MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
SHA3-384 hash: c56c1ca088d3323d2c330b1bdbb6e62f22826f510ddc15d7dd837673bfbf5d97efb2ff48f3e2460be3876fcc054bf6ad
SHA1 hash: e4690b831ca8ca12ee09a06387040f2699d51ad0
MD5 hash: 616ab8e5638bd8deca55efecd78f93c2
humanhash: emma-arkansas-bulldog-spaghetti
File name:e15820902d036f76c33cd6e8b2efdf4aed6e43a434680.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:8'192 bytes
First seen:2021-03-25 03:46:51 UTC
Last seen:2021-03-25 05:44:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 96:aiP4DkFFCulazMI27XlqWgzJ47SDrG4++64c1OP9tqtA9DW1LV9QhzNt:ngIC+L71Ji47gd+h4+OPPqi9DW1LVWj
Threatray 228 similar samples on MalwareBazaar
TLSH C7F1C814F3D88536F9FB0A76AC6382915334BB46DC93DB9E15C8618BAE2271409B2332
Reporter abuse_ch
Tags:exe FickerStealer


Avatar
abuse_ch
FickerStealer C2:
http://ciaociaoline.com/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ciaociaoline.com/ https://threatfox.abuse.ch/ioc/5151/

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
U3HJIoUqyyn166m6GAmyxeMw.exe
Verdict:
Malicious activity
Analysis date:
2021-03-24 17:22:15 UTC
Tags:
evasion opendir loader trojan stealer rat redline
Link:
https://app.any.run/tasks/f17cd994-1f25-4cce-b936-13db21dfba95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoader38.9663.23860.14289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75903850-1723-4a50-9027-c03f1a53940e
Result
Threat name:
Ficker Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/653297
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Ficker Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 375590 Sample: e15820902d036f76c33cd6e8b2e... Startdate: 25/03/2021 Architecture: WINDOWS Score: 100 128 lukkeze.space 2->128 130 hSYCPCvcEgidFAWdNhqmCquLJMCTO.hSYCPCvcEgidFAWdNhqmCquLJMCTO 2->130 132 12 other IPs or domains 2->132 154 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->154 156 Multi AV Scanner detection for domain / URL 2->156 158 Antivirus detection for URL or domain 2->158 160 8 other signatures 2->160 9 e15820902d036f76c33cd6e8b2efdf4aed6e43a434680.exe 22 11 2->9         started        14 kCf7jPUKcENx2qpLngghZmeM.exe 2->14         started        signatures3 process4 dnsIp5 134 whatitis.site 193.38.55.33, 49683, 49685, 49688 SERVERIUS-ASNL Russian Federation 9->134 136 hacking101.net 64.120.89.238, 49682, 80 LEASEWEB-APAC-HKG-10LeasewebAsiaPacificpteltdHK Singapore 9->136 138 2 other IPs or domains 9->138 94 C:\Users\...\wo3QafeZuTX0I5hgIU9vVLVO.exe, PE32 9->94 dropped 96 C:\Users\...\ntJF09PaASdPN8ZyEO1TfOH7.exe, PE32 9->96 dropped 98 C:\Users\...\n1TCs9dVxggUVB8CvlPq1Z8t.exe, PE32 9->98 dropped 102 5 other malicious files 9->102 dropped 176 Drops PE files to the document folder of the user 9->176 178 Creates multiple autostart registry keys 9->178 16 kCf7jPUKcENx2qpLngghZmeM.exe 15 9->16         started        21 N0Dcu2aK7ofJBUNuETfDvjKK.exe 9->21         started        23 wo3QafeZuTX0I5hgIU9vVLVO.exe 28 9->23         started        31 5 other processes 9->31 100 C:\Users\user\Documents\nigger.exe, PE32 14->100 dropped 25 nigger.exe 14->25         started        27 conhost.exe 14->27         started        29 kCf7jPUKcENx2qpLngghZmeM.exe 14->29         started        file6 signatures7 process8 dnsIp9 104 whatitis.site 16->104 64 C:\Users\user\Desktop\nigger.exe, PE32 16->64 dropped 66 C:\Users\user\AppData\Local\...\mixinte[1], PE32 16->66 dropped 140 Drops PE files to the document folder of the user 16->140 142 Contains functionality to inject code into remote processes 16->142 33 nigger.exe 16->33         started        38 kCf7jPUKcENx2qpLngghZmeM.exe 16->38         started        40 conhost.exe 16->40         started        144 Detected unpacking (changes PE section rights) 21->144 146 Detected unpacking (overwrites its own PE header) 21->146 148 May check the online IP address of the machine 21->148 42 N0Dcu2aK7ofJBUNuETfDvjKK.exe 21->42         started        106 gclean.in 23->106 108 iplogger.org 88.99.66.31 HETZNER-ASDE Germany 23->108 110 akwer03.top 23->110 68 C:\Users\user\AppData\...