MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3cfbb058c0ecbd7da7f5bdd740fa729f7b0d9cf61f93b32750ce06745abc24c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FickerStealer

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	b3cfbb058c0ecbd7da7f5bdd740fa729f7b0d9cf61f93b32750ce06745abc24c
SHA3-384 hash:	c6f29a5116dd6b9008f71066dadd45cbf83dfa8747feab3e37a02530d31a874b26addad3e0a67c64dc62ccbd45e18726
SHA1 hash:	b9f2cac95510c1199083504e0ae57fd14bf559d5
MD5 hash:	9ada122303e6dee1c0f0171bf2e59253
humanhash:	helium-summer-saturn-north
File name:	SecuriteInfo.com.Trojan.Packed2.42600.30573.20195
Download:	download sample
Signature	FickerStealer Create hunting rule
File size:	274'184 bytes
First seen:	2020-10-30 18:11:41 UTC
Last seen:	2020-11-03 07:53:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2477ba8c2dc064f789fcbd8415a238d8 (4 x FickerStealer, 1 x CoinMiner.XMRig)
ssdeep	6144:Hx4jIZoempRlGePtMQ3TmzyaFMce5gofZsXYXGD4oF:RKI0P8sMzyUMfsXz4c
Threatray	7 similar samples on MalwareBazaar
TLSH	B644390AED429D64C87ABA3129FFE235CA305A1C401B906BEFAF6F44EA3F3505D5D146
Reporter	SecuriteInfoCom
Tags:	FickerStealer

Code Signing Certificate

Organisation:	Tramplink LLC
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Sep 18 00:00:00 2020 GMT
Valid to:	Sep 18 23:59:59 2021 GMT
Serial number:	5FB6BAE8834EDD8D3D58818EDC86D7D7
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	026868BBC22C6A37094851E0C6F372DA90A8776B01F024BADB03033706828088
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

4

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ficker

Link:

https://www.capesandbox.com/analysis/81341/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42600.30573.20195.UNOFFICIAL

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

DNS request

Sending an HTTP GET request

Creating a file

Sending a custom TCP request

Reading critical registry keys

Delayed reading of the file

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

phis.troj.spyw

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/517267

Signature

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3cfbb058c0ecbd7da7f5bdd740fa729f7b0d9cf61f93b32750ce06745abc24c/

Threat name:

Win32.Trojan.Udochka

Status:

Malicious

First seen:

2020-10-30 03:08:00 UTC

File Type:

PE (Exe)

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wph3wbmmb3f5pwt7lpoxid5hfh33bwopmh4twmtvbtqgornlyjga._file

Verdict:

unknown

Similar samples:

31799b95716aafede8ee3743c0a3976a4367f3e7ac946be7fab519a50b7dc067

3b547e3bd5f3040c824ea497f265bf355483cce29c4e059d16e04fba20325498

81476a0591455602ec96e76fd76d781dc2da872e3c1909b58bda58a1851f6099

a456769302254d2e6609a7832d93937572b7b73cca217873d7f60678414645e0

c9b2ba6f4adb6aa4bb3c15e92d6b51eaaa5c1efa14ad774be125d4d47fae7fb4

dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c

dc7f971af6d534662501decd86d0cb8d58392149a0cf06a236f6aec2490808aa

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware

Link:

https://tria.ge/reports/201030-tbhc9m8nee/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Jaik

Score:

0.40

Link:

https://yomi.yoroi.company/submissions/b3cfbb058c0ecbd7da7f5bdd740fa729f7b0d9cf61f93b32750ce06745abc24c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b3cfbb058c0ecbd7da7f5bdd740fa729f7b0d9cf61f93b32750ce06745abc24c

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/81341/

URLhaus

https://urlhaus.abuse.ch/url/769692/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample