Over the last week (26th of July 2021), CERT-AGID observed a malspam campaign whose intent was to spread the FickerStealer malware via the Hancitor loader to steal the credentials present on the victim’s machine. The emails, themed “Pagamenti” (“Payments”), carried an attached Word or Excel document containing macros that download and execute the malware.


Hancitor is a loader, that is, malware whose task is to download (or extract) and execute a second malware to control the machine. In the case of Hancitor, several research teams have identified FickerStealer, Sendsafe, and Cobalt Strike Beacons as payloads.

The malware is detected in the form of Word documents or Excel spreadsheets containing a DLL file and the macros necessary for its extraction and execution via the Microsoft RunDll32.exe program.
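
One way to detect the execution chain described above, added here as an example and not taken from the CERT-AGID report: it flags `rundll32.exe` processes whose parent is Word or Excel and extracts the DLL and export from the command line. The field names follow Sysmon process-creation events (an assumption about the log source), and the sample events, hosts, paths and export names are constructed.

```python
import ntpath
import re

# Parents taken from the report: the macros live in Word or Excel documents.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Matches: rundll32[.exe] <dll>,<export>  (DLL path optionally quoted).
RUNDLL_ARGS = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)

def image_name(path):
    """Lower-cased executable name from a full Windows path."""
    return ntpath.basename(path.strip().strip('"')).lower()

def flag_office_rundll32(events):
    """Return one finding per rundll32.exe process created by Word or Excel."""
    findings = []
    for ev in events:
        if image_name(ev.get("Image", "")) != "rundll32.exe":
            continue
        parent = image_name(ev.get("ParentImage", ""))
        if parent not in OFFICE_PARENTS:
            continue
        m = RUNDLL_ARGS.search(ev.get("CommandLine", ""))
        findings.append({
            "host": ev.get("Computer"),
            "parent": parent,
            "dll": m.group("dll").strip() if m else None,
            "export": m.group("export") if m else None,
        })
    return findings

# Constructed sample events (hosts, paths and export names are made up).
SAMPLE_EVENTS = [
    {"Computer": "ws-01", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\sample.dll,ExampleExport"},
    {"Computer": "ws-02", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Computer": "ws-03", "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\bob\My Files\sample2.dll",Start'},
    {"Computer": "ws-04", "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 8192"},
]

if __name__ == "__main__":
    print(*flag_office_rundll32(SAMPLE_EVENTS), sep="\n")
```

Only the two Office-parented `rundll32.exe` events are reported; the Explorer-launched control panel call and the Word print helper are ignored.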


FickerStealer is a Malware-as-a-Service (MaaS). This type of malware is offered to criminal groups affiliated with the developers’ group and requires the payment of an access fee for the (time-limited) use of the malware.

In the case of FickerStealer, the product was advertised on Russian forums in the second half of 2020 and channels dedicated to supporting its use on Telegram were opened. Specifically, as observed by CERT-AGID, prices vary from $90 for a week up to $900 for six months of activity.

The malware is part of the Info-Stealer family and was designed to steal credentials and sensitive data present in the operating system, installed browsers and other software such as WinSCP, FileZilla, Steam, Discord and ThunderBird.

In addition, FickerStealer enumerates the crypto-wallets present in the system’s C:\Users\<UserName>\AppData\Roaming folder and does not run if the system language is one of the following:

  • ru-RU (Russia)
  • be-BY (Belarus)
  • uz-UZ (Uzbekistan)
  • ua-UA (Ukraine)
  • hy-AM (Armenia)
  • kk-KZ (Kazakhstan)
  • az-AZ (Azerbaijan)

Static Analysis

DLL File


FickerStealer Hancitor


File Size: 249856 bytes
VirusTotal Score: 35/62


The Indicators of Compromise made available by CERT-AGID are listed below.