\84460856411.exe, PE32 23->68 dropped 70 C:\Users\user\AppData\...\44282623471.exe, PE32 23->70 dropped 76 4 other files (3 malicious) 23->76 dropped 44 WerFault.exe 23->44         started        112 gclean.in 25->112 78 2 other files (1 malicious) 25->78 dropped 114 gclean.in 31->114 116 3 other IPs or domains 31->116 72 C:\Users\user\AppData\...\26402504402.exe, PE32 31->72 dropped 74 C:\Users\user\AppData\Local\...\file[1].exe, PE32 31->74 dropped 80 2 other files (1 malicious) 31->80 dropped 150 Machine Learning detection for dropped file 31->150 152 Contains functionality to register a low level keyboard hook 31->152 46 nigger.exe 31->46         started        48 aG6tT3PqzAiyMMVgA6xBNeTR.exe 31->48         started        50 cmd.exe 31->50         started        52 6 other processes 31->52 file10 signatures11 process12 dnsIp13 118 gclean.in 33->118 82 C:\Users\user\AppData\...\78980300460.exe, PE32 33->82 dropped 84 C:\Users\user\AppData\Local\...\null[1], PE32 33->84 dropped 86 C:\Users\user\AppData\Local\...\null[1], PE32 33->86 dropped 162 Detected unpacking (changes PE section rights) 33->162 164 Detected unpacking (overwrites its own PE header) 33->164 166 Machine Learning detection for dropped file 33->166 54 WerFault.exe 38->54         started        120 lukkeze.space 62.113.117.9, 49687, 49701, 80 VDSINA-ASRU Russian Federation 42->120 122 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.83.248, 49686, 80 AMAZON-AESUS United States 42->122 126 2 other IPs or domains 42->126 168 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->168 170 Tries to steal Instant Messenger accounts or passwords 42->170 172 Tries to harvest and steal browser information (history, passwords, etc) 42->172 174 Tries to harvest and steal Bitcoin Wallet information 42->174 124 gclean.in 46->124 88 C:\Users\user\AppData\...\64464910406.exe, PE32 46->88 dropped 90 C:\Users\user\AppData\Local\...\null[2], PE32 46->90 dropped 92 C:\Users\user\AppData\Local\...\null[2], PE32 46->92 dropped 56 WerFault.exe 48->56         started        58 conhost.exe 50->58         started        60 conhost.exe 52->60         started        62 conhost.exe 52->62         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 14:03:05 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fmcbebnanxxnqz423ulf367jlww4q5egruagifkpk5b77fc5qlq._file
Verdict:
malicious
Similar samples:
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
FickerStealer
3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
FickerStealer
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
FickerStealer
7c902b5da243bec90b83e4d68e4e8c097d1e36e9d9508c5095023f801440d977
FickerStealer
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
FickerStealer
941d3312f126a5104966af87ce58d9be63bbaf63216723508d9dd2d2f241fea7
FickerStealer
b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae
FickerStealer
cca1a1f85ee5c99d124bd9df98342eae40343b8757838bb7f1e1385fe8b836d8
FickerStealer
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
FickerStealer
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
FickerStealer
+ 218 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery persistence spyware stealer
Link:
https://tria.ge/reports/210325-nfvxcwmpc6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Unpacked files
SH256 hash:
e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
MD5 hash:
616ab8e5638bd8deca55efecd78f93c2
SHA1 hash:
e4690b831ca8ca12ee09a06387040f2699d51ad0
Link:
https://www.unpac.me/results/088cc7fd-7a88-4b33-88ad-027340aef7ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a paste
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments