MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df
SHA3-384 hash: 912f946ca4dc5fd745f486855193f7c3c06547ec481dcd39868d4e1365a875d98667ceb21e0b77368bfa9e120bf0b843
SHA1 hash: 43579cd61f557c0582b85c92f3b6b612afe3dfb7
MD5 hash: 2928d8f4bb8f83c7bc265b459c7647b8
humanhash: quiet-mars-item-tennis
File name:2928d8f4bb8f83c7bc265b459c7647b8.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:811'792 bytes
First seen:2021-02-12 08:38:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 026cf4546ef25ed562257a6f87c8e6cf (11 x Conti, 5 x BazaLoader, 1 x TrickBot)
ssdeep 24576:CjFDORvv33uXTxdd8q815j+eiyESoe3lMXwtr6mzw6BX:Mmzw6R
Threatray 67 similar samples on MalwareBazaar
TLSH 0005BE23AA11B438F3B540F65AFA647F981A583153091AF378E7A065F1203E5BFF5C62
Reporter abuse_ch
Tags:exe FickerStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
32_64_ver_2_bit.exe
Verdict:
Malicious activity
Analysis date:
2021-02-09 20:51:58 UTC
Tags:
trojan amadey evasion ficker stealer
Link:
https://app.any.run/tasks/a3c7bf21-0757-4dd0-94d9-97d3406a9079

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116890/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36319031.25667.5103.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
DNS request
Launching a process
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Reading critical registry keys
Creating a window
Delayed reading of the file
Sending a UDP request
Connection attempt
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey Ficker Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/606593
Signature
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadey\'s stealer DLL
Yara detected Ficker Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 352328 Sample: 7G5RoevPnu.exe Startdate: 12/02/2021 Architecture: WINDOWS Score: 100 74 nagano-19599.herokussl.com 2->74 76 elb097307-934924932.us-east-1.elb.amazonaws.com 2->76 78 api.ipify.org 2->78 118 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->118 120 Multi AV Scanner detection for domain / URL 2->120 122 Antivirus detection for dropped file 2->122 124 12 other signatures 2->124 11 7G5RoevPnu.exe 2->11         started        14 118fik1crbiz.exe 2->14         started        16 118fir2crtg.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 signatures5 162 Detected unpacking (changes PE section rights) 11->162 164 Detected unpacking (overwrites its own PE header) 11->164 166 Contains functionality to inject code into remote processes 11->166 20 7G5RoevPnu.exe 4 11->20         started        168 Injects a PE file into a foreign processes 14->168 23 118fik1crbiz.exe 14->23         started        27 118fir2crtg.exe 16->27         started        29 118fik1crbiz.exe 18->29         started        31 118fir2crtg.exe 18->31         started        process6 dnsIp7 64 C:\ProgramData\50a53a0901\rween.exe, PE32 20->64 dropped 33 rween.exe 20->33         started        92 23.21.126.66, 49885, 80 AMAZON-AESUS United States 23->92 94 nagano-19599.herokussl.com 23->94 100 2 other IPs or domains 23->100 136 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->136 138 Tries to steal Instant Messenger accounts or passwords 23->138 140 Tries to harvest and steal browser information (history, passwords, etc) 23->140 96 54.235.83.248, 49770, 80 AMAZON-AESUS United States 27->96 98 nagano-19599.herokussl.com 27->98 102 2 other IPs or domains 27->102 142 Tries to harvest and steal Bitcoin Wallet information 27->142 file8 signatures9 process10 signatures11 110 Multi AV Scanner detection for dropped file 33->110 112 Detected unpacking (changes PE section rights) 33->112 114 Detected unpacking (overwrites its own PE header) 33->114 116 2 other signatures 33->116 36 rween.exe 28 33->36         started        process12 dnsIp13 86 moneypotlol.com 8.208.100.129, 49724, 49725, 49734 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 36->86 88 cdn.discordapp.com 162.159.129.233, 443, 49727, 49728 CLOUDFLARENETUS United States 36->88 90 192.168.2.1 unknown unknown 36->90 66 C:\Users\user\AppData\...