MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: FickerStealer
Vendor detections: 9

SHA256 hash: a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
SHA3-384 hash: 44458f253ffcc4c079a3eba412b83951c4efcebd1a7c265b9ab75966c6cf6fa039f82360c18a59854893d794a536d038
SHA1 hash: a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556
MD5 hash: 5f6a71ec27ed36a11d17e0989ffb0382
humanhash: solar-indigo-nitrogen-six
File name: keygen-step-4.exe
Signature: FickerStealer
File size: 6'638'002 bytes
First seen: 2021-03-06 07:30:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae9f6a32bb8b03dce37903edbc855ba1 (the same import hash is seen on 28 x CryptOne, 18 x RedLineStealer and 15 x njrat samples in MalwareBazaar, which points to a shared packer rather than a family link)
ssdeep: 196608:KyhB8xfEGWAFRb5+9AfDCCrt36D4I2ma4Z1E/:QffBomtrt3ctZ1s
Threatray: 13 similar samples on MalwareBazaar
TLSH: C6663365A0C0B9F2F66215788DDCA2705A38FD2407349BAF7298672C5E341D07A70BFB
Reporter: Anonymous
Tags: FickerStealer
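Before analysing a downloaded copy, confirm it is the file this entry describes by recomputing the listed digests. The script below is an added example written for this page, not MalwareBazaar's own tooling. It uses only the Python standard library (hashlib has supported SHA3-384 since 3.6) and takes its expected values from the hashes above; it streams the file in 1 MiB chunks because the sample is about 6.6 MB. imphash, ssdeep and TLSH need third-party libraries (pefile, ssdeep, py-tlsh) and are not computed here. Run it with the path to the unpacked sample as its only argument; with no argument it hashes a constructed byte string so the functions can be exercised offline.

```python
import hashlib
import io
import sys

# Digests listed on this MalwareBazaar entry for keygen-step-4.exe (copied from the page).
EXPECTED = {
    "sha256": "a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65",
    "sha3_384": "44458f253ffcc4c079a3eba412b83951c4efcebd1a7c265b9ab75966c6cf6fa039f82360c18a59854893d794a536d038",
    "sha1": "a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556",
    "md5": "5f6a71ec27ed36a11d17e0989ffb0382",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")  # all provided by hashlib
CHUNK_SIZE = 1 << 20  # 1 MiB; the sample is ~6.6 MB, so stream instead of reading it whole


def digest_stream(stream) -> dict:
    """Feed a single pass over the stream into every hasher; return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    """Wrapper for in-memory data (used for the offline demonstration)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return digest_stream(fh)


def verify(digests: dict, expected: dict) -> list:
    """Return the sorted names of algorithms whose digest differs from `expected`.

    Comparison is case-insensitive and algorithms absent from `digests` are skipped,
    so an empty list means every expected value that was computed matched.
    """
    return sorted(
        name
        for name, want in expected.items()
        if name in digests and digests[name].lower() != want.lower()
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Hash the unpacked sample and compare it with the values on this entry.
        digests = digest_file(sys.argv[1])
        expected = EXPECTED
    else:
        # Offline demonstration on a constructed byte string (not the malware sample);
        # the md5 entry is deliberately wrong to show how a mismatch is reported.
        digests = digest_bytes(b"constructed stand-in for keygen-step-4.exe")
        expected = {"sha256": digests["sha256"], "md5": "0" * 32}
    for name in ALGORITHMS:
        print(f"{name:9s} {digests[name]}")
    mismatches = verify(digests, expected)
    print("OK: all listed digests match" if not mismatches else f"MISMATCH: {mismatches}")
    sys.exit(1 if mismatches else 0)
```

A non-empty mismatch list means the file on disk is not the sample this entry describes (a different build, a truncated download, or a still-zipped archive), so stop and re-fetch rather than analyse it.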

Intelligence

File Origin
# of uploads: 1
# of downloads: 279
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: keygen-step-4.exe
Verdict: Malicious activity
Analysis date: 2021-03-06 07:30:52 UTC
Tags: evasion trojan ficker stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Sending a UDP request
Creating a file in the %AppData% directory
Reading critical registry keys
Deleting a recently created file
Delayed reading of the file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending an HTTP POST request
Adding a root certificate
Connecting to a non-recommended domain
Creating a file in the Windows subdirectories
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-03-02 17:42:57 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:elysiumstealer family:plugx family:redline family:vidar family:xmrig bootkit discovery evasion infostealer macro miner persistence spyware stealer themida trojan xlm
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs .reg file with regedit
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
themida
Executes dropped EXE
Suspicious Office macro
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
XMRig Miner Payload
ElysiumStealer
ElysiumStealer Payload
ElysiumStealer Support DLL
PlugX
RedLine
RedLine Payload
Vidar
xmrig
Unpacked files
SHA256 hash: e6a3570ea14cbc2f36f75b03645aab474d6afc100dd1a54ba744e6ac8c072264
MD5 hash: 7422d119c43a9cc09dc0039b977891b6
SHA1 hash: 6cbe89463673835477ec75105d6ab4e458f8afd3

SHA256 hash: 5bafe6a5ff592bb24539c3de541888eb26862b9bfa3bc4c980b81e22547e8e29
MD5 hash: 84ac004e89a48500633b2187c5f107e1
SHA1 hash: 6b40fba4824b807186ff0f50896c53b1e029c5e2

SHA256 hash: a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65 (the submitted sample itself)
MD5 hash: 5f6a71ec27ed36a11d17e0989ffb0382
SHA1 hash: a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
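The vendor reports on this entry disagree on the family (FickerStealer, Win32.Trojan.Glupteba, and a sandbox tagging elysiumstealer, plugx, redline, vidar and xmrig), which is what a loader that executes several dropped payloads looks like, so the behaviour list is the more portable thing to detect on. The script below is an added example written for this page, not the sandbox's or the YARA author's logic. It runs regex rules over constructed process-creation and registry-write records and maps hits to the behaviour labels used in the report above: timeout.exe delays, taskkill, regedit /s with a .reg file, certutil -addstore root, a value under a Run key, and the ping-then-del self-delete idiom. That last pattern is an assumption about what the YARA description "cmd ping IP nul del" refers to (`ping <ip> -n <N> > nul & del <file>`); the rule body itself is not on this page. All paths, process names and registry values in the sample records are invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed telemetry record: a process creation or a registry value write."""
    kind: str            # "process" or "registry"
    cmdline: str = ""    # full command line for "process" events
    target: str = ""     # registry value path for "registry" events


# Command-line indicators, each mapped to a behaviour label from the sandbox report above.
# The first pattern is an assumption about the idiom behind the YARA description
# "cmd ping IP nul del": `ping <ip> -n <N> > nul & del <file>`, a delay-then-self-delete.
CMDLINE_RULES = [
    ("Ping_Del_method (ping-then-del self-delete)",
     re.compile(r"\bping(?:\.exe)?\b[^&>]*>\s*nul\b\s*&+\s*del\b", re.I)),
    ("Runs ping.exe", re.compile(r"\bping(?:\.exe)?\b", re.I)),
    ("Delays execution with timeout.exe", re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?\d+", re.I)),
    ("Kills process with taskkill", re.compile(r"\btaskkill(?:\.exe)?\b", re.I)),
    ("Runs .reg file with regedit", re.compile(r"\bregedit(?:\.exe)?\b.*\.reg\b", re.I)),
    ("Modifies system certificate store",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-addstore\b.*\broot\b", re.I)),
]

# Registry persistence: any value written under a Run/RunOnce key.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def classify(event: Event) -> list[str]:
    """Return the behaviour labels one event triggers (empty for benign records)."""
    hits: list[str] = []
    if event.kind == "process":
        hits = [label for label, pattern in CMDLINE_RULES if pattern.search(event.cmdline)]
    elif event.kind == "registry" and RUN_KEY.search(event.target):
        hits = ["Adds Run key to start application"]
    return hits


def detect(events: list[Event]) -> dict[str, list[int]]:
    """Map each triggered behaviour label to the indices of the events that fired it."""
    report: dict[str, list[int]] = {}
    for index, event in enumerate(events):
        for label in classify(event):
            report.setdefault(label, []).append(index)
    return report


def sample_events() -> list[Event]:
    """Constructed records mimicking the chain in the report; every path and name is invented."""
    tmp = r"C:\Users\victim\AppData\Local\Temp"
    return [
        Event("process", cmdline=rf'"{tmp}\keygen-step-4.exe"'),                            # 0: the sample starts
        Event("process", cmdline="cmd.exe /c timeout /t 5"),                               # 1: sandbox-evasion delay
        Event("process", cmdline="taskkill /f /im chrome.exe"),                             # 2: free browser DB locks
        Event("process", cmdline=r"regedit.exe /s C:\Users\victim\AppData\Roaming\settings.reg"),  # 3
        Event("process", cmdline=rf"certutil.exe -addstore -f root {tmp}\ca.cer"),          # 4: root certificate
        Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),  # 5
        Event("process", cmdline=rf'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "{tmp}\keygen-step-4.exe"'),  # 6
    ]


if __name__ == "__main__":
    for label, indices in sorted(detect(sample_events()).items()):
        print(f"{label:45s} events {indices}")
```

The rules are deliberately narrow: a bare `ping` hit is only noise on most hosts, while the ping-then-del pattern, a root certificate added from %temp%, and a Run value pointing at a freshly dropped file are each worth an alert on their own; correlate them by parent process when feeding real Sysmon or EDR telemetry instead of the constructed list.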

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments