MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9be708950c3554df320ee4f9089db6c41d2511e1c6fcde4846d620e7e04cb347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9be708950c3554df320ee4f9089db6c41d2511e1c6fcde4846d620e7e04cb347
SHA3-384 hash: 80af398bba88c43b66e9b19b2d809de3b343c3c174a2b8acbf771b03a8d4f22847e040e567a4b9cb48f1b5a2a202a501
SHA1 hash: 91535e34c0e846aa48cdf8dabdf8c1f4a831a811
MD5 hash: 29373b06e66bff3a24453f138695cc97
humanhash: georgia-single-indigo-avocado
File name:29373b06e66bff3a24453f138695cc97.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:363'534 bytes
First seen:2022-11-15 00:20:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f26be34d80d272fbd2608db39d5c8add (10 x Amadey, 7 x Smoke Loader, 6 x Tofsee)
ssdeep 6144:ipK8JqpJLlARQvSOcxvjo+bFO5YDLqqQ2Dd4yik6Is:iptwJ5ARQvSOcBJkcGqQSdLXo
Threatray 572 similar samples on MalwareBazaar
TLSH T19A74F1113881C4B1C1D2A9348D18C6A4AABBBCB269B8454777EC3F6D7FB12D16A7D313
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 25ac137831939b91 (12 x Smoke Loader, 8 x Amadey, 2 x Loki)
Reporter abuse_ch
Tags:exe FickerStealer


Avatar
abuse_ch
FickerStealer C2:
45.91.8.125:8080

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ficker
Create hunting rule
ID:
1
File name:
29373b06e66bff3a24453f138695cc97.exe
Verdict:
Malicious activity
Analysis date:
2022-11-15 00:22:01 UTC
Tags:
evasion trojan ficker stealer
Link:
https://app.any.run/tasks/a81aa327-7701-4a69-a35a-02d32bc2d761

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333991/
Detection(s):
Win.Packed.Botx-9977544-0
Create hunting rule

Win.Packed.Botx-9977546-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult ficker greyware lockbit overlay packed
Link:
https://www.filescan.io/uploads/6372db6ef75d59fef0b96623/reports/017c11fc-4076-4ab3-9db1-3abca6de50ce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FickerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fe18085-a557-426a-9148-0debf484bc57
Result
Threat name:
Rusty Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1113377
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected Rusty Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9be708950c3554df320ee4f9089db6c41d2511e1c6fcde4846d620e7e04cb347/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-12 15:21:32 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tptqrfimgvkn6mqo4t4qrhnwyqoskepby36n4scg2yqopycmwndq._file
Verdict:
malicious
Similar samples:
58433f617218ea615f48b5670b6ac8cbbe579e6c71cbb9a4a127f02d8ccb52e6
FickerStealer
6df186c3d5c563f492abed3e125ba4603f726bd1d257d4343f59d1584c0736db
FickerStealer
95db6418da0c11842b06ec98495f327dca6428ce7575798d2c3a36eecac508a2
FickerStealer
a82d27f251f423a8016520aafce59827c39c4101d655dc85b01cd39e0b2f61a6
FickerStealer
c2c563df059b1b4cb5e81bcee436fe2236efecbc428152353e649488972f75c4
FickerStealer
e9b7110334eeff9ee59b644a4cbc8f0bd8e90c5cdb7c6b0c6426cbbd4567176d
FickerStealer
+ 562 additional samples on MalwareBazaar
Result
Malware family:
fickerstealer
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer discovery infostealer spyware stealer
Link:
https://tria.ge/reports/221115-anbp9sec47/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Reads local data of messenger clients
Reads user/profile data of web browsers
Fickerstealer
Malware Config
C2 Extraction:
fickitd.link:8080
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/579a0621-7a0a-46c9-be4f-76ecba8421cd
Unpacked files
SH256 hash:
9be708950c3554df320ee4f9089db6c41d2511e1c6fcde4846d620e7e04cb347
MD5 hash:
29373b06e66bff3a24453f138695cc97
SHA1 hash:
91535e34c0e846aa48cdf8dabdf8c1f4a831a811
Link:
https://www.unpac.me/results/8b6e1db7-96ec-460f-bc80-03e7d03f86e5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9be708950c35/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9be708950c3554df320ee4f9089db6c41d2511e1c6fcde4846d620e7e04cb347

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/333991/

Comments