MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4d894ec7b766058bba20651d201f6dc0ba0134653e3196ebe4634dee59adcee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4d894ec7b766058bba20651d201f6dc0ba0134653e3196ebe4634dee59adcee
SHA3-384 hash: da0b8197bb51ec34438eef1d3db869753ff4ef3ef7cab9665fb8a9c0028d562a0373c2ecc1f1d61a2acaa8704c7d430b
SHA1 hash: 8db0758745adfa8789a5c228e14915be26c05be9
MD5 hash: d1e2fe84f7a0fef291286debd3db4ed8
humanhash: carolina-quiet-echo-hotel
File name:D1E2FE84F7A0FEF291286DEBD3DB4ED8.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:402'432 bytes
First seen:2021-07-02 05:20:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 88be4c18f1a5b5e08e67d5348e0895f5 (1 x Smoke Loader, 1 x RaccoonStealer, 1 x FickerStealer)
ssdeep 6144:H2KV4HUGVUubrRcGm4wiiFCGEGh3CnF2NBldztQo7Ur47BVZzVteI:HXVqhFRcGm4wvCGE+CFGzvQoDPZz3
TLSH 41848C00E790C039F5F226F49AB99378653D7EE15B14A1CB63D52EEE5A356E0AC3031B
Reporter abuse_ch
Tags:exe FickerStealer


Avatar
abuse_ch
FickerStealer C2:
http://xeibmh42.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://xeibmh42.top/index.php https://threatfox.abuse.ch/ioc/156889/
http://mororx04.top/index.php https://threatfox.abuse.ch/ioc/156894/

