbbdf4702b4417c15fc35c6308ea918a08

FickerStealer

ad7df9c3f3da564ae38fda8bfa0324a52ed98899696e763dae3bff7dad93262b

FickerStealer

e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df

FickerStealer

efc9dc681fbad59d5fb6f1a66b433d6a7a7b7144444413d78f9d71dd184039ab

FickerStealer

+ 194 additional samples on MalwareBazaar

Result

Malware family:

fickerstealer

Score:

10/10

Tags:

family:fickerstealer discovery spyware stealer

Link:

https://tria.ge/reports/210715-ydv4rtj4g6/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Reads local data of messenger clients

Reads user/profile data of web browsers

Malware Config

C2 Extraction:

fickotstuk.space:80

Unpacked files

SH256 hash:

8937fb7545cb081d8d5086671e6cf9d41295e191cf1bfaf4dd70282c056c79d1

MD5 hash:

10a3db9846445b8e1715802da3fa6d91

SHA1 hash:

924de616d5d427686ef1e1e08a8881a64af2f943

Detections:

win_fickerstealer_auto

Link:

https://www.unpac.me/results/0469b8cb-e8d7-4f72-9a1d-aca4c0fd8820/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8937fb7545cb081d8d5086671e6cf9d41295e191cf1bfaf4dd70282c056c79d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Ficker Create hunting rule
Author:	ditekSHen
Description:	Detects Ficker infostealer

Rule name:	win_fickerstealer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.fickerstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/172043/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample