BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
63
Global rank
72 infographic chevron month
Month rank
79
Week rank
339
IOCs

Ficker Stealer is a malware that steals passwords, files, credit card details, and other types of sensitive information on Windows systems. It is most often distributed via phishing emails and can perform keylogging, process injection, and browser tracking.

Stealer
Type
ex-USSR
Origin
10 August, 2020
First seen
25 March, 2024
Last seen

How to analyze Ficker Stealer with ANY.RUN

Type
ex-USSR
Origin
10 August, 2020
First seen
25 March, 2024
Last seen

IOCs

IP addresses
80.87.192.115
45.137.149.167
37.0.8.225
Hashes
90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14
9fc4c09d4cb89762626fce008d9840abb128c99ec3cd162eed684c67418149d7
5264cba383d033b281e0d9c097225f350fa4cb4aa910621638e79c8659ac4035
95db6418da0c11842b06ec98495f327dca6428ce7575798d2c3a36eecac508a2
3ba446e8536427d61e5a46027cf0b60603cc9875fd91df2f3603e6ade817c33f
405b4e79bf4af05c56d6528b4579e41164e164f837ef42d6f0d6c893149bee84
f65f33a2f6741ca3049842949fe4c52a850bb326447c91ec4ed577eb931e9dfe
456e86c827d3b4018aa9d78ad50ef6a301d512c92fc3e1dc8a6c9fa1ea6cfbfd
73d34ceec57d41cab2e4b22046898b531fe0b59ab16c533c7eee3a52caf29848
1dc71b031a0b1656329498a627d49a6f566b76eaeba05fc0e46c0e5d7cf08910
b5f23be5b1dc9d750f22b4fe616dfaf657c0424f40f100fa5b4bf6448537c12d
fde86687975a5ad9475f7a794077bcb8e2404cc70e1662930be15384d3a6edda
b351d9c203058e53b29af03537881b7793d88303bd98874bf07fcd767fe150b8
c5f622cae8634c8605286bf6094c59c0037e22d1bd9cb91042260a6cef36e239
fd4b6264161f112a08c9fe50daa5a3db93be4c1621eecf32b5698dac5daa13bb
664ed6ed7e3992bdf022771e85f3ccf0930649b105cfe38c6fd1adad75f3b479
f91270accf55c937b2892fd1238217680ec529838d440abefe6eb6fbd911d5f7
a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6
47181981ad6157b93ba5eb32bd2712035205df94a5977afa549efab6677fdb95
9c7b166c818edf7bda6a112376c7bb20dd704ac9eb74be1d387af077a82dc620
Domains
sweyblidian.com
fasdas.link
lukkeze.club
wejqwed.link
jfdewff.link
ed2efjw.link
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q1, 2024
watchers 156
comments 0
post image
Understand Encryption in Malware: From Basics...
watchers 547
comments 0
post image
ANY.RUN for Enterprises: Learn About Our Most...
watchers 298
comments 0

What is Ficker Stealer malware?

Ficker Stealer is a type of malicious software written in the Rust programming language, which is openly sold on the internet via the Malware-as-a-Service (MaaS) model. Its primary function is to extract confidential data from computers running Windows operating systems. Due to its modular design, the malware can be easily configured to steal specific forms of data. For instance, some of the common types of information targeted by it include passwords, Windows Credential Manager data, crypto wallets, credit card details, and email and chat content.

The malware has been active since 2020 and continues to receive full support from its developers to this day. In fact, it possesses the capability of self-updating, allowing it to automatically get fresh updates from the C2 server. Although the original creators of Ficker Stealer remain unidentified, it is likely that they hail from one of the ex-USSR countries.

Technical details of the Ficker Stealer malicious software

Ficker Stealer sets itself apart from other stealers such as RedLine or Arkei by utilizing Rust, a programming language that offers improved performance and safety features compared to its predecessors such as C++. Rust's efficiency helps criminals develop more complex malicious programs, while its built-in safety mechanisms prevent various vulnerabilities within the code. As a result, identifying and combating Rust-based malware can be a tall order for researchers.

Ficker Stealer is engineered to illicitly extract confidential data from a victim's computing system. Once executed, it deploys an array of sophisticated techniques to collect sensitive information, including:

  • Keylogging: It records the victim's keyboard input to obtain passwords and other confidential data.
  • Browser tracking: it is capable of tracking users’ browser activities and harvesting information such as login credentials, autocomplete data, cookies, and browsing history.
  • Process injection: Ficker can inject itself into legitimate processes within the victim's system, gaining access to protected parts of the system.
  • File extraction: The malware can be configured to gather various files from the compromised machine.
  • Loader functionality: Attackers can utilize the malware to drop and execute other malicious programs.

Additionally, to safeguard the data transferred to its C2 from being intercepted, Ficker Stealer utilizes encryption. What’s more, it reports back to the attackers following each successful operation, leaving no records or logs on the target computer. Subsequently, tracking Ficker's activities can be an intricate task. It also operates without the need for any extra DLLs to be downloaded or loaded at runtime, which enhances its stealth and efficiency.

Execution process of Ficker Stealer

The malicious behavior of Ficker Stealer can be easily uncovered by uploading it to the ANY.RUN sandbox. Here is a sample of this malware on the platform.

Ficker Stelaler in ANY.RUN Ficker Stelaler in ANY.RUN

Ficker is a typical representative of the stealer malware family. It creates as little noise as possible in the infected system. The main idea: make its way into the system, start execution, steal information and credentials and try to stay invisible without alerting security solutions about the threat for as long as possible.

Ficker Stelaler configuration extracted in ANY.RUN Ficker Stelaler configuration extracted in ANY.RUN

Like other malware families, this particular family may alter execution flows, but it will do so in a way that remains plain and simple. Stealers usually attempt to be less visible, so you may notice reduced activity during the execution of the Ficker, compared to what you might typically expect. After all the information is stolen, the malware may halt its execution and delete itself from the infected system. However, this behavior can vary across different versions and settings.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution methods of the Ficker Stealer malware

Ficker Stealer can end up on a victim’s PC in several ways:

  • Attackers may implant malicious code into websites’ infrastructure, which then gets automatically downloaded onto the devices of visitors. Such websites may look legitimate and, as a result, users may execute these downloaded files, while not being aware that their device has been compromised.
  • Yet, the most common way Ficker Stealer reaches target computers is through phishing email campaigns. Attackers may exploit social engineering techniques to get people to download a file containing malicious macros. It has been observed that in many instances Ficker Stealer relies on the Hancitor loader for delivery.

Conclusion

Ficker Stealer is a serious threat to MS Windows users. To protect your system from this malware, you must exercise caution when accessing your email inbox. If you come across an email from an unfamiliar sender or if its contents appear suspicious, it is in your best interest to refrain from opening it or clicking on any links.

Instead, you can analyze these samples in the ANY.RUN malware analysis sandbox to promptly discover whether your file or URL is malicious or not. The platform lets you interact with malware in a safe VM environment in real time. Thanks to ANY.RUN, you can get an exhaustive overview of any threat’s behavior and gain insight into its IOCs, TTPs, and other crucial details.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy