ScreenShot
| Created | 2021.06.02 10:14 | Machine | s1_win7_x6401 |
| Filename | 6ha8ua.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 57 detected (malicious, high confidence, GenericKD, Zudochka, GenericRXNQ, Unsafe, Save, ZexaF, qGX@amUves, PEUM, Attribute, HighConfidence, FICKERSTEALER, THBAFBA, TrojanX, ijmhtg, Gencirc, Malware@#30vyhmhgld3p, R + Troj, Delp, aypeq, ASMalwS, kcloud, score, R352614, BScope, ai score=100, 7OffOs1e, Static AI, Suspicious PE, susgen, GdSda, confidence, 100%) | ||
| md5 | 77be0dd6570301acac3634801676b5d7 | ||
| sha256 | 94e60de577c84625da69f785ffe7e24c889bfa6923dc7b017c21e8a313e4e8e1 | ||
| ssdeep | 6144:VMWdTMYHqhElscw4liVM1LDtG8esyh3hNn+:TdTJqWrEVcDYxN+ | ||
| imphash | cb664df5fa904736e15ac44ff006d780 | ||
| impfuzzy | 48:C1lxEXJGQjkoqtyuQ0cgugV9vlmcVu04rzCF/:C1lxGJGKRqtyxSugV3mcV2g | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Ficker_Stealer_Zero | Ficker Stealer | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup (ipify .org)
ET MALWARE Win32/Ficker Stealer Activity M3
ET POLICY External IP Lookup (ipify .org)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4452b4 GetCurrentProcess
0x4452b8 GetCurrentProcessId
0x4452bc GetCurrentThreadId
0x4452c0 GetTickCount
0x4452c4 QueryPerformanceCounter
0x4452c8 TerminateProcess
0x4452cc UnhandledExceptionFilter
0x4452d0 VirtualProtect
0x4452d4 VirtualQuery
msvcrt.dll
0x4452dc __getmainargs
0x4452e0 __initenv
0x4452e4 __lconv_init
0x4452e8 __p__acmdln
0x4452ec __p__fmode
0x4452f0 __set_app_type
0x4452f4 __setusermatherr
0x4452f8 _amsg_exit
0x4452fc _cexit
0x445300 _fmode
0x445304 _fpreset
0x445308 _initterm
0x44530c _iob
0x445310 _onexit
0x445314 abort
0x445318 calloc
0x44531c exit
0x445320 fprintf
0x445324 free
0x445328 fwrite
0x44532c malloc
0x445330 memcmp
0x445334 memcpy
0x445338 memmove
0x44533c memset
0x445340 signal
0x445344 strlen
0x445348 strncmp
0x44534c vfprintf
WS2_32.dll
0x445354 WSACleanup
0x445358 WSAGetLastError
0x44535c WSASocketW
0x445360 WSAStartup
0x445364 closesocket
0x445368 connect
0x44536c freeaddrinfo
0x445370 getaddrinfo
0x445374 ioctlsocket
0x445378 recv
0x44537c send
0x445380 setsockopt
0x445384 shutdown
ADVAPI32.dll
0x44538c RegCloseKey
0x445390 RegEnumKeyExW
0x445394 RegOpenKeyExW
0x445398 RegQueryInfoKeyW
0x44539c RegQueryValueExW
CRYPT32.dll
0x4453a4 CryptUnprotectData
GDI32.dll
0x4453ac BitBlt
0x4453b0 CreateCompatibleDC
0x4453b4 CreateDIBSection
0x4453b8 DeleteObject
0x4453bc GetCurrentObject
0x4453c0 GetObjectW
0x4453c4 SelectObject
KERNEL32.dll
0x4453cc CloseHandle
0x4453d0 CreateDirectoryW
0x4453d4 CreateFileW
0x4453d8 CreateProcessA
0x4453dc CreateToolhelp32Snapshot
0x4453e0 DeleteCriticalSection
0x4453e4 DeviceIoControl
0x4453e8 EnterCriticalSection
0x4453ec FindClose
0x4453f0 FindFirstFileW
0x4453f4 FindNextFileW
0x4453f8 FormatMessageW
0x4453fc GetComputerNameW
0x445400 GetConsoleMode
0x445404 GetEnvironmentVariableW
0x445408 GetFileInformationByHandle
0x44540c GetLastError
0x445410 GetLocaleInfoW
0x445414 GetModuleFileNameW
0x445418 GetModuleHandleW
0x44541c GetProcAddress
0x445420 GetProcessHeap
0x445424 GetStartupInfoA
0x445428 GetStdHandle
0x44542c GetSystemInfo
0x445430 GetSystemTimeAsFileTime
0x445434 GetTempPathW
0x445438 GetTimeZoneInformation
0x44543c GetUserDefaultLocaleName
0x445440 GlobalMemoryStatusEx
0x445444 HeapAlloc
0x445448 HeapFree
0x44544c HeapReAlloc
0x445450 InitializeCriticalSection
