MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfac601a1adf9bfb8f732721db2c08461e91c5766497e951e568dbb2a718f212. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FickerStealer


Vendor detections: 8



SHA256 hash: dfac601a1adf9bfb8f732721db2c08461e91c5766497e951e568dbb2a718f212
SHA3-384 hash: 16448e6dc591acb7d569bd99f704e273f0105e7a3abc9b27f6ee0205c26683f48b3646638b2f4eb025ac29c45f1bdae1
SHA1 hash: 1e095d72b9d39d7ed4bca06a766e8eb0c9b00b3d
MD5 hash: a2d07f48198ae3996d17627f4039f22c
humanhash: paris-fifteen-lemon-robin
File name: a2d07f48198ae3996d17627f4039f22c.exe
Download: download sample
Signature: FickerStealer
File size: 1'764'575 bytes
First seen: 2021-06-21 04:51:11 UTC
Last seen: 2021-06-21 05:52:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (also seen on 21 x ParallaxRAT, 20 x Gh0stRAT and 15 x NetSupport samples; an import hash shared across unrelated families points to a common installer or packer stub rather than to FickerStealer itself, so it is a weak pivot for this sample)
ssdeep: 24576:t4nXubIQGyxbPV0db26WQ7qKnCssv1Et9uGpckT52zedlq89Ws5uIzk5aM/phdOd:tqe3f6Z5C1SffPMWrQ0ZkI
TLSH: EC85C03FF268A53EC45E1B3245B39250997BBA60A81A8C1F07FC384DCF765601E3B656
Reporter: abuse_ch
Tags: exe FickerStealer


abuse_ch
FickerStealer C2:
5.252.179.111:1203

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox reference
5.252.179.111:1203   https://threatfox.abuse.ch/ioc/137861/
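The published digests and the C2 indicator above, as a small triage script. This is an added example, not MalwareBazaar or abuse.ch code: it checks that a file on disk really is the sample this entry describes (the download is only useful if all four digests match), then sweeps a firewall-style log for the listed C2 socket. The log format and log lines are constructed; the "low" tier is an assumption built from hosts the sandbox report further down this page shows being contacted, which are leads, not confirmed indicators.

```python
"""Triage helpers built from this entry's published data. Added example, not
MalwareBazaar code. Log format/lines are constructed; the 'low' tier is an
assumption drawn from sandbox-observed contacts, not confirmed indicators."""
import hashlib
import re
from dataclasses import dataclass

# Digests published on this MalwareBazaar entry (keys are hashlib algorithm names).
ENTRY = {
    "md5": "a2d07f48198ae3996d17627f4039f22c",
    "sha1": "1e095d72b9d39d7ed4bca06a766e8eb0c9b00b3d",
    "sha256": "dfac601a1adf9bfb8f732721db2c08461e91c5766497e951e568dbb2a718f212",
    "sha3_384": "16448e6dc591acb7d569bd99f704e273f0105e7a3abc9b27f6ee0205c26683f48b3646638b2f4eb025ac29c45f1bdae1",
}

# Confirmed C2 socket from the IOC table (ThreatFox reference 137861).
C2 = {("5.252.179.111", 1203)}
C2_HOSTS = {ip for ip, _ in C2}
# Hosts the sandbox run contacted, minus shared infrastructure (Google DNS,
# Microsoft ranges). Assumption: leads only; a hit needs review, not a block.
SANDBOX_CONTACTS = {"157.230.96.32", "54.226.29.2", "163.172.204.15",
                    "212.83.141.61", "144.76.17.137", "62.172.138.35"}


def digests(data: bytes) -> dict:
    """The four digests MalwareBazaar publishes, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY}


def digests_of_file(path: str) -> dict:
    """Same digests for a file, hashed in 1 MiB chunks so big samples are not read whole."""
    hashers = {name: hashlib.new(name) for name in ENTRY}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_entry(found: dict, expected: dict = ENTRY) -> bool:
    """True only when every published digest matches. One mismatch means the
    file on disk is not this sample (wrong extraction, corrupted transfer or a
    different file), so stop before analysing it."""
    return all(found.get(name, "").lower() == value for name, value in expected.items())


# Constructed firewall-style export: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>".
SAMPLE_LOG = """\
2021-06-21T05:01:12Z 10.0.0.23:51234 -> 5.252.179.111:1203 TCP
2021-06-21T05:01:13Z 10.0.0.23:51235 -> 8.8.8.8:53 UDP
2021-06-21T05:01:14Z 10.0.0.41:51236 -> 144.76.17.137:443 TCP
2021-06-21T05:01:15Z 10.0.0.23:51237 -> 5.252.179.111:443 TCP
this line is not in the expected format and must be skipped
"""
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    confidence: str  # high: listed C2 socket; medium: C2 host, other port; low: sandbox contact


def sweep(log_text: str) -> list:
    """Match each parsable line against the indicator tiers; unparsable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in C2:
            level = "high"
        elif dst in C2_HOSTS:
            level = "medium"
        elif dst in SANDBOX_CONTACTS:
            level = "low"
        else:
            continue
        hits.append(Hit(m["ts"], m["src"], dst, dport, level))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"{hit.confidence:6} {hit.ts} {hit.src} -> {hit.dst}:{hit.dport}")
```

The tiers are deliberate: the ThreatFox entry names a socket, not a host, so the same address on another port is worth a look but is not the same evidence, and the sandbox-observed hosts include a Hetzner box and two CDN-looking addresses that may be shared hosting.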

Intelligence


File Origin
# of uploads: 2
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a2d07f48198ae3996d17627f4039f22c.exe
Verdict: Malicious activity
Analysis date: 2021-06-21 04:54:10 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 46 / 100
Signature
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Logon Scripts (UserInitMprLogonScript)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
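The host-side signatures above (the UserInitMprLogonScript logon script that the Sigma match flags, ping.exe used as a sleep and as a host probe, and the Win32_Bios / Win32_BaseBoard WMI queries) as detection logic run over constructed Sysmon-style process-creation (Event ID 1) and registry-value (Event ID 13) events. This is an added example, not a sandbox signature or the Sigma rule file itself. The event shapes, paths and command lines are constructed to resemble what the report describes; the exact reg.exe invocation is an assumption, since the page does not show the command line, only that reg.exe created the autostart value.

```python
"""Detections for the sandbox signatures listed on this page, over constructed
Sysmon-style events. Added example, not a vendor rule set; every event below
is constructed and the reg.exe command line is an assumption."""
import re

# UserInitMprLogonScript lives under HKCU\Environment and is executed by
# userinit.exe at logon, which is why it is called an undocumented autostart.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\is-ABC.tmp\setup_0.tmp",
     "cmd": r'cmd.exe /c reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "C:\Users\user\AppData\Roaming\upd.cmd" /f'},
    {"id": 1, "image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "C:\Users\user\AppData\Roaming\upd.cmd" /f'},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript"},
    {"id": 1, "image": r"C:\Windows\System32\PING.EXE", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "ping -n 15 127.0.0.1"},
    {"id": 1, "image": r"C:\Windows\System32\PING.EXE", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "ping -n 1 10.0.0.5"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": "wmic path Win32_BaseBoard get SerialNumber"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"notepad.exe C:\Users\user\notes.txt"},  # benign control event
]

LOOPBACK = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}
PING_COUNT = re.compile(r"-n\s+(?P<count>\d+)", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ping_target(cmd: str) -> str:
    """First argument that is neither a switch, a switch value nor a redirection."""
    args = [t for t in cmd.split()[1:]
            if not t.startswith("-") and not t.isdigit() and t not in (">", "nul")]
    return args[0].lower() if args else ""


def rule_logon_script(ev: dict) -> bool:
    """Sigma 'Logon Scripts (UserInitMprLogonScript)': the value name in a
    process command line or as the target of a registry write."""
    haystack = ev.get("cmd", "") + " " + ev.get("target", "")
    return "userinitmprlogonscript" in haystack.lower()


def rule_ping_sleep(ev: dict) -> bool:
    """ping.exe as a delay: loopback target with a repeat count above one
    (each extra echo adds roughly a second)."""
    if ev["id"] != 1 or _basename(ev["image"]) != "ping.exe":
        return False
    m = PING_COUNT.search(ev["cmd"])
    return bool(m) and int(m["count"]) > 1 and _ping_target(ev["cmd"]) in LOOPBACK


def rule_ping_probe(ev: dict) -> bool:
    """ping.exe against a non-loopback host, spawned from a script host."""
    if ev["id"] != 1 or _basename(ev["image"]) != "ping.exe":
        return False
    return _ping_target(ev["cmd"]) not in LOOPBACK and _basename(ev.get("parent", "")) == "cmd.exe"


def rule_wmi_hw_query(ev: dict) -> bool:
    """Win32_Bios / Win32_BaseBoard queries: serial and vendor strings give away VMs."""
    return ev["id"] == 1 and re.search(r"win32_(bios|baseboard)", ev["cmd"], re.I) is not None


RULES = {
    "Logon Scripts (UserInitMprLogonScript)": rule_logon_script,
    "Uses ping.exe to sleep": rule_ping_sleep,
    "Uses ping.exe to check other hosts": rule_ping_probe,
    "Queries sensitive BIOS information via WMI": rule_wmi_hw_query,
}


def detect(events: list) -> list:
    """(rule name, event index) pairs; one event may trigger several rules."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, i in detect(EVENTS):
        print(f"{name}: event {i}: {EVENTS[i].get('cmd', EVENTS[i].get('target'))}")
```

The logon-script rule fires three times for one persistence action (the cmd.exe parent, the reg.exe child and the registry write) because the same string is visible in all three telemetry sources; in production you would correlate them into one alert rather than suppress any, since each source survives a different evasion (a direct RegSetValueEx call leaves no reg.exe command line, but still produces the Event ID 13).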
Behaviour
Behavior Graph ID: 437460
Sample: vFBFs0AFN3.exe
Start date: 21/06/2021
Architecture: WINDOWS
Score: 46
Sample-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Logon Scripts (UserInitMprLogonScript)

Process tree reconstructed from the behaviour graph (graph node numbers in brackets; dropped files and contacted hosts are listed under the process that produced them; hosts are given as IP (AS name, country code; geolocated country)):

[2] start (sample submitted as vFBFs0AFN3.exe)
  [11] vFBFs0AFN3.exe
    dropped: C:\Users\user\AppData\...\vFBFs0AFN3.tmp (PE32)
    [22] vFBFs0AFN3.tmp
      contacted: 144.76.17.137 (HETZNER-AS, DE; Germany); 8.8.8.8 (GOOGLE, US; United States); 4 other IPs or domains
      dropped: C:\Users\user\AppData\Local\...\setup_0.exe (PE32); C:\Users\user\AppData\Local\...\setup_3.exe (PE32); C:\Users\user\AppData\Local\...\setup_2.exe (PE32); 2 other files (none is malicious)
      [34] setup_0.exe
        dropped: C:\Users\user\AppData\Local\...\setup_0.tmp (PE32)
        [41] setup_0.tmp
          dropped: C:\Users\user\AppData\...\vdi_compiler.exe (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 6 other files (none is malicious)
          signature: Obfuscated command line found
          [47] vdi_compiler.exe
            signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
            [57] cmd.exe
              signature: Uses ping.exe to sleep
              [73] conhost.exe
              [75] PING.EXE
          [50] cmd.exe
            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
            [60] expand.exe
              dropped: C:\...\a12809142638ea428051e73ceb94929d.tmp (PE32); C:\...\8058e93b6b5c0845b8ed235d1f161735.tmp (PE32); C:\...\7ca75394ec0e51498be61ffa3d58882f.tmp (PE32); 5 other files (none is malicious)
            [63] conhost.exe
          [52] cmd.exe
            [65] reg.exe
              signature: Creates an undocumented autostart registry key
            [67] conhost.exe
          [54] 2 other processes
            contacted: 5.252.179.111 (MIVOCLOUD, MD; Moldova, Republic of); 62.172.138.35 (BT, GB; United Kingdom)
            [69] iexplore.exe
              [77] iexplore.exe
                contacted: 20.190.160.74 (MICROSOFT-CORP-MSN-AS-BLOCK, US; United States); 204.79.197.200 (MICROSOFT-CORP-MSN-AS-BLOCK, US; United States); 2 other IPs or domains
            [71] conhost.exe
      [37] setup_2.exe
        dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\...\AdvancedWindowsManager.exe (PE32+); 4 other files (none is malicious)
        [45] msiexec.exe
  [14] msiexec.exe
    dropped: C:\Users\user\AppData\Local\...\shi7EE9.tmp (PE32); C:\Users\user\AppData\Local\...\shi7E5B.tmp (PE32)
    signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Opens network shares
  [17] msiexec.exe
    contacted: 157.230.96.32 (DIGITALOCEAN-ASN, US; United States); 54.226.29.2 (AMAZON-AES, US; United States)
    dropped: C:\Users\user\AppData\Local\...\shi9530.tmp (PE32); C:\Users\user\AppData\Local\...\shi94A2.tmp (PE32)
    [26] taskkill.exe
      [39] conhost.exe
  [20] 6 other processes
    contacted: 163.172.204.15 (OnlineSAS, FR; United Kingdom); 212.83.141.61 (OnlineSAS, FR; France); 6 other IPs or domains
    [28] conhost.exe
    [30] conhost.exe
    [32] conhost.exe

Note that the listed C2 5.252.179.111 appears only under node [54] ("2 other processes"), i.e. the stealer payload itself, several drop stages below the submitted installer.
Threat name: Win32.Downloader.Inlog
Status: Malicious
First seen: 2021-06-20 00:10:42 UTC
AV detection: 10 of 29 (34.48%)
Threat level: 3/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: bcf3a7bb9e43d1ce998f7cec69ff945eb6f3c77c0bee7e58e0715d62298ef414
MD5 hash: 800c9a7cca4bafa96739bac99d6b3649
SHA1 hash: 3c497701f8829b95f31e36eb33f3b00a2d13e0fc

SHA256 hash: dfac601a1adf9bfb8f732721db2c08461e91c5766497e951e568dbb2a718f212
MD5 hash: a2d07f48198ae3996d17627f4039f22c
SHA1 hash: 1e095d72b9d39d7ed4bca06a766e8eb0c9b00b3d
(The third set of hashes is the submitted sample itself; only the first two are additional payloads extracted from it.)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments