MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f62434d2bfd1b9d953618d0be4ba442e3210b821575ae1b1c97ae6aa55ae394a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f62434d2bfd1b9d953618d0be4ba442e3210b821575ae1b1c97ae6aa55ae394a
SHA3-384 hash: 8af6dc90a02566a87a9e3a15584b2f4594ea2aefdaa6c477abdd43f297fbcdf230273679e29a41249e3321e1d79d402f
SHA1 hash: 6954b0d7afbc34086dda788bd92eb206032b9728
MD5 hash: 7912addad41057e4fd93ca599aef6b22
humanhash: edward-magnesium-undress-lemon
File name:7912addad41057e4fd93ca599aef6b22
Download: download sample
Signature FickerStealer
Create hunting rule
File size:4'747'408 bytes
First seen:2021-09-17 19:57:28 UTC
Last seen:2021-09-17 22:52:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9721750b3ba7a6e9d244574b387cb77d (2 x FickerStealer)
ssdeep 98304:57AsIlb8NWY5mIaBJHW++kYal61OGHAwFcfn4mpaM5A1FE/cP:5Ms2KWJ2mrl60HFpP5RkP
Threatray 139 similar samples on MalwareBazaar
TLSH T1802612E3AF50315AE0D0CC39B6177EFEB2F32E76AA42947865E7F6D501361A19607803
dhash icon 7ac323b9cee4fe07 (1 x FickerStealer)
Reporter zbetcheckin
Tags:32 exe FickerStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7912addad41057e4fd93ca599aef6b22
Verdict:
Malicious activity
Analysis date:
2021-09-17 19:59:46 UTC
Tags:
evasion trojan ficker stealer
Link:
https://app.any.run/tasks/adc45bc4-4558-4041-ba1f-a1558dc535d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ficker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188841/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46972018.20417.12771.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Malware family:
FickerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/481e2882-76b4-44d2-bb2e-8808be2ba6dc
Result
Threat name:
SERVHELPER Ficker Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853012
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Found many strings related to Crypto-Wallets (likely being stolen)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Yara detected Ficker Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485440 Sample: Z3CkP5Pboa Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 74 zd.map.fastly.net 2->74 76 www.speedtest.net 2->76 78 8 other IPs or domains 2->78 88 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->88 90 Antivirus detection for dropped file 2->90 92 Multi AV Scanner detection for dropped file 2->92 94 12 other signatures 2->94 12 Z3CkP5Pboa.exe 16 2->12         started        17 cmd.exe 2->17         started        19 rdpdr.sys 2->19         started        signatures3 process4 dnsIp5 80 86.107.197.85, 49741, 49742, 80 MOD-EUNL Romania 12->80 82 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.247.117, 49740, 80 AMAZON-AESUS United States 12->82 84 2 other IPs or domains 12->84 72 C:\Users\user\AppData\...\1631948308758.exe, PE32+ 12->72 dropped 110 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->110 112 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->112 114 May check the online IP address of the machine 12->114 116 4 other signatures 12->116 21 1631948308758.exe 4 12->21         started        24 net.exe 17->24         started        26 conhost.exe 17->26         started        file6 signatures7 process8 signatures9 96 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->96 98 Bypasses PowerShell execution policy 21->98 100 Queries memory information (via WMI often done to detect virtual machines) 21->100 28 powershell.exe 47 21->28         started        32 net1.exe 24->32         started        process10 file11 66 C:\Windows\Branding\mediasvc.png, PE32+ 28->66 dropped 68 C:\Windows\Branding\mediasrv.png, PE32+ 28->68 dropped 70 C:\Users\user\AppData\...\l31tz3li.cmdline, UTF-8 28->70 dropped 102 Detected SERVHELPER 28->102 104 Uses cmd line tools excessively to alter registry or file data 28->104 106 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 28->106 108 2 other signatures 28->108 34 reg.exe 28->34         started        37 cmd.exe 28->37         started        39 cmd.exe 28->39         started        41 8 other processes 28->41 signatures12 process13 file14 86 Creates a Windows Service pointing to an executable in C:\Windows 34->86 44 cmd.exe 37->44         started        46 cmd.exe 39->46         started        64 C:\Users\user\AppData\Local\...\l31tz3li.dll, PE32 41->64 dropped 48 cvtres.exe 41->48         started        50 conhost.exe 41->50         started        52 conhost.exe 41->52         started        54 2 other processes 41->54 signatures15 process16 process17 56 net.exe 44->56         started        58 net.exe 46->58         started        process18 60 net1.exe 56->60         started        62 net1.exe 58->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f62434d2bfd1b9d953618d0be4ba442e3210b821575ae1b1c97ae6aa55ae394a/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 07:16:33 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ysdjuv72g45su3bruf6josefyzbbobbk5nodmojpltkuvnohffa._file
Verdict:
malicious
Similar samples:
043d74057370b18ec933764ae5c0fa80be90af1d41761c0a2f34f9d8c56542e5
FickerStealer
255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5
FickerStealer
266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce
FickerStealer
5c7e8b5ecf30c04a3a6e3726328c37eccfc8f0656797894d71e2ac7c27c20c9d
FickerStealer
77207663d42c90aeeb0724391087ebeb2cdb6134ce1fe731ef908c8a961083fe
FickerStealer
80271a13696df77f092c3b6abce154f98e83f5840c64b610af7ae83cfe711482
FickerStealer
857ddc8de567afa19f5bc9236f6cf3681e46919530f90acc25ff36112564432c
FickerStealer
be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
FickerStealer
f4adc9d5df2c5543d17faa940efced9980a87b98a8858ccc3547fb51e154ecaa
FickerStealer
fe40b63a00a7d737baa87f493751a1b92ac782baaef2304b0ae65c5a1cbec58d
FickerStealer
+ 129 additional samples on MalwareBazaar
Result
Malware family:
fickerstealer
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer discovery infostealer spyware stealer suricata
Link:
https://tria.ge/reports/210917-yptt8sbcal/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Fickerstealer
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
Malware Config
C2 Extraction:
86.107.197.85:80
Unpacked files
SH256 hash:
fdbef10bba1a0348012b5902acf83275e306a544e3fd4c35d6f632d5da922f59
MD5 hash:
8571da439e979345c8e743fdc277ca13
SHA1 hash:
73d005aa165f9d8710e1c77bd0c826a79e09c8a1
Detections:
win_fickerstealer_a0
Create hunting rule
win_fickerstealer_w0
Create hunting rule
Link:
https://www.unpac.me/results/25a5f94b-8ebf-4864-af4c-1f188c368318/
SH256 hash:
f62434d2bfd1b9d953618d0be4ba442e3210b821575ae1b1c97ae6aa55ae394a
MD5 hash:
7912addad41057e4fd93ca599aef6b22
SHA1 hash:
6954b0d7afbc34086dda788bd92eb206032b9728
Link:
https://www.unpac.me/results/25a5f94b-8ebf-4864-af4c-1f188c368318/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f62434d2bfd1b9d953618d0be4ba442e3210b821575ae1b1c97ae6aa55ae394a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FickerStealer

Executable exe f62434d2bfd1b9d953618d0be4ba442e3210b821575ae1b1c97ae6aa55ae394a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1628492/
Cape
Cape
https://www.capesandbox.com/analysis/188841/

Comments


Avatar
zbet commented on 2021-09-17 19:57:29 UTC

url : hxxp://103.169.90.205/blog/upload/go_stil.exe