win.fickerstealer

Ficker Stealer


According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information, from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does so using a different approach from other stealers (described in the CyberArk report). Additionally, FickerStealer can function as a file grabber, collecting additional files from the compromised machine, and as a downloader, fetching and executing several second-stage malware payloads.

References
2022-01-19BlackberryThe BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-08-12BlackberryBlackBerry Research & Intelligence Team
Threat Thursday: Ficker Infostealer Malware
Ficker Stealer
2021-07-19CyberArkBen Cohen
FickerStealer: A New Rust Player in the Market
Ficker Stealer
2021-06-17Binary DefenseBrandon George
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-04-22SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-20Bleeping ComputerLawrence Abrams
Fake Microsoft Store, Spotify sites spread info-stealing malware
Ficker Stealer
2021-03-17HPHP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-01-18Medium csis-techblogBenoît Ancel
GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2020-10-27Twitter (@3xp0rtblog)3xp0rt
Tweet on Ficker Stealer
Ficker Stealer
Yara Rules
[TLP:WHITE] win_fickerstealer_auto (20260504 | Detects win.fickerstealer.)
rule win_fickerstealer_auto {
    // Auto-generated code-sequence signature for win.fickerstealer; see the
    // DISCLAIMER below for how the sequences were selected.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.fickerstealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each $sequence_N is a run of n x86 instructions taken from the sample's
     * disassembly (opcode bytes on the left, mnemonic on the right in the
     * comments below). Bytes written as ?? are YARA wildcards: here they mask
     * the rel32 operand of e8 (call) / e9 (jmp), which changes with code
     * layout, so those lines carry no disassembly. "score" is the ranking
     * value yara-signator assigned to the sequence; its scale is not
     * documented on this page.
     */

    strings:
        $sequence_0 = { c70201000000 894a08 894204 eb0e 8b4df0 89d8 2b45ec }
            // n = 7, score = 200
            //   c70201000000         | mov                 dword ptr [edx], 1
            //   894a08               | mov                 dword ptr [edx + 8], ecx
            //   894204               | mov                 dword ptr [edx + 4], eax
            //   eb0e                 | jmp                 0x10
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   89d8                 | mov                 eax, ebx
            //   2b45ec               | sub                 eax, dword ptr [ebp - 0x14]

        $sequence_1 = { 83a4240802000000 e8???????? 6a08 58 8b4d08 e9???????? 8d842418020000 }
            // n = 7, score = 200
            //   83a4240802000000     | and                 dword ptr [esp + 0x208], 0
            //   e8????????           |                     
            //   6a08                 | push                8
            //   58                   | pop                 eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e9????????           |                     
            //   8d842418020000       | lea                 eax, [esp + 0x218]

        $sequence_2 = { 8919 895104 894108 e8???????? 894604 31c0 895608 }
            // n = 7, score = 200
            //   8919                 | mov                 dword ptr [ecx], ebx
            //   895104               | mov                 dword ptr [ecx + 4], edx
            //   894108               | mov                 dword ptr [ecx + 8], eax
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   31c0                 | xor                 eax, eax
            //   895608               | mov                 dword ptr [esi + 8], edx

        $sequence_3 = { 5e 5d c3 89c1 52 56 e8???????? }
            // n = 7, score = 200
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   89c1                 | mov                 ecx, eax
            //   52                   | push                edx
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_4 = { 0d0000f07f 660f6ec0 e9???????? 8b4d0c 89c6 89ca 21da }
            // n = 7, score = 200
            //   0d0000f07f           | or                  eax, 0x7ff00000
            //   660f6ec0             | movd                xmm0, eax
            //   e9????????           |                     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   89c6                 | mov                 esi, eax
            //   89ca                 | mov                 edx, ecx
            //   21da                 | and                 edx, ebx

        $sequence_5 = { f20f1000 f20f104808 8d45e4 09f1 8d75d4 894d94 89f1 }
            // n = 7, score = 200
            //   f20f1000             | movsd               xmm0, qword ptr [eax]
            //   f20f104808           | movsd               xmm1, qword ptr [eax + 8]
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   09f1                 | or                  ecx, esi
            //   8d75d4               | lea                 esi, [ebp - 0x2c]
            //   894d94               | mov                 dword ptr [ebp - 0x6c], ecx
            //   89f1                 | mov                 ecx, esi

