MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FickerStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8
SHA3-384 hash: 36ab4215d1021f0b45fd8c79b489b4c3af47810de34dbbbc1a514f1511c07f12a168c2b2d345248e5778f6e6026a888e
SHA1 hash: 5f041464895c49dc9fe0c3e156f0fb0511e6ad77
MD5 hash: 858df84cee719d555d9c0e734e85e134
humanhash: low-purple-alpha-india
File name:fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9.exe
Download: download sample
Signature FickerStealer
Create hunting rule
File size:495'630 bytes
First seen:2023-01-23 15:40:36 UTC
Last seen:2023-01-23 22:04:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b79b7ff25f59aa8cfc04296091d52f5c (8 x Smoke Loader, 2 x CoinMiner, 2 x Tofsee)
ssdeep 6144:cLD0cELbVdOkFuWupKYAbRjXXRQGOQ1k5W/HJXAiTACzKIugCoZsBf7jO5+:cn0b/VdJgKflXXRX/JQiTpnug6OQ
Threatray 232 similar samples on MalwareBazaar
TLSH T1EDB4D03267E0B940D729CA33CD1ADAD4F6BEB954FF04762B1E38625F19B01A0C52F295
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 287c240494a484c0 (1 x FickerStealer)
Reporter abuse_ch
Tags:exe FickerStealer


Avatar
abuse_ch
FickerStealer C2:
90.156.230.53:8080

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ficker
Create hunting rule
ID:
1
File name:
fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 15:45:58 UTC
Tags:
installer evasion trojan ficker stealer
Link:
https://app.any.run/tasks/5878fdbc-0075-4517-8c1f-16ca10fe6b73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355929/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit mikey overlay packed
Link:
https://www.filescan.io/uploads/63ceaa8f528134caf043167e/reports/b27e833a-3bbd-4aa8-9bbe-5dcce87fdbb7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fdb7c67f-dac6-4692-b89f-6687ee6dff49
Result
Threat name:
Ficker Stealer, Rusty Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157189
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected Ficker Stealer
Yara detected Rusty Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8/
Threat name:
Win32.Trojan.RaStealer
Create hunting rule
Status:
Malicious
First seen:
2023-01-21 21:21:49 UTC
File Type:
PE (Exe)
Extracted files:
91
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nrd6sxe3svaa7fmins2uphbgutk4mvzj4wzx7s36w3pnihdo24a._file
Verdict:
malicious
Similar samples:
087e07ea636995a1249f0196c4cf9e228c8112e44171d5fdcda61fcbc72ac39a
FickerStealer
2452b076ea5c2677bc20fb79b21f52fe5f85168c6115955e51b8a0c73dc72e2a
FickerStealer
31d722331a9890b3ac394bf19fa6246397fbf79b37f23bc3fdde850afbc319ae
FickerStealer
51837ac7f938c666b56d73e1e38f8d75dae2c6116ec2bc49fd992fa6aeab6546
FickerStealer
c292e86c72bcfc610e735fb8eae67990cc834892e4a199a4b20b3e0de5eb14d1
FickerStealer
fc583f0b1db0e61fd38fa6d02280554a392550ea905e2f1054602aba3aca42f9
FickerStealer
+ 222 additional samples on MalwareBazaar
Result
Malware family:
fickerstealer
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer discovery infostealer spyware stealer
Link:
https://tria.ge/reports/230123-s4rqjaea22/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Reads local data of messenger clients
Reads user/profile data of web browsers
Fickerstealer
Malware Config
C2 Extraction:
wejqwed.link:8080
Unpacked files
SH256 hash:
605452b78ac36d20aa7cb67a19912066b1e3cafadcbd0679831cecb697be3f28
MD5 hash:
322c1860cb78f051164ccbf93f7eaa29
SHA1 hash:
90501ea39344859e1ba9558764299a96abb53e0b
Detections:
win_fickerstealer_w0
Create hunting rule
win_fickerstealer_a0
Create hunting rule
Link:
https://www.unpac.me/results/fcfe48f7-3923-48cc-8b32-7a1231072519/
SH256 hash:
fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8
MD5 hash:
858df84cee719d555d9c0e734e85e134
SHA1 hash:
5f041464895c49dc9fe0c3e156f0fb0511e6ad77
Link:
https://www.unpac.me/results/fcfe48f7-3923-48cc-8b32-7a1231072519/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb623f4ae4dc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:Windows_Trojan_Fickerstealer_f2159bec
Create hunting rule
Author:Elastic Security
Rule name:win_fickerstealer_w0
Create hunting rule
Author:Ben Cohen, CyberArk
Description:Yara rule for Ficker Stealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FickerStealer

Executable exe fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9bfe5bf5b6f6a0e376b8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/355929/
  
URLhaus
https://urlhaus.abuse.ch/url/2516473/
  
Delivery method
Distributed via web download

Comments