MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3bc0d3a4e0a0c29dcb09ccf73f9b90d4a0972f19e2e48a63c73db90b7f6b161. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 13


Intelligence 13 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3bc0d3a4e0a0c29dcb09ccf73f9b90d4a0972f19e2e48a63c73db90b7f6b161
SHA3-384 hash: 9de91ca1cbd30313d91600821fefec2ca022949606e94bbd539f433770c2a281f3d249eec0d9394cc70d7b48e9e99a98
SHA1 hash: bc1c2daa091163b2eceaad6a05e87b322e9432ad
MD5 hash: 83f1c80dc896c5bccd92ed9e0e102d0e
humanhash: cold-alabama-north-muppet
File name:83f1c80dc896c5bccd92ed9e0e102d0e.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:299'520 bytes
First seen:2021-11-23 18:36:00 UTC
Last seen:2021-11-23 20:43:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 62f526399c5bc6ba1d2354b3cc3131f3 (2 x Gozi, 1 x FickerStealer, 1 x Smoke Loader)
ssdeep 6144:gPmp8YskyHxcune9fUGVSXuZet0yyePD35lrguR8Vz1b:gPzrM9fnVSXuZet0yyeb7guR8j
Threatray 5'633 similar samples on MalwareBazaar
TLSH T116549E00A7A0C439F5B716F899B9D3B96A3F7EA16B3890CF52D466EA06356D0DD30307
File icon (PE):PE icon
dhash icon e0f8c8e8aa66a499 (5 x RaccoonStealer, 2 x RedLineStealer, 1 x FickerStealer)
Reporter abuse_ch
Tags:exe FickerStealer


Avatar
abuse_ch
FickerStealer C2:
65.108.4.86:21391

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.108.4.86:21391 https://threatfox.abuse.ch/ioc/253393/
194.85.248.229:30260 https://threatfox.abuse.ch/ioc/253504/
185.159.80.90:38655 https://threatfox.abuse.ch/ioc/253665/

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
83f1c80dc896c5bccd92ed9e0e102d0e.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-23 18:43:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f285192-6c81-4885-9a52-7b898ae5b297

