MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3
SHA3-384 hash:	35f013da84747f6d0dfbaf0a9f02efc5477a5457f9d1ec3a45470b7ea6a6ef34f22658511fc3ee00ef42b078d3519d49
SHA1 hash:	10b43504bef3b004ade71f99784b3bde4e324e8d
MD5 hash:	c4384a44c4f624cfb9b52fbf8116b786
humanhash:	freddie-speaker-minnesota-shade
File name:	6729001591617_1.bin
Download:	download sample
File size:	247'296 bytes
First seen:	2021-01-28 11:55:25 UTC
Last seen:	2021-01-28 13:58:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61dcf3f3f2df075558084e69dd8649b1
ssdeep	6144:t4ED8BJLtyIDLkyofnXGxc1O3V3CbAZn:t4EDcJJyOv2gc1O3VybA
Threatray	33 similar samples on MalwareBazaar
TLSH	29346A1136F1C476E3F36A368931C7B45E7BB8726836958F6AC40B790F25AC29E1131B
Reporter	JAMESWT_WT

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FickerStealer.exe

Verdict:

Malicious activity

Analysis date:

2021-01-28 10:53:05 UTC

Tags:

evasion trojan ficker stealer

Link:

https://app.any.run/tasks/f4fed4a9-48b2-44e0-8d23-b174f4f04854

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/114218/

Detection(s):

SecuriteInfo.com.Variant.Midie.78691.5484.27728.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/592822

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disables Windows Defender (via service or powershell)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Removes signatures from Windows Defender

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-01-28 11:56:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Verdict:

malicious

076dfc0a55afc36cdfd6dff84cfd0feae23029843e745b7f122980b341f7b710

385d985b4b30f4e6abe301be1d8d91582a6f8bb9d73f8753721c8f48a1250abb

3ae3550b6baf30136ce9b846725c3322f23ee8428c2984750a2cfe02843993e9

5ee56cc6b8fc9118909aa63bb763c0b3cf8a4c6ea45dfae9fad092cacb61a4cd

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

83946c44e144416c6c321a02db9482c7de37073f1a1814a5525504794af402bc

90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14

9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b

f5e4f8cf4a6691806c1fa4f0718cae9d5ff5ad41088b57a4cbcdabed09dcba2e

+ 23 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion ransomware trojan

Link:

https://tria.ge/reports/210128-e38pntdv4j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Modifies Windows Firewall

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

Modifies security service

Unpacked files

SH256 hash:

e247a221014fd4a925cafdec6bafcddee98401cea6456abcce2854d593bcc406

MD5 hash:

99374aeeb9dc3fb49b2e41d85bdb0aa1

SHA1 hash:

85046c1f05a40ba11a4e2414a37b9175149c64f8

Link:

https://www.unpac.me/results/51643ea8-8f26-49a2-bb12-fa51238f2f66/

SH256 hash:

ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3

MD5 hash:

c4384a44c4f624cfb9b52fbf8116b786

SHA1 hash:

10b43504bef3b004ade71f99784b3bde4e324e8d

Link:

https://www.unpac.me/results/51643ea8-8f26-49a2-bb12-fa51238f2f66/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/JAMESWT_MHT/status/1354745815458308100?s=20

Cape

https://www.capesandbox.com/analysis/114218/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample