MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2b766a5e694e0fd5756ef168bbd5b436f1baba2e8b74c356dbd6f0e63184bdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FickerStealer

Vendor detections: 11

SHA256 hash: e2b766a5e694e0fd5756ef168bbd5b436f1baba2e8b74c356dbd6f0e63184bdd
SHA3-384 hash: 1a4d7bdb8092fbdd658c7edfb5ee16ae12c478f404c13fbe66001f7ccf513d6c5796879ddc7dcf8c2bc9f29151f3f69a
SHA1 hash: 5381f5f1c201316bfded47f6ec24a02888c2b629
MD5 hash: 00bffd00fa0b7b0a5e923f3e2978cab3
humanhash: wolfram-summer-hawaii-helium
File name: tyxCV1ouryr7.bin
Signature: FickerStealer
File size: 107'520 bytes
First seen: 2021-02-03 02:22:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 3072:hnKgL3ii5NCdMPojfJEGcLIFQsBJLZ1/u:hPDDCeQjf1W0LZ1
Threatray: 293 similar samples on MalwareBazaar
TLSH: 0CB3292429FA601AF173EFB95FE4B9DBDA6FB3633703645D105003864A23A81DED2539
Reporter: vm001cn
Tags: FickerStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 136
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: tyxCV1ouryr7.exe
Verdict: Malicious activity
Analysis date: 2021-02-02 21:45:41 UTC
Tags: evasion trojan ficker stealer copperstealer copper

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine
Detection: malicious
Classification: phis.bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Connects to a URL shortener service
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Registers a new ROOT certificate
Sample or dropped binary is a compiled AutoHotkey binary
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Backdoor.Crysan
Status: Malicious
First seen: 2021-02-03 02:22:07 UTC
AV detection: 21 of 45 (46.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:djvu family:metasploit family:plugx family:raccoon family:smokeloader family:tofsee backdoor bootkit discovery evasion macro persistence ransomware spyware stealer trojan xlm
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Control Panel
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Creates new service(s)
Disables Task Manager via registry modification
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Suspicious Office macro
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Tofsee
Windows security bypass
Deletes Windows Defender Definitions
Djvu Ransomware
MetaSploit
PlugX
Raccoon
SmokeLoader
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 92482b3fec778a6d7bc75fc8af424fb56246a3003a266d5de0079772932b93a6
MD5 hash: 86d5a4be31ba723920ff087a88dd0a89
SHA1 hash: 25518f028f089e3c5940cbae01888888da92fec0
SHA256 hash: e2b766a5e694e0fd5756ef168bbd5b436f1baba2e8b74c356dbd6f0e63184bdd
MD5 hash: 00bffd00fa0b7b0a5e923f3e2978cab3
SHA1 hash: 5381f5f1c201316bfded47f6ec24a02888c2b629
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments