win.fickerstealer

Ficker Stealer


According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does this using a different approach from other stealers (detailed in the CyberArk write-up referenced below). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware payloads.

References
2022-01-19 — Blackberry — The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-08-12 — Blackberry — BlackBerry Research & Intelligence Team
Threat Thursday: Ficker Infostealer Malware
Ficker Stealer
2021-07-19 — CyberArk — Ben Cohen
FickerStealer: A New Rust Player in the Market
Ficker Stealer
2021-06-17 — Binary Defense — Brandon George
Analysis of Hancitor – When Boring Begets Beacon
Cobalt Strike Ficker Stealer Hancitor
2021-04-22 — Spamhaus — Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-20 — Bleeping Computer — Lawrence Abrams
Fake Microsoft Store, Spotify sites spread info-stealing malware
Ficker Stealer
2021-03-17 — HP — HP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-01-18 — Medium csis-techblog — Benoît Ancel
GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2020-10-27 — Twitter (@3xp0rtblog) — 3xp0rt
Tweet on Ficker Stealer
Ficker Stealer
Yara Rules
[TLP:WHITE] win_fickerstealer_auto (20230808 | Detects win.fickerstealer.)
rule win_fickerstealer_auto {

    // Machine-generated code-sequence signature (yara-signator). The meta fields
    // record the generator, its configuration and the Malpedia snapshot the rule
    // was built against; the byte sequences below are not meant to be hand-edited.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.fickerstealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of 32-bit x86 instruction bytes lifted from the
    // disassembly. '??' masks operand bytes that vary between builds (call/jump
    // displacements and data references, per signator_config); the decoded
    // instruction column is left blank on those lines. "n" is the number of
    // instructions in the sequence; "score" is a ranking value assigned by
    // yara-signator (tool-defined, not a YARA construct).
    strings:
        $sequence_0 = { 8b55c8 897150 895154 8b75cc 8b55d0 897158 89515c }
            // n = 7, score = 200
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]
            //   897150               | mov                 dword ptr [ecx + 0x50], esi
            //   895154               | mov                 dword ptr [ecx + 0x54], edx
            //   8b75cc               | mov                 esi, dword ptr [ebp - 0x34]
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   897158               | mov                 dword ptr [ecx + 0x58], esi
            //   89515c               | mov                 dword ptr [ecx + 0x5c], edx

        $sequence_1 = { ba???????? 0f2840f0 0f2808 0f298424a0040000 0f294910 0f2901 6a00 }
            // n = 7, score = 200
            //   ba????????           |                     
            //   0f2840f0             | movaps              xmm0, xmmword ptr [eax - 0x10]
            //   0f2808               | movaps              xmm1, xmmword ptr [eax]
            //   0f298424a0040000     | movaps              xmmword ptr [esp + 0x4a0], xmm0
            //   0f294910             | movaps              xmmword ptr [ecx + 0x10], xmm1
            //   0f2901               | movaps              xmmword ptr [ecx], xmm0
            //   6a00                 | push                0

        $sequence_2 = { c1e104 85c0 f20f10840b90000000 f20f108c0b98000000 f20f118c2488000000 f20f11842480000000 f20f10442450 }
            // n = 7, score = 200
            //   c1e104               | shl                 ecx, 4
            //   85c0                 | test                eax, eax
            //   f20f10840b90000000     | movsd    xmm0, qword ptr [ebx + ecx + 0x90]
            //   f20f108c0b98000000     | movsd    xmm1, qword ptr [ebx + ecx + 0x98]
            //   f20f118c2488000000     | movsd    qword ptr [esp + 0x88], xmm1
            //   f20f11842480000000     | movsd    qword ptr [esp + 0x80], xmm0
            //   f20f10442450         | movsd               xmm0, qword ptr [esp + 0x50]

        $sequence_3 = { c1ea04 85d2 0f44d1 0f44f0 89d1 c1e902 6afe }
            // n = 7, score = 200
            //   c1ea04               | shr                 edx, 4
            //   85d2                 | test                edx, edx
            //   0f44d1               | cmove               edx, ecx
            //   0f44f0               | cmove               esi, eax
            //   89d1                 | mov                 ecx, edx
            //   c1e902               | shr                 ecx, 2
            //   6afe                 | push                -2