0x445454 LeaveCriticalSection
0x445458 LoadLibraryA
0x44545c LocalFree
0x445460 Process32First
0x445464 Process32Next
0x445468 ReadFile
0x44546c SetFilePointerEx
0x445470 SetHandleInformation
0x445474 SetLastError
0x445478 SetUnhandledExceptionFilter
0x44547c Sleep
0x445480 TlsAlloc
0x445484 TlsGetValue
0x445488 TlsSetValue
0x44548c WriteConsoleW
0x445490 WriteFile
USER32.dll
0x445498 EnumDisplayDevicesW
0x44549c GetDC
0x4454a0 GetDesktopWindow
0x4454a4 GetKeyboardLayoutList
0x4454a8 GetSystemMetrics
0x4454ac GetWindowRect
EAT(Export Address Table) is none
KERNEL32.dll
0x4452b4 GetCurrentProcess
0x4452b8 GetCurrentProcessId
0x4452bc GetCurrentThreadId
0x4452c0 GetTickCount
0x4452c4 QueryPerformanceCounter
0x4452c8 TerminateProcess
0x4452cc UnhandledExceptionFilter
0x4452d0 VirtualProtect
0x4452d4 VirtualQuery
msvcrt.dll
0x4452dc __getmainargs
0x4452e0 __initenv
0x4452e4 __lconv_init
0x4452e8 __p__acmdln
0x4452ec __p__fmode
0x4452f0 __set_app_type
0x4452f4 __setusermatherr
0x4452f8 _amsg_exit
0x4452fc _cexit
0x445300 _fmode
0x445304 _fpreset
0x445308 _initterm
0x44530c _iob
0x445310 _onexit
0x445314 abort
0x445318 calloc
0x44531c exit
0x445320 fprintf
0x445324 free
0x445328 fwrite
0x44532c malloc
0x445330 memcmp
0x445334 memcpy
0x445338 memmove
0x44533c memset
0x445340 signal
0x445344 strlen
0x445348 strncmp
0x44534c vfprintf
WS2_32.dll
0x445354 WSACleanup
0x445358 WSAGetLastError
0x44535c WSASocketW
0x445360 WSAStartup
0x445364 closesocket
0x445368 connect
0x44536c freeaddrinfo
0x445370 getaddrinfo
0x445374 ioctlsocket
0x445378 recv
0x44537c send
0x445380 setsockopt
0x445384 shutdown
ADVAPI32.dll
0x44538c RegCloseKey
0x445390 RegEnumKeyExW
0x445394 RegOpenKeyExW
0x445398 RegQueryInfoKeyW
0x44539c RegQueryValueExW
CRYPT32.dll
0x4453a4 CryptUnprotectData
GDI32.dll
0x4453ac BitBlt
0x4453b0 CreateCompatibleDC
0x4453b4 CreateDIBSection
0x4453b8 DeleteObject
0x4453bc GetCurrentObject
0x4453c0 GetObjectW
0x4453c4 SelectObject
KERNEL32.dll
0x4453cc CloseHandle
0x4453d0 CreateDirectoryW
0x4453d4 CreateFileW
0x4453d8 CreateProcessA
0x4453dc CreateToolhelp32Snapshot
0x4453e0 DeleteCriticalSection
0x4453e4 DeviceIoControl
0x4453e8 EnterCriticalSection
0x4453ec FindClose
0x4453f0 FindFirstFileW
0x4453f4 FindNextFileW
0x4453f8 FormatMessageW
0x4453fc GetComputerNameW
0x445400 GetConsoleMode
0x445404 GetEnvironmentVariableW
0x445408 GetFileInformationByHandle
0x44540c GetLastError
0x445410 GetLocaleInfoW
0x445414 GetModuleFileNameW
0x445418 GetModuleHandleW
0x44541c GetProcAddress
0x445420 GetProcessHeap
0x445424 GetStartupInfoA
0x445428 GetStdHandle
0x44542c GetSystemInfo
0x445430 GetSystemTimeAsFileTime
0x445434 GetTempPathW
0x445438 GetTimeZoneInformation
0x44543c GetUserDefaultLocaleName
0x445440 GlobalMemoryStatusEx
0x445444 HeapAlloc
0x445448 HeapFree
0x44544c HeapReAlloc
0x445450 InitializeCriticalSection
0x445454 LeaveCriticalSection
0x445458 LoadLibraryA
0x44545c LocalFree
0x445460 Process32First
0x445464 Process32Next
0x445468 ReadFile
0x44546c SetFilePointerEx
0x445470 SetHandleInformation
0x445474 SetLastError
0x445478 SetUnhandledExceptionFilter
0x44547c Sleep
0x445480 TlsAlloc
0x445484 TlsGetValue
0x445488 TlsSetValue
0x44548c WriteConsoleW
0x445490 WriteFile
USER32.dll
0x445498 EnumDisplayDevicesW
0x44549c GetDC
0x4454a0 GetDesktopWindow
0x4454a4 GetKeyboardLayoutList
0x4454a8 GetSystemMetrics
0x4454ac GetWindowRect
EAT(Export Address Table) is none