MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1be37a12486b79888a0e17aaa2c8430c2a11eb224483c60d21a36a46bb4ccfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 7


Maldoc score: 11


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1be37a12486b79888a0e17aaa2c8430c2a11eb224483c60d21a36a46bb4ccfb
SHA3-384 hash: 815a9408aad0b80cfe0391a94bc9ae0b56d5b2d01ffe6cb3cff77f9c1a8f97aa3150b211a6532a7612a997a4259d77c4
SHA1 hash: 26975ec1eb975af90ffeb149f1eeaa9c5911a43f
MD5 hash: e4da712966aafc609ffa18be7d2b7cc6
humanhash: glucose-maine-zulu-potato
File name:Response_to_Motion_to_Vacate.doc
Download: download sample
Signature FickerStealer
Create hunting rule
File size:636'416 bytes
First seen:2020-11-23 16:23:13 UTC
Last seen:2020-11-25 16:36:53 UTC
File type:Word file doc
MIME type:application/msword
ssdeep 12288:ouE0gXPByyt4+DSpl9maf9wV2yeYsazBVBkT+Ij5:ou3gXPQ246Spl9cVV5/9bu+y
TLSH E0D4E113B795CC33D0679B346EA6C6A57B3DBC019E24A1DF31853B4E2F722A19A21707
Reporter ffforward
Tags:doc FickerStealer Hancitor

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 11
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 35 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2280 bytesDocumentSummaryInformation
3436 bytesSummaryInformation
48420 bytes1Table
5129481 bytesData
6630 bytesMacros/PROJECT
7143 bytesMacros/PROJECTwm
897 bytesMacros/UserForm1/CompObj
9296 bytesMacros/UserForm1/VBFrame
10127 bytesMacros/UserForm1/f
11144 bytesMacros/UserForm1/o
123718 bytesMacros/VBA/Module1
135077 bytesMacros/VBA/Module2
142049 bytesMacros/VBA/Module4
153537 bytesMacros/VBA/ThisDocument
161454 bytesMacros/VBA/UserForm1
175068 bytesMacros/VBA/_VBA_PROJECT
184838 bytesMacros/VBA/__SRP_0
19390 bytesMacros/VBA/__SRP_1
201406 bytesMacros/VBA/__SRP_2
21156 bytesMacros/VBA/__SRP_3
222072 bytesMacros/VBA/__SRP_4
23220 bytesMacros/VBA/__SRP_5
24614 bytesMacros/VBA/__SRP_6
25106 bytesMacros/VBA/__SRP_7
261994 bytesMacros/VBA/__SRP_8
27270 bytesMacros/VBA/__SRP_9
28596 bytesMacros/VBA/__SRP_a
29170 bytesMacros/VBA/__SRP_b
301028 bytesMacros/VBA/dir
3176 bytesObjectPool/_1667604229/CompObj
32437174 bytesObjectPool/_1667604229/Ole10Native
334968 bytesObjectPool/_1667604229/EPRINT
346 bytesObjectPool/_1667604229/ObjInfo
354096 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAutoOpenRuns when the Word document is opened
IOCW0rd.dllExecutable file name
IOC32.exeExecutable file name
SuspiciousShellMay run an executable file or a system command
SuspiciousShellExecuteMay run an executable file or a system command
SuspiciousShell32May run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
4
# of downloads :
565
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Moving a file to the %AppData% subdirectory
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Launching a process
Creating a file
Sending a custom TCP request
Reading critical registry keys
Launching a service
Stealing user critical data
Launching a process by exploiting the app vulnerability
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Hancitor
Create hunting rule
Detection:
malicious
Classification:
expl.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545362
Signature
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected Hancitor
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321773 Sample: Response_to_Motion_to_Vacate.doc Startdate: 23/11/2020 Architecture: WINDOWS Score: 100 35 Multi AV Scanner detection for domain / URL 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 10 other signatures 2->41 7 WINWORD.EXE 169 53 2->7         started        process3 file4 21 C:\Users\user\AppData\Local\Temp\ya.wav, PE32 7->21 dropped 51 Document exploit detected (process start blacklist hit) 7->51 11 rundll32.exe 12 7->11         started        15 splwow64.exe 7->15         started        signatures5 process6 dnsIp7 29 wheresharrison.com 47.254.169.80, 49768, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 11->29 31 pulbilood.com 185.133.40.192, 49767, 49769, 49771 ADMAN-ASRU Russian Federation 11->31 33 3 other IPs or domains 11->33 53 System process connects to network (likely due to code injection or exploit) 11->53 55 Contains functionality to inject threads in other processes 11->55 57 Writes to foreign memory regions 11->57 59 2 other signatures 11->59 17 svchost.exe 16 11->17         started        signatures8 process9 dnsIp10 23 cussoricti.com 185.18.52.47, 49772, 49783, 80 WORLDSTREAMNL Spain 17->23 25 54.235.142.93, 49770, 80 AMAZON-AESUS United States 17->25 27 4 other IPs or domains 17->27 43 System process connects to network (likely due to code injection or exploit) 17->43 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->45 47 Tries to steal Instant Messenger accounts or passwords 17->47 49 2 other signatures 17->49 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1be37a12486b79888a0e17aaa2c8430c2a11eb224483c60d21a36a46bb4ccfb/
Threat name:
Document-Office.Trojan.Fickerstealer
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 16:24:07 UTC
File Type:
Document
Extracted files:
47
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6g7dpijeq23zrcfa4f5kuleegdbkchvseredyygsdi3ki25uzt5q._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro spyware
Link:
https://tria.ge/reports/201123-rt6vg1tc8e/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1be37a12486b79888a0e17aaa2c8430c2a11eb224483c60d21a36a46bb4ccfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:hancitor
Create hunting rule
Author:J from THL <j@techhelplist.com>
Description:Memory string yara for Hancitor
Rule name:win_hancitor_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

Comments