popup

Report - 270c3859591599642bd15167765246e3.exe

Ficker Stealer UPX PE32 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.07.13 18:11 Machine s1_win7_x6401
Filename 270c3859591599642bd15167765246e3.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score
5
 Behavior Score
8.8
ZERO API file : malware
VT API (file) 60 detected (Zudochka, malicious, high confidence, Doina, GenericRXMH, Unsafe, Save, Eldorado, FickerStealer, Ficker, iqqcxe, TrojanX, Malware@#23yxbayqoakan, SMTH, Score, bjchm, ASMalwS, kcloud, R352614, ZexaF, qGX@aOESqXf, ai score=100, BScope, Hooq, 822ndTsjxTI, Static AI, Suspicious PE, susgen, GdSda, confidence, 100%, HgIASWUA)
md5 270c3859591599642bd15167765246e3
sha256 dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019
ssdeep 6144:Rxa4Hg2gf0jOrkOWnNwZvbMoq2T4qi+AHPHrr:JHg727Nwyo9Av/
imphash cb664df5fa904736e15ac44ff006d780
impfuzzy 48:C1lxEXJGQjkoqtyuQ0cgugV9vlmcVu04rzCF/:C1lxGJGKRqtyxSugV3mcV2g
  Network IP location

Signature (18cnts)

Level Description
danger File has been identified by 60 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
notice Looks up the external IP address
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (4cnts)

Level Name Description Collection
danger Ficker_Stealer_Zero Ficker Stealer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://api.ipify.org/?format=xml
whois
US AMAZON-AES 23.21.173.155 clean
api.ipify.org
whois
US AMAZON-AES 23.21.173.155 clean
pospvisis.com
whois
RU OOO Network of data-centers Selectel 95.213.179.67 mailcious
50.19.100.233
whois
US AMAZON-AES 50.19.100.233 clean
95.213.179.67
whois
RU OOO Network of data-centers Selectel 95.213.179.67 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x4452b4 GetCurrentProcess
 0x4452b8 GetCurrentProcessId
 0x4452bc GetCurrentThreadId
 0x4452c0 GetTickCount
 0x4452c4 QueryPerformanceCounter
 0x4452c8 TerminateProcess
 0x4452cc UnhandledExceptionFilter
 0x4452d0 VirtualProtect
 0x4452d4 VirtualQuery
msvcrt.dll
 0x4452dc __getmainargs
 0x4452e0 __initenv
 0x4452e4 __lconv_init
 0x4452e8 __p__acmdln
 0x4452ec __p__fmode
 0x4452f0 __set_app_type
 0x4452f4 __setusermatherr
 0x4452f8 _amsg_exit
 0x4452fc _cexit
 0x445300 _fmode
 0x445304 _fpreset
 0x445308 _initterm
 0x44530c _iob
 0x445310 _onexit
 0x445314 abort
 0x445318 calloc
 0x44531c exit
 0x445320 fprintf
 0x445324 free
 0x445328 fwrite
 0x44532c malloc
 0x445330 memcmp
 0x445334 memcpy
 0x445338 memmove
 0x44533c memset
 0x445340 signal
 0x445344 strlen
 0x445348 strncmp
 0x44534c vfprintf
WS2_32.dll
 0x445354 WSACleanup
 0x445358 WSAGetLastError
 0x44535c WSASocketW
 0x445360 WSAStartup
 0x445364 closesocket
 0x445368 connect
 0x44536c freeaddrinfo
 0x445370 getaddrinfo
 0x445374 ioctlsocket
 0x445378 recv
 0x44537c send
 0x445380 setsockopt
 0x445384 shutdown
ADVAPI32.dll
 0x44538c RegCloseKey
 0x445390 RegEnumKeyExW
 0x445394 RegOpenKeyExW
 0x445398 RegQueryInfoKeyW
 0x44539c RegQueryValueExW
CRYPT32.dll
 0x4453a4 CryptUnprotectData
GDI32.dll
 0x4453ac BitBlt
 0x4453b0 CreateCompatibleDC
 0x4453b4 CreateDIBSection
 0x4453b8 DeleteObject
 0x4453bc GetCurrentObject
 0x4453c0 GetObjectW
 0x4453c4 SelectObject
KERNEL32.dll
 0x4453cc CloseHandle
 0x4453d0 CreateDirectoryW
 0x4453d4 CreateFileW
 0x4453d8 CreateProcessA
 0x4453dc CreateToolhelp32Snapshot
 0x4453e0 DeleteCriticalSection
 0x4453e4 DeviceIoControl
 0x4453e8 EnterCriticalSection
 0x4453ec FindClose
 0x4453f0 FindFirstFileW
 0x4453f4 FindNextFileW
 0x4453f8 FormatMessageW
 0x4453fc GetComputerNameW
 0x445400 GetConsoleMode
 0x445404 GetEnvironmentVariableW
 0x445408 GetFileInformationByHandle
 0x44540c GetLastError
 0x445410 GetLocaleInfoW
 0x445414 GetModuleFileNameW
 0x445418 GetModuleHandleW
 0x44541c GetProcAddress
 0x445420 GetProcessHeap
 0x445424 GetStartupInfoA
 0x445428 GetStdHandle
 0x44542c GetSystemInfo
 0x445430 GetSystemTimeAsFileTime
 0x445434 GetTempPathW
 0x445438 GetTimeZoneInformation
 0x44543c GetUserDefaultLocaleName
 0x445440 GlobalMemoryStatusEx
 0x445444 HeapAlloc
 0x445448 HeapFree
 0x44544c HeapReAlloc
 0x445450 InitializeCriticalSection
 0x445454 LeaveCriticalSection
 0x445458 LoadLibraryA
 0x44545c LocalFree
 0x445460 Process32First
 0x445464 Process32Next
 0x445468 ReadFile
 0x44546c SetFilePointerEx
 0x445470 SetHandleInformation
 0x445474 SetLastError
 0x445478 SetUnhandledExceptionFilter
 0x44547c Sleep
 0x445480 TlsAlloc
 0x445484 TlsGetValue
 0x445488 TlsSetValue
 0x44548c WriteConsoleW
 0x445490 WriteFile
USER32.dll
 0x445498 EnumDisplayDevicesW
 0x44549c GetDC
 0x4454a0 GetDesktopWindow
 0x4454a4 GetKeyboardLayoutList
 0x4454a8 GetSystemMetrics
 0x4454ac GetWindowRect

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure