win.fickerstealer

Ficker Stealer


According to CyberArk, this malware steals sensitive information — login credentials, credit card data, cryptocurrency wallets and browser data — from applications such as WinSCP, Discord, Google Chrome and Electrum. It does so with an approach that differs from other stealers (described in the CyberArk analysis). Additionally, FickerStealer can function as a file grabber, collecting further files from the compromised machine, and as a downloader that fetches and executes several second-stage payloads.

References
2022-01-19 | Blackberry | The BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-05-25} } Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-08-12 | Blackberry | BlackBerry Research & Intelligence Team
@online{team:20210812:threat:254ba6c, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Ficker Infostealer Malware}}, date = {2021-08-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware}, language = {English}, urldate = {2021-08-17} } Threat Thursday: Ficker Infostealer Malware
Ficker Stealer
2021-07-19 | CyberArk | Ben Cohen
@online{cohen:20210719:fickerstealer:6d57700, author = {Ben Cohen}, title = {{FickerStealer: A New Rust Player in the Market}}, date = {2021-07-19}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market}, language = {English}, urldate = {2021-07-26} } FickerStealer: A New Rust Player in the Market
Ficker Stealer
2021-06-17 | Binary Defense | Brandon George
@online{george:20210617:analysis:6e4b8ac, author = {Brandon George}, title = {{Analysis of Hancitor – When Boring Begets Beacon}}, date = {2021-06-17}, organization = {Binary Defense}, url = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon}, language = {English}, urldate = {2021-06-22} } Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-04-22 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-20 | Bleeping Computer | Lawrence Abrams
@online{abrams:20210420:fake:fca82a4, author = {Lawrence Abrams}, title = {{Fake Microsoft Store, Spotify sites spread info-stealing malware}}, date = {2021-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/}, language = {English}, urldate = {2021-06-16} } Fake Microsoft Store, Spotify sites spread info-stealing malware
Ficker Stealer
2021-03-17 | HP | HP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-01-18 | Medium csis-techblog | Benoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2020-10-27 | Twitter (@3xp0rtblog) | 3xp0rt
@online{3xp0rt:20201027:ficker:b890340, author = {3xp0rt}, title = {{Tweet on Ficker Stealer}}, date = {2020-10-27}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1321209656774135810}, language = {English}, urldate = {2021-12-17} } Tweet on Ficker Stealer
Ficker Stealer
Yara Rules
[TLP:WHITE] win_fickerstealer_auto (20230125 | Detects win.fickerstealer.)
rule win_fickerstealer_auto {

    // Auto-generated code-sequence rule (yara-signator). Each $sequence_N is a
    // run of 7 instructions lifted from a sample's disassembly; the "????"
    // bytes mask the rel32 operand of e8 (call) / e9 (jmp), so a sequence
    // still matches when those targets are relocated. The "n"/"score" lines
    // and the meta values are the generator's own output and are kept as-is.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.fickerstealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8dbc24a4040000 f3ab 8d8424a4040000 8d8c24a0040000 f20f108424001d0000 f20f108c24081d0000 f20f118888000000 }
            // n = 7, score = 200
            //   8dbc24a4040000       | lea                 edi, [esp + 0x4a4]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8d8424a4040000       | lea                 eax, [esp + 0x4a4]
            //   8d8c24a0040000       | lea                 ecx, [esp + 0x4a0]
            //   f20f108424001d0000     | movsd    xmm0, qword ptr [esp + 0x1d00]
            //   f20f108c24081d0000     | movsd    xmm1, qword ptr [esp + 0x1d08]
            //   f20f118888000000     | movsd               qword ptr [eax + 0x88], xmm1

        $sequence_1 = { 5d e9???????? 5d c3 55 89e5 8b4104 }
            // n = 7, score = 200
            //   5d                   | pop                 ebp
            //   e9????????           |                     
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]

        $sequence_2 = { ff7008 e8???????? 58 5e 5d c3 55 }
            // n = 7, score = 200
            //   ff7008               | push                dword ptr [eax + 8]
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_3 = { 53 57 56 50 8b4104 8955f0 89cf }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   50                   | push                eax
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   89cf                 | mov                 edi, ecx

