MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b
SHA3-384 hash: 7e5bdae3ad83bd77fcca9cd92c4eeb0cf809d7f0f3ed3cd096ec180a9484dbfe2d99dce1e61d5ab2225a640cf737b752
SHA1 hash: 1bcf9173514ab4ea13a1ab3e2ad558291c6ded2b
MD5 hash: ad8c445fd05b715107137e34425996e0
humanhash: massachusetts-hawaii-zebra-winter
File name:ad8c445fd05b715107137e34425996e0.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:353'792 bytes
First seen:2021-05-15 10:25:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e76d9d27af2d4a5a330aabb1a41731d (1 x FickerStealer)
ssdeep 6144:G41sWl8h2ORgVhCpcuXohXgE0xyuS7f5LpivZQLIb8VR6OObvfuBs:vsWl024AhC+HaEAyuSr5sZQLIb8VRE
Threatray 624 similar samples on MalwareBazaar
TLSH 7574AE30B680C035F9B722FC49BA937CA63D7EA16B6091CB52D525FE56346E5AC30387
Reporter abuse_ch
Tags:exe FickerStealer


Avatar
abuse_ch
FickerStealer C2:
http://remmzp62.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://remmzp62.top/index.php https://threatfox.abuse.ch/ioc/42841/
http://mortlk06.top/index.php https://threatfox.abuse.ch/ioc/42842/

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ad8c445fd05b715107137e34425996e0.exe
Verdict:
Malicious activity
Analysis date:
2021-05-15 10:29:40 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/46726f38-d9ff-4831-b5c7-04c41321d27f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ficker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/157346/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/782740
Signature
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 415136 Sample: fz2pNHI3l7.exe Startdate: 15/05/2021 Architecture: WINDOWS Score: 76 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Machine Learning detection for sample 2->45 47 Country aware sample found (crashes after keyboard check) 2->47 7 fz2pNHI3l7.exe 2 2->7         started        process3 dnsIp4 37 g-clean.in 8.209.75.180, 49731, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 7->37 49 Detected unpacking (changes PE section rights) 7->49 51 Detected unpacking (overwrites its own PE header) 7->51 11 WerFault.exe 9 7->11         started        15 WerFault.exe 9 7->15         started        17 WerFault.exe 9 7->17         started        19 4 other processes 7->19 signatures5 process6 dnsIp7 39 192.168.2.1 unknown unknown 11->39 25 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 11->25 dropped 27 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->27 dropped 29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->29 dropped 31 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->31 dropped 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->33 dropped 35 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->35 dropped 21 taskkill.exe 1 19->21         started        23 conhost.exe 19->23         started        file8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 04:24:00 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vd3dxgv4c5dzlfe76pgcjghveytspcbf755xjiyejob33arfhinq._file
Verdict:
malicious
Similar samples:
2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
FickerStealer
80f4e35d825fcd2816deb95b0a2694203238b769cbf6267dcca8d10d6e1394c4
FickerStealer
8a9ed010aa3db217f81dfa4d928863eef5cac1165dab6c03258948b8ef019435
FickerStealer
8c085bb6591e5d7b0846eda3d7758a1c882be7f5bfb35210c831dc52848c6fa9
FickerStealer
ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786
FickerStealer
bd7c41dee6aba2b2d13e5ae39169242ed463a43366eec28a438f74db717d15f4
FickerStealer
d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2
FickerStealer
e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
FickerStealer
e9da1da3a4fb2050b9b17f5dbb1dd5f334f22637fc8186052d152cc631839f9b
FickerStealer
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
FickerStealer
+ 614 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210515-lm78g7jtgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8f63b9abc174795949ff3cc2498f52627278825ff7b74a3044b83bd82253a1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_Ficker
Create hunting rule
Author:ditekSHen
Description:Detects Ficker infostealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157346/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-15 11:01:02 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0045] File System Micro-objective::Copy File
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0033] Operating System Micro-objective::Console
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0040] Process Micro-objective::Allocate Thread Local Storage
15) [C0043] Process Micro-objective::Check Mutex
16) [C0042] Process Micro-objective::Create Mutex
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process