        $sequence_6 = { e8???????? 50 e8???????? 5e 5d c3 55 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_7 = { 8d8c2400010000 e8???????? 8d8c2444010000 e8???????? 897c2408 89742404 31ff }
            // n = 7, score = 200
            //   8d8c2400010000       | lea                 ecx, [esp + 0x100]
            //   e8????????           |                     
            //   8d8c2444010000       | lea                 ecx, [esp + 0x144]
            //   e8????????           |                     
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   31ff                 | xor                 edi, edi

        $sequence_8 = { 8b4dec e8???????? eb2a 31d2 eb18 85c9 7412 }
            // n = 7, score = 200
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   eb2a                 | jmp                 0x2c
            //   31d2                 | xor                 edx, edx
            //   eb18                 | jmp                 0x1a
            //   85c9                 | test                ecx, ecx
            //   7412                 | je                  0x14

        $sequence_9 = { a820 b900000000 0f45fe 0f45f1 247f 3c40 0f43f9 }
            // n = 7, score = 200
            //   a820                 | test                al, 0x20
            //   b900000000           | mov                 ecx, 0
            //   0f45fe               | cmovne              edi, esi
            //   0f45f1               | cmovne              esi, ecx
            //   247f                 | and                 al, 0x7f
            //   3c40                 | cmp                 al, 0x40
            //   0f43f9               | cmovae              edi, ecx

    /* A match requires 7 of the 10 sequences above plus a size ceiling. The
     * 598016-byte bound presumably derives from the reference sample(s) the
     * rule was generated from (TODO confirm); larger builds (e.g. padded or
     * bundled) will not match even if every sequence is present. Note the
     * rule does not check for a PE header, so it also applies to raw memory
     * dumps.
     */
    condition:
        7 of them and filesize < 598016
}
[TLP:WHITE] win_fickerstealer_w0   (20210726 | Yara rule for Ficker Stealer)
rule win_fickerstealer_w0 {
  // Hand-written rule (CyberArk) that pairs one short hex pattern with a set
  // of string literals and a PE magic check.
  meta: 
    author = "Ben Cohen, CyberArk"
    // day-month-year, unlike the YYYYMMDD form used by the malpedia_* fields
    date = "22-02-2021"
    version = "1.0"
    hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6"
    source = "https://github.com/cyberark/malware-research/blob/master/FickerStealer/Ficker_Stealer.yar"
    description = "Yara rule for Ficker Stealer"
    malpedia_rule_date = "20210726"
    malpedia_hash = ""
    malpedia_version = "20210726"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
  
  strings:
    // Disabled in both the strings and the condition section; if it is ever
    // restored, re-enable both places together.
    //$decryption_pattern = { 89 ?? C1 ?? ?? 31 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? C1 ?? ?? 31 }
    // Eight fixed bytes with a gap of 0 to 4 arbitrary bytes ([0-4]) between
    // the two halves. NOTE(review): the name suggests a C2-related constant,
    // but what it encodes is not shown here — confirm against the CyberArk
    // report before treating a hit on this pattern alone as high confidence.
    $c2_const = { 0C 00 0F 0A [0-4] 0B 0A 0B 0A }

    // Plain ASCII literals with no `wide` or `nocase` modifier, so UTF-16 or
    // differently cased forms are not matched.
    // NOTE(review): "SomeNone" and ".Kind" look like generic Rust type-name
    // fragments that may also occur in unrelated Rust binaries; the rule's
    // specificity therefore rests mainly on $c2_const — verify the
    // false-positive rate on a benign Rust corpus.
    $s1 = "kindmessage"
    $s2 = "SomeNone"
    $s3 = ".Kind"

  // The hex pattern and at least one of the three literals must both be
  // present, and the file must begin with the PE "MZ" magic (uint16 is read
  // little-endian, so 0x5A4D is the bytes 4D 5A). Placing the magic check
  // first is the usual convention; `and` is commutative, so the order here
  // does not change what matches. No filesize bound is applied.
  condition:
    //$decryption_pattern and
    $c2_const and
    (1 of ($s*)) and
    uint16(0) == 0x5A4D
}