        $sequence_4 = { 8b3e e8???????? 84c0 7404 c6470401 8b06 8b08 }
            // n = 7, score = 200
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7404                 | je                  6
            //   c6470401             | mov                 byte ptr [edi + 4], 1
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_5 = { 89d3 8954241c 897c2420 c744241801000000 89f1 e8???????? 3c0f }
            // n = 7, score = 200
            //   89d3                 | mov                 ebx, edx
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx
            //   897c2420             | mov                 dword ptr [esp + 0x20], edi
            //   c744241801000000     | mov                 dword ptr [esp + 0x18], 1
            //   89f1                 | mov                 ecx, esi
            //   e8????????           |                     
            //   3c0f                 | cmp                 al, 0xf

        $sequence_6 = { f20f114d9c f20f115594 7514 31d2 8d4ddc 42 e8???????? }
            // n = 7, score = 200
            //   f20f114d9c           | movsd               qword ptr [ebp - 0x64], xmm1
            //   f20f115594           | movsd               qword ptr [ebp - 0x6c], xmm2
            //   7514                 | jne                 0x16
            //   31d2                 | xor                 edx, edx
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   42                   | inc                 edx
            //   e8????????           |                     

        $sequence_7 = { e9???????? 8d7c2448 89f9 e8???????? 833f01 0f85ed000000 }
            // n = 6, score = 200
            //   e9????????           |                     
            //   8d7c2448             | lea                 edi, [esp + 0x48]
            //   89f9                 | mov                 ecx, edi
            //   e8????????           |                     
            //   833f01               | cmp                 dword ptr [edi], 1
            //   0f85ed000000         | jne                 0xf3

        $sequence_8 = { 56 53 57 ff750c 50 e8???????? 83c424 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24

        $sequence_9 = { 898d40feffff 89f9 8985d4feffff 8b8570ffffff 8985d8feffff 8b4588 8985dcfeffff }
            // n = 7, score = 200
            //   898d40feffff         | mov                 dword ptr [ebp - 0x1c0], ecx
            //   89f9                 | mov                 ecx, edi
            //   8985d4feffff         | mov                 dword ptr [ebp - 0x12c], eax
            //   8b8570ffffff         | mov                 eax, dword ptr [ebp - 0x90]
            //   8985d8feffff         | mov                 dword ptr [ebp - 0x128], eax
            //   8b4588               | mov                 eax, dword ptr [ebp - 0x78]
            //   8985dcfeffff         | mov                 dword ptr [ebp - 0x124], eax

    // Fires when at least 7 of the 10 sequences are present AND the scanned object
    // is smaller than 598016 bytes (584 KiB). filesize is the size of the whole
    // file or dump being scanned, so a larger dump will not match even if every
    // sequence is found. Since the sequences were taken from unpacked code (see
    // DISCLAIMER), expect matches on unpacked samples and memory rather than on
    // packed on-disk droppers.
    condition:
        7 of them and filesize < 598016
}
[TLP:WHITE] win_fickerstealer_w0   (20210726 | Yara rule for Ficker Stealer)
rule win_fickerstealer_w0 {
  // Hand-written rule from CyberArk's FickerStealer research. "hash" is the sample
  // it was authored against and "source" its upstream location. Note "date" is
  // DD-MM-YYYY, unlike the ISO date used by the auto-generated rule, and
  // malpedia_hash was left empty upstream.
  meta: 
    author = "Ben Cohen, CyberArk"
    date = "22-02-2021"
    version = "1.0"
    hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6"
    source = "https://github.com/cyberark/malware-research/blob/master/FickerStealer/Ficker_Stealer.yar"
    description = "Yara rule for Ficker Stealer"
    malpedia_rule_date = "20210726"
    malpedia_hash = ""
    malpedia_version = "20210726"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
  
  strings:
    // Disabled both here and in the condition. Keep the two comment-outs in sync:
    // YARA rejects a rule that declares a string it never references.
    //$decryption_pattern = { 89 ?? C1 ?? ?? 31 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? C1 ?? ?? 31 }
    // Hex pattern with a 0-4 byte gap ([0-4]). Named by the author as a
    // C2-related constant; its exact role is not verifiable from the bytes alone.
    $c2_const = { 0C 00 0F 0A [0-4] 0B 0A 0B 0A }

    // Plain ASCII, case-sensitive strings (no wide/nocase modifiers). Presumably
    // artifacts of the Rust build described in the CyberArk reference -- not
    // confirmed here.
    $s1 = "kindmessage"
    $s2 = "SomeNone"
    $s3 = ".Kind"

  // Requires the C2 byte pattern, at least one of the three text strings, and the
  // DOS "MZ" magic at offset 0 (uint16 reads little-endian, so "MZ" == 0x5A4D).
  condition:
    //$decryption_pattern and
    $c2_const and
    (1 of ($s*)) and
    uint16(0) == 0x5A4D
}