\118fir2crtg.exe, PE32 36->66 dropped 68 C:\Users\user\AppData\...\118fik1crbiz.exe, PE32 36->68 dropped 70 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 36->70 dropped 72 5 other malicious files 36->72 dropped 40 118fik1crbiz.exe 36->40         started        43 rundll32.exe 36->43         started        46 118fir2crtg.exe 36->46         started        48 4 other processes 36->48 file14 process15 dnsIp16 144 Detected unpacking (changes PE section rights) 40->144 146 Detected unpacking (overwrites its own PE header) 40->146 148 Machine Learning detection for dropped file 40->148 150 Injects a PE file into a foreign processes 40->150 50 118fik1crbiz.exe 15 40->50         started        104 192.168.2.3, 443, 49342, 49361 unknown unknown 43->104 106 moneypotlol.com 43->106 152 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 43->152 154 Tries to steal Instant Messenger accounts or passwords 43->154 156 Tries to steal Mail credentials (via file access) 43->156 158 Tries to harvest and steal ftp login credentials 43->158 54 118fir2crtg.exe 46->54         started        108 moneypotlol.com 48->108 160 System process connects to network (likely due to code injection or exploit) 48->160 56 reg.exe 1 48->56         started        58 conhost.exe 48->58         started        60 conhost.exe 48->60         started        62 conhost.exe 48->62         started        signatures17 process18 dnsIp19 80 86.107.197.118, 49741, 49743, 49772 MOD-EUNL Romania 50->80 82 elb097307-934924932.us-east-1.elb.amazonaws.com 50.19.96.218, 49740, 80 AMAZON-AESUS United States 50->82 84 2 other IPs or domains 50->84 126 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 50->126 128 Tries to steal Instant Messenger accounts or passwords 50->128 130 Tries to harvest and steal browser information (history, passwords, etc) 50->130 132 Tries to harvest and steal Bitcoin Wallet information 50->132 134 Creates an undocumented autostart registry key 56->134 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 14:26:14 UTC
AV detection:
32 of 47 (68.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5cig3363tnvwmshs2ojurvfskdmatsyp4pktw4fm4sv6ecina3pq._file
Verdict:
malicious
Similar samples:
3165b8d9ba511ac3f03f759a1cd159f268bbe7600eb9949cfd60142acecb25eb
FickerStealer
5134951dfe74a2803ae255e7ba55e765fb16b1f212ecaa957aa612e304423ecd
FickerStealer
793d134cdb4bcba47e1f678d052c4d7747b93ea4199714efb8b614321b58dca7
FickerStealer
7cf248bdae62a6ff5bbc41566eba5c85b3eaf6f5b22cdf46e56d2cb63a69ccba
FickerStealer
8dabac2e9e7f3d5535d5913b8c52f5210013f5de6fa362bab4f893385c69c39f
FickerStealer
94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1
FickerStealer
e5c312e69b5ab774e0735fd31f97841364bac992ce084c530e6eaae44b9fa5c2
FickerStealer
ecf30574d0f05ecb1294f7579bc4c35b0ec9df921c0a15ec50b585994b98d14d
FickerStealer
ee60159a403a0f52899c4b736d4a81cf8a73412e1deb6ffbe06be9e1ca221b82
FickerStealer
fbd4d497f7eb0a43abc98382f843872f75173d8fdb8f06799198b0e1164c0e95
FickerStealer
+ 57 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey discovery spyware trojan
Link:
https://tria.ge/reports/210212-xltknxwp36/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Amadey
Unpacked files
SH256 hash:
56909bde913738eb3b677ce14e82620dc7a49ac449d7b954bee3ea416ee9af61
MD5 hash:
e9ef6ab27d52732939b3f60a59eb1646
SHA1 hash:
9525c7b20ea0b448c9438e049f1977cbfbee6b3a
Link:
https://www.unpac.me/results/05db06b9-3b5e-4266-9237-a19dfbc059a6/
SH256 hash:
e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df
MD5 hash:
2928d8f4bb8f83c7bc265b459c7647b8
SHA1 hash:
43579cd61f557c0582b85c92f3b6b612afe3dfb7
Link:
https://www.unpac.me/results/05db06b9-3b5e-4266-9237-a19dfbc059a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8906defdb9b6b6648f2d39348d4b250d809cb0fe3d53b70ace4abe2090d06df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/116890/

Comments