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Jaik.49513.17364.18906.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/619d3496b71ceed4152d5636/reports/2ab5ce2b-686b-410a-8dbd-4bb3666ef200/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f94bb217-22c4-49e2-9820-ba9e60503b96
Result
Threat name:
RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894964
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 527442 Sample: Fm9bT1UlKI.exe Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 89 quadoil.ru 85.143.175.153, 443, 49813, 49865 TRADERSOFTRU Russian Federation 2->89 91 microsoft-com.mail.protection.outlook.com 40.93.207.1, 25, 49811 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->91 93 185.159.80.90, 38655, 49860 HOSTING-SOLUTIONSUS Netherlands 2->93 105 Multi AV Scanner detection for domain / URL 2->105 107 Antivirus detection for URL or domain 2->107 109 Antivirus detection for dropped file 2->109 111 18 other signatures 2->111 11 Fm9bT1UlKI.exe 2->11         started        13 ejsgsra 2->13         started        16 svchost.exe 2->16         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 21 Fm9bT1UlKI.exe 11->21         started        137 Machine Learning detection for dropped file 13->137 24 ejsgsra 13->24         started        139 Changes security center settings (notifications, updates, antivirus, firewall) 16->139 95 127.0.0.1 unknown unknown 18->95 97 192.168.2.1 unknown unknown 18->97 signatures6 process7 signatures8 113 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->113 115 Maps a DLL or memory area into another process 21->115 117 Checks if the current machine is a virtual machine (disk enumeration) 21->117 119 Creates a thread in another existing process (thread injection) 21->119 26 explorer.exe 14 21->26 injected process9 dnsIp10 99 brutuilionust.com 26->99 101 amogohuigotuli.at 26->101 103 15 other IPs or domains 26->103 79 C:\Users\user\AppData\Roaming\wtsgsra, PE32 26->79 dropped 81 C:\Users\user\AppData\Roaming\ejsgsra, PE32 26->81 dropped 83 C:\Users\user\AppData\Local\Temp\F808.exe, PE32 26->83 dropped 85 6 other malicious files 26->85 dropped 129 System process connects to network (likely due to code injection or exploit) 26->129 131 Benign windows process drops PE files 26->131 133 Deletes itself after installation 26->133 135 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->135 31 F808.exe 26->31         started        34 D57.exe 2 26->34         started        37 CC3B.exe 26->37         started        39 2 other processes 26->39 file11 signatures12 process13 file14 141 Machine Learning detection for dropped file 31->141 143 Contains functionality to inject code into remote processes 31->143 145 Injects a PE file into a foreign processes 31->145 41 F808.exe 31->41         started        75 C:\Users\user\AppData\Local\...\zsnzdsd.exe, PE32 34->75 dropped 147 Detected unpacking (changes PE section rights) 34->147 149 Detected unpacking (overwrites its own PE header) 34->149 151 Uses netsh to modify the Windows network and firewall settings 34->151 153 Modifies the windows firewall 34->153 44 cmd.exe 34->44         started        47 cmd.exe 34->47         started        49 sc.exe 34->49         started        59 2 other processes 34->59 155 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->155 157 Maps a DLL or memory area into another process 37->157 165 2 other signatures 37->165 77 9a869e6c-719b-488f-b4f8-c11e51474b4d.exe, PE32 39->77 dropped 159 Antivirus detection for dropped file 39->159 161 Multi AV Scanner detection for dropped file 39->161 163 Adds a directory exclusion to Windows Defender 39->163 51 powershell.exe 39->51         started        53 9a869e6c-719b-488f-b4f8-c11e51474b4d.exe 39->53         started        55 conhost.exe 39->55         started        57 2267.exe 39->57         started        signatures15 process16 file17 121 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->121 123 Maps a DLL or memory area into another process 41->123 125 Checks if the current machine is a virtual machine (disk enumeration) 41->125 127 Creates a thread in another existing process (thread injection) 41->127 87 C:\Windows\SysWOW64\...\zsnzdsd.exe (copy), PE32 44->87 dropped 61 conhost.exe 44->61         started        63 conhost.exe 47->63         started        65 conhost.exe 49->65         started        67 conhost.exe 51->67         started        69 9a869e6c-719b-488f-b4f8-c11e51474b4d.exe 53->69         started        71 conhost.exe 59->71         started        73 conhost.exe 59->73         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3bc0d3a4e0a0c29dcb09ccf73f9b90d4a0972f19e2e48a63c73db90b7f6b161/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 18:36:07 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
30 of 44 (68.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yo6a2osobigctxfqtthxh6nzbvfas4xrtyxerjr4opnzbn7wwfqq._file
Verdict:
malicious
Similar samples:
33e40835a9c6e471ece9819aa162eab8327e17967d5952468e33ecdebad7c3b0
FickerStealer
364e6eb302ea9226c69d3efc8485f827e61bab6e2ea34fb85c8a87a604e3ed5c
FickerStealer
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
FickerStealer
47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b
FickerStealer
56b5c8eac3ee5f3d8da478b56ef2262f37f877d6a626596dbb6e1a9aec217cc5
FickerStealer
c9f18cc71c7a1fa61d43a32dfb858f9aa247324a188f8182981b853266d3b1c7
FickerStealer
d836a03e0b7eeabbc971de7d3e6fcc11bf06e13e633d11118c7429b3abb3c4ed
FickerStealer
+ 5'623 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:tofsee family:xmrig botnet:@123 botnet:badman2020 botnet:firefox backdoor discovery evasion infostealer miner persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211123-w8xn5abaam/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
XMRig Miner Payload
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
xmrig
Malware Config
C2 Extraction:
http://nalirou70.top/
http://xacokuo80.top/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
quadoil.ru
lakeflex.ru
185.159.80.90:38655
141.95.82.50:63652
194.127.179.0:42417
147.124.208.247:34932
Unpacked files
SH256 hash:
cdb9c842ba86fc328ec80226975c54c24a3ee9868cbbaab14d2b651cc80e70e6
MD5 hash:
f7ff52793660cabb5ebd2bd4b9810336
SHA1 hash:
23e6a68262b479a1ff214b09dbfe159292475a22
Link:
https://www.unpac.me/results/42e6f3d4-9b9e-472d-85a7-55ddc3102ec3/
SH256 hash:
c3bc0d3a4e0a0c29dcb09ccf73f9b90d4a0972f19e2e48a63c73db90b7f6b161
MD5 hash:
83f1c80dc896c5bccd92ed9e0e102d0e
SHA1 hash:
bc1c2daa091163b2eceaad6a05e87b322e9432ad
Link:
https://www.unpac.me/results/42e6f3d4-9b9e-472d-85a7-55ddc3102ec3/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c3bc0d3a4e0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3bc0d3a4e0a0c29dcb09ccf73f9b90d4a0972f19e2e48a63c73db90b7f6b161

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FickerStealer

Executable exe c3bc0d3a4e0a0c29dcb09ccf73f9b90d4a0972f19e2e48a63c73db90b7f6b161

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1800988/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208780/

Comments