
Ficker Stealer is an information stealer that harvests passwords, files, credit card details, and other sensitive data from Windows systems. It is most often distributed via phishing emails and can perform keylogging, process injection, and browser tracking.

Type: Stealer
Origin: ex-USSR
First seen: 10 August, 2020
Last seen: 22 September, 2025


IOCs

IP addresses
45.137.149.167
80.87.192.115
37.0.8.225
Hashes

Domains
sweyblidian.com
lukkeze.club
jfdewff.link
ed2efjw.link
wejqwed.link
fasdas.link
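The IOCs above are only useful once they are matched against your own telemetry. The following Python is an added example (not part of the original page or of ANY.RUN's tooling) that scans DNS-resolver and proxy log lines for the listed IPs and domains. The log layout ("timestamp source client key=value ...") and the sample lines are constructed for the example; the domain check walks label by label so that a look-alike such as notlukkeze.club does not match lukkeze.club, which a naive endswith() check would get wrong.

```python
import ipaddress
import re

# IOCs from the list above: the IP addresses and domains published for Ficker Stealer.
IOC_IPS = {"45.137.149.167", "80.87.192.115", "37.0.8.225"}
IOC_DOMAINS = {
    "sweyblidian.com", "lukkeze.club", "jfdewff.link",
    "ed2efjw.link", "wejqwed.link", "fasdas.link",
}

# Constructed sample log (not from the page): one event per line, in an assumed
# "<timestamp> <source> <client-ip> key=value ..." layout.  A resolver logs
# query=/answer=, a proxy logs dst=ip:port and host=.  Line 4 is a decoy:
# "notlukkeze.club" must not match "lukkeze.club".
SAMPLE_LOG = """\
2025-09-22T10:01:02Z dns 10.0.0.5 query=www.example.com answer=93.184.216.34
2025-09-22T10:01:09Z dns 10.0.0.5 query=cdn.sweyblidian.com answer=45.137.149.167
2025-09-22T10:02:15Z proxy 10.0.0.7 dst=80.87.192.115:443 host=-
2025-09-22T10:03:40Z proxy 10.0.0.9 dst=104.16.0.1:443 host=notlukkeze.club
2025-09-22T10:04:01Z dns 10.0.0.5 query=fasdas.link answer=37.0.8.225
"""

KV = re.compile(r"(\w+)=(\S+)")


def domain_matches(name, iocs):
    """Return the IOC domain that `name` equals or is a subdomain of, else None.
    Walking label by label avoids the classic suffix bug where a plain
    endswith() check lets 'notlukkeze.club' match 'lukkeze.club'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def ip_matches(value, iocs):
    """Return the IOC IP contained in `value` (an IP or IPv4 'ip:port'), else None."""
    ip = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ip if ip in iocs else None


def scan_log(text, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Return a list of (timestamp, client, field, ioc) for every IOC hit in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, _source, client = parts[:3]
        fields = dict(KV.findall(" ".join(parts[3:])))
        for key in ("query", "host"):
            if fields.get(key, "-") != "-":
                hit = domain_matches(fields[key], ioc_domains)
                if hit:
                    hits.append((ts, client, key, hit))
        for key in ("answer", "dst"):
            if fields.get(key, "-") != "-":
                hit = ip_matches(fields[key], ioc_ips)
                if hit:
                    hits.append((ts, client, key, hit))
    return hits


def hosts_to_investigate(text):
    """Client IPs that touched any IOC, for handing off to incident response."""
    return sorted({client for _ts, client, _field, _ioc in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print("investigate:", hosts_to_investigate(SAMPLE_LOG))
```

Against the constructed log this yields five hits on two clients (10.0.0.5 and 10.0.0.7) and correctly ignores the decoy host. Bear in mind that stealer C2 infrastructure rotates quickly, so treat an IP hit as a lead to confirm with the "Last seen" date and the sandbox report rather than as proof on its own.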


What is Ficker Stealer malware?

Ficker Stealer is an information stealer written in the Rust programming language and sold openly online under the Malware-as-a-Service (MaaS) model. Its primary function is to extract confidential data from computers running Windows. Thanks to its modular design, the malware can be configured to steal specific types of data. Commonly targeted information includes passwords, Windows Credential Manager entries, cryptocurrency wallets, credit card details, and email and chat content.

The malware has been active since 2020 and is still maintained by its developers. It can also update itself, fetching fresh builds automatically from its C2 server. The original creators of Ficker Stealer remain unidentified, but they most likely hail from one of the ex-USSR countries.

Technical details of the Ficker Stealer malicious software

Ficker Stealer sets itself apart from other stealers such as RedLine or Arkei by being written in Rust, a language that combines performance on par with C and C++ with built-in memory safety. For its operators, Rust makes it easier to build complex, reliable malware without the memory-corruption bugs that plague C/C++ code. For analysts, Rust binaries are large, statically linked and full of compiler- and library-generated code, so reverse engineering them takes noticeably more effort than a typical C/C++ stealer, and signatures written for older families rarely carry over.

Ficker Stealer is engineered to extract confidential data from a victim's system. Once executed, it uses a range of techniques to collect sensitive information, including:

  • Keylogging: it records the victim's keyboard input to capture passwords and other confidential data.
  • Browser tracking: it tracks the user's browser activity and harvests login credentials, autocomplete data, cookies, and browsing history.
  • Process injection: Ficker can inject itself into legitimate processes on the victim's system, gaining access to protected parts of the system and hiding behind a trusted process name.
  • File extraction: the malware can be configured to collect specific files from the compromised machine.
  • Loader functionality: attackers can use the malware to drop and execute additional malicious programs.

In addition, Ficker Stealer encrypts the data it sends to its C2, so the exfiltrated information cannot be read if the traffic is intercepted. It reports back to the operators after each successful collection and leaves no records or logs on the victim machine, which makes reconstructing its activity during forensic analysis a difficult task. It also runs without downloading or loading any additional DLLs at runtime, which keeps it self-contained and stealthy.

Execution process of Ficker Stealer

The malicious behavior of Ficker Stealer can be easily uncovered by uploading it to the ANY.RUN sandbox. Here is a sample of this malware on the platform.

Ficker Stealer in ANY.RUN

Ficker is a typical representative of the stealer family: it makes as little noise as possible on the infected system. The plan is simple: get onto the system, start executing, steal credentials and other information, and stay invisible to security solutions for as long as possible.

Ficker Stealer configuration extracted in ANY.RUN

Like other malware families, Ficker may alter its execution flow, but it does so in a plain and simple manner. Because stealers try to stay inconspicuous, you may see less activity during Ficker's execution than you would normally expect from malware. Once it has collected everything it was configured to steal, the malware may stop and delete itself from the infected system, although this behaviour varies between versions and configurations.


Distribution methods of the Ficker Stealer malware

Ficker Stealer can reach a victim's PC in several ways:

  • Attackers may compromise a website so that it serves the malware to visitors (a drive-by download). Such websites may look legitimate, so users run the downloaded file without realising that their device has been compromised.
  • The most common delivery method, however, is phishing email campaigns. Attackers use social engineering to get people to open a file containing malicious macros. In many observed cases Ficker Stealer has been delivered by the Hancitor loader.
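Since macro-laden Office documents are the usual carrier, a mail gateway or triage script can at least flag them before a user ever opens one. The Python below is an added example, not code from the page or from ANY.RUN: it inspects an OOXML attachment (a zip container) for a VBA project part and additionally reports when that part sits under an extension such as .docx that is not supposed to carry macros. The in-memory sample documents are constructed stand-ins, not real Word files; only the part names matter for the check.

```python
import io
import zipfile

# Where OOXML stores a VBA project, per application (Word, Excel, PowerPoint).
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that legitimately carry macros; a VBA project under any other
# Office extension is an attempt to look harmless.
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm"}


def build_sample_document(with_macro):
    """Construct a minimal OOXML-style zip in memory for testing.
    This is a stand-in, not a real Word file; only the part names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin files are OLE containers (D0 CF 11 E0 signature).
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage_attachment(filename, data):
    """Classify an attachment as 'not-ooxml', 'malformed', 'clean' or 'suspicious',
    returning (verdict, reasons).  Suspicious means the zip carries a VBA project;
    a non-macro extension hiding one is reported as an extra reason."""
    reasons = []
    if not data.startswith(b"PK\x03\x04"):
        return "not-ooxml", reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return "malformed", ["zip container unreadable"]
    found = [p for p in MACRO_PARTS if p in names]
    if not found:
        return "clean", reasons
    reasons.append("embedded VBA project: " + ", ".join(found))
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in MACRO_EXTS:
        reasons.append("VBA project under non-macro extension " + (ext or "(none)"))
    return "suspicious", reasons


if __name__ == "__main__":
    for name, doc in (("invoice.docm", build_sample_document(True)),
                      ("invoice.docx", build_sample_document(True)),
                      ("report.docx", build_sample_document(False))):
        print(name, triage_attachment(name, doc))
```

This check only says that a VBA project is present, not that it is malicious; whether macro-bearing attachments are quarantined outright or routed to sandbox analysis is a policy decision. Legacy binary formats (.doc/.xls, OLE containers starting with D0 CF 11 E0) are not zips and need a library such as olefile or oletools to inspect, which the example deliberately does not cover.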

Conclusion

Ficker Stealer is a serious threat to Windows users. To protect your system from this malware, exercise caution with your email inbox: if an email comes from an unfamiliar sender or its contents look suspicious, do not open it or click any links it contains.

Instead, you can analyze these samples in the ANY.RUN malware analysis sandbox to promptly discover whether your file or URL is malicious or not. The platform lets you interact with malware in a safe VM environment in real time. Thanks to ANY.RUN, you can get an exhaustive overview of any threat’s behavior and gain insight into its IOCs, TTPs, and other crucial details.

Try ANY.RUN for free – request a demo!