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 16:06:29 UTC
Tags:
trojan loader evasion ficker stealer
Link:
https://app.any.run/tasks/ae9416bd-638d-4f39-8328-883ea93818d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169267/
Detection(s):
Win.Packed.Generickdz-9875188-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FickerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03db3de2-7d7f-4f1c-a12b-392dab0a7928
Result
Threat name:
Clipboard Hijacker Cryptbot Ficker Steal
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810906
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected Ficker Stealer
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443317 Sample: 6eAe9FdVYL.exe Startdate: 02/07/2021 Architecture: WINDOWS Score: 100 140 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->140 142 Multi AV Scanner detection for domain / URL 2->142 144 Found malware configuration 2->144 146 14 other signatures 2->146 14 6eAe9FdVYL.exe 26 2->14         started        19 SmartClock.exe 2->19         started        process3 dnsIp4 124 g-partners.top 159.65.63.164, 49723, 49724, 49726 DIGITALOCEAN-ASNUS United States 14->124 126 lopoga07.top 47.243.129.23, 49731, 49732, 49735 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 14->126 128 3 other IPs or domains 14->128 102 C:\Users\user\AppData\...\54336537367.exe, PE32 14->102 dropped 104 C:\Users\user\AppData\...\46792165070.exe, PE32 14->104 dropped 106 C:\Users\user\AppData\Local\...\null[1], PE32 14->106 dropped 108 3 other files (2 malicious) 14->108 dropped 134 Detected unpacking (changes PE section rights) 14->134 136 Detected unpacking (overwrites its own PE header) 14->136 138 May check the online IP address of the machine 14->138 21 cmd.exe 1 14->21         started        24 cmd.exe 1 14->24         started        26 cmd.exe 1 14->26         started        file5 signatures6 process7 signatures8 152 Submitted sample is a known malware sample 21->152 154 Obfuscated command line found 21->154 156 Uses ping.exe to sleep 21->156 158 Uses ping.exe to check the status of other devices and networks 21->158 28 46792165070.exe 21->28         started        31 conhost.exe 21->31         started        33 54336537367.exe 48 24->33         started        37 conhost.exe 24->37         started        39 taskkill.exe 1 26->39         started        41 conhost.exe 26->41         started        process9 dnsIp10 164 May check the online IP address of the machine 28->164 43 46792165070.exe 16 28->43         started        110 moraid05.top 178.62.84.251, 49751, 80 DIGITALOCEAN-ASNUS European Union 33->110 112 xeieib52.top 143.110.219.141, 49750, 80 COLLEGE-OF-ST-SCHOLASTICAUS United States 33->112 114 lopoga07.top 33->114 88 C:\Users\user\AppData\Local\Temp\PFITFD.exe, PE32 33->88 dropped 166 Detected unpacking (changes PE section rights) 33->166 168 Detected unpacking (overwrites its own PE header) 33->168 170 Machine Learning detection for dropped file 33->170 172 Tries to harvest and steal browser information (history, passwords, etc) 33->172 48 cmd.exe 1 33->48         started        50 cmd.exe 33->50         started        file11 signatures12 process13 dnsIp14 118 game2030.site 80.249.147.241, 49734, 49737, 80 SELECTELRU Russian Federation 43->118 120 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.136.132, 49733, 80 AMAZON-AESUS United States 43->120 122 2 other IPs or domains 43->122 100 C:\Users\user\AppData\...\1625235741774.exe, PE32 43->100 dropped 174 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 43->174 176 Tries to steal Instant Messenger accounts or passwords 43->176 178 Tries to harvest and steal browser information (history, passwords, etc) 43->178 180 Tries to harvest and steal Bitcoin Wallet information 43->180 52 1625235741774.exe 43->52         started        55 PFITFD.exe 25 48->55         started        58 conhost.exe 48->58         started        60 conhost.exe 50->60         started        62 timeout.exe 50->62         started        file15 signatures16 process17 file18 148 Multi AV Scanner detection for dropped file 52->148 92 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 55->92 dropped 94 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 55->94 dropped 96 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 55->96 dropped 98 3 other files (none is malicious) 55->98 dropped 150 Machine Learning detection for dropped file 55->150 64 vpn.exe 55->64         started        66 4.exe 55->66         started        signatures19 process20 file21 69 cmd.exe 64->69         started        90 C:\Users\user\AppData\...\SmartClock.exe, PE32 66->90 dropped 71 SmartClock.exe 66->71         started        process22 process23 73 cmd.exe 69->73         started        76 conhost.exe 69->76         started        signatures24 160 Obfuscated command line found 73->160 162 Uses ping.exe to sleep 73->162 78 PING.EXE 73->78         started        81 Accompagna.exe.com 73->81         started        83 findstr.exe 73->83         started        process25 dnsIp26 130 127.0.0.1 unknown unknown 78->130 132 192.168.2.1 unknown unknown 78->132 85 Accompagna.exe.com 81->85         started        process27 dnsIp28 116 WYEnXVSECgshKtHcubAXXu.WYEnXVSECgshKtHcubAXXu 85->116
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4d894ec7b766058bba20651d201f6dc0ba0134653e3196ebe4634dee59adcee/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-29 11:51:24 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtmjj3d3ozqfro5cazi5eapw3qf2ae2gkprrs3v6iy2n5zm23txa._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:fickerstealer family:vidar discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210702-58gvmycc3a/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
CryptBot
CryptBot Payload
Vidar
fickerstealer
Malware Config
C2 Extraction:
game2030.site:80
xeieib52.top
moraid05.top
Unpacked files
SH256 hash:
5ae7ee8f894b4acf5f4c841bc85ccd53ca04cc79a73fd84cec8ee5381ac94aff
MD5 hash:
c3931474ded1e643d4f47ad1773d4a58
SHA1 hash:
584254fe35335371cec0fbd5471322af569893f6
Link:
https://www.unpac.me/results/a1c4ef3e-cdce-4ec3-8054-23ad7db581bd/
SH256 hash:
b4d894ec7b766058bba20651d201f6dc0ba0134653e3196ebe4634dee59adcee
MD5 hash:
d1e2fe84f7a0fef291286debd3db4ed8
SHA1 hash:
8db0758745adfa8789a5c228e14915be26c05be9
Link:
https://www.unpac.me/results/a1c4ef3e-cdce-4ec3-8054-23ad7db581bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4d894ec7b766058bba20651d201f6dc0ba0134653e3196ebe4634dee59adcee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Ficker
Create hunting rule
Author:ditekSHen
Description:Detects Ficker infostealer
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169267/

Comments