        $sequence_4 = { e8???????? 83c414 8b07 8b5704 8d65f8 5e 5f }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b5704               | mov                 edx, dword ptr [edi + 4]
            //   8d65f8               | lea                 esp, [ebp - 8]
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_5 = { e9???????? 55 89e5 51 e8???????? 5d c3 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   e8????????           |                     
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_6 = { 894108 f20f1101 6a05 5a e8???????? 832600 83660400 }
            // n = 7, score = 200
            //   894108               | mov                 dword ptr [ecx + 8], eax
            //   f20f1101             | movsd               qword ptr [ecx], xmm0
            //   6a05                 | push                5
            //   5a                   | pop                 edx
            //   e8????????           |                     
            //   832600               | and                 dword ptr [esi], 0
            //   83660400             | and                 dword ptr [esi + 4], 0

        $sequence_7 = { e8???????? 8b4e04 89d7 8945f0 85c9 7414 8b16 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   89d7                 | mov                 edi, edx
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   85c9                 | test                ecx, ecx
            //   7414                 | je                  0x16
            //   8b16                 | mov                 edx, dword ptr [esi]

        $sequence_8 = { 8d949480150000 33048a 89f1 8d5601 21fe 21d9 8d8c8c80150000 }
            // n = 7, score = 200
            //   8d949480150000       | lea                 edx, [esp + edx*4 + 0x1580]
            //   33048a               | xor                 eax, dword ptr [edx + ecx*4]
            //   89f1                 | mov                 ecx, esi
            //   8d5601               | lea                 edx, [esi + 1]
            //   21fe                 | and                 esi, edi
            //   21d9                 | and                 ecx, ebx
            //   8d8c8c80150000       | lea                 ecx, [esp + ecx*4 + 0x1580]

        $sequence_9 = { f20f104808 f20f114610 f20f114e08 f20f1116 56 e8???????? 59 }
            // n = 7, score = 200
            //   f20f104808           | movsd               xmm1, qword ptr [eax + 8]
            //   f20f114610           | movsd               qword ptr [esi + 0x10], xmm0
            //   f20f114e08           | movsd               qword ptr [esi + 8], xmm1
            //   f20f1116             | movsd               qword ptr [esi], xmm2
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx

    condition:
        // At least 7 of the 10 sequences must be present, and only in objects
        // smaller than 598016 bytes. The size bound is presumably derived from
        // the analysed samples (TODO confirm), so larger or padded builds will
        // not match. Note the disclaimer above: the sequences come from memory
        // dumps and unpacked files, so packed on-disk samples are unlikely to
        // match, and `filesize` is only meaningful when scanning files.
        7 of them and filesize < 598016
}
[TLP:WHITE] win_fickerstealer_w0   (20210726 | Yara rule for Ficker Stealer)
rule win_fickerstealer_w0 {
  meta: 
    author = "Ben Cohen, CyberArk"
    date = "22-02-2021"
    version = "1.0"
    hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6"
    source = "https://github.com/cyberark/malware-research/blob/master/FickerStealer/Ficker_Stealer.yar"
    description = "Yara rule for Ficker Stealer"
    malpedia_rule_date = "20210726"
    malpedia_hash = ""
    malpedia_version = "20210726"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
  
  strings:
    // Hex pattern named after a C2-related constant in the upstream rule; the
    // [0-4] jump tolerates up to four arbitrary bytes between the two halves.
    $c2_const = { 0C 00 0F 0A [0-4] 0B 0A 0B 0A }

    // Plain ASCII markers (no "wide" modifier, so UTF-16 copies do not match).
    // ".Kind" is very short and may occur in unrelated binaries on its own;
    // the $c2_const requirement in the condition is what keeps the rule specific.
    $s1 = "kindmessage"
    $s2 = "SomeNone"
    $s3 = ".Kind"

    // A decryption-loop pattern exists in the upstream rule but is disabled
    // here, together with its reference in the condition.
    //$decryption_pattern = { 89 ?? C1 ?? ?? 31 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? C1 ?? ?? 31 }

  condition:
    // Require an MZ header, the C2 constant pattern, and at least one marker string.
    uint16(0) == 0x5A4D and
    $c2_const and
    //$decryption_pattern and
    (1 of ($s*))
}