BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Stealc

30
Global rank
2 infographic chevron month
Month rank
3 infographic chevron week
Week rank
0
IOCs

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Stealer
Type
ex-USSR
Origin
1 January, 2023
First seen
30 October, 2024
Last seen

How to analyze Stealc with ANY.RUN

Type
ex-USSR
Origin
1 January, 2023
First seen
30 October, 2024
Last seen

IOCs

IP addresses
193.106.174.125
194.50.153.69
77.246.99.24
172.86.66.22
172.86.77.177
167.235.140.81
85.192.40.37
45.141.86.121
5.161.97.13
77.105.147.59
5.161.66.54
193.233.49.95
172.86.66.42
91.201.113.144
194.50.153.109
89.23.98.198
89.116.255.177
94.142.138.75
104.234.10.108
162.33.178.240
Domains
darkblow.com
myultimate.xyz
ultimategame.xyz
cozyworld.io
fatoreader.net
cozymeta.com
nor-tex.world
us08web.us
lunacy4.com
meet.google.cdm-join.us
us6web-zoom.us
millyscroqwp.shop
mybattleforge.xyz
calipsoproject.com
stamppreewntnq.shop
cozyweb3.com
cozymeta.xyz
cozymeta.fun
cozyland.xyz
carolinejuskus.com
URLs
http://5.42.92.211/
http://5.42.64.41/40d570f44e84a454.php
http://5.42.64.41/
http://185.172.128.79/3886d2276f6914c4.php
http://185.172.128.24/40d570f44e84a454.php
http://104.245.33.157/99210de056092a58.php
http://185.172.128.79/3886d22766914c4.php
http://185.17.40.133/ba91ff2f6a996325.php
http://185.172.128.24/40d570f44e84a44.php
http://45.15.157.217/cbb264a91564bd6c.php
http://109.107.181.33/de4846fc29f26952.php
http://45.87.153.135/5d4f090c730016b1.php
http://149.255.35.132/e50ac16f7b113954.php
http://5.42.66.58/3886d2276f6914c4.php
http://176.124.198.17/1da263bff25c8346.php
http://5.42.66.36/1fa9cf51b66b1f7e.php
http://5.42.66.57/3886d2276f6914c4.php
http://5.42.65.54/4ea69013b92ecb73.php
http://77.91.76.36/3886d2276f6914c4.php
http://95.216.72.17/cdc8cb4ba5f9dfaa.php
Last Seen at

Recent blog posts

post image
How TI Feeds Support Organizational Performan...
watchers 123
comments 0
post image
Recent Cyber Attacks Discovered by ANY.RUN: O...
watchers 407
comments 0
post image
Notifications in Threat Intelligence Lookup 
watchers 881
comments 0

What is malware: Stealc?

Stealc is an infostealer written in C that has been promoted and sold on DarkWeb forums since the beginning of 2023. This malware is primarily used to steal sensitive data from programs, such as web browsers, email clients and messengers. Some examples of such software include Discord, Telegram, and Outlook. This malicious software also has the capability to grab files from infected systems and drop additional malware on them.

According to an interview conducted by threat researcher g0njxa with the developers of the malware, the unique feature of Stealc is the provision of a PHP control panel that has to be hosted on the operator's own server, which gives them more privacy.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Stealc malicious software technical details

Stealc has a range of functions that make it a serious threat. Here are some of its notable features:

  • Fingerprinting: Stealc collects different info about the infected system, including public IP address, geolocation, hardware ID, OS version, etc.
  • Control Panel: Attackers are provided with a control panel for managing attacks and configuring the malware. The panel allows attackers to manipulate stolen data and make changes to their campaigns.
  • Evasion Mechanisms: Stealc checks for virtual or sandbox environments to evade detection. It also uses unconditional jumps to make the decompilation process more time-consuming and error-prone. Additionally, Stealc checks for the presence of antivirus software and terminates itself if it detects any.
  • String obfuscation: The malware relies on RC4 encryption and base64 encoding to protect its strings.
  • Dropping Other Malware: Stealc can also upload additional malicious software on to the victim’s machine, such as Laplas Clipper, which intercepts clipboard data and replaces cryptocurrency wallet addresses with the attacker's own address.

Stealc requires external DLLs that are not embedded in the PE but rather downloaded from a specific URL hosted by the C2. The downloaded DLLs include sqlite3.dll, freebl3.dll, mozglue.dll, etc. These DLLs provide additional functionality to the malware, such as interacting with SQLite databases, encrypting data, and interacting with Mozilla-based applications.

After establishing persistence, Stealc begins its communication with the C2 server, first requesting its configuration and then exfiltrating stolen data with the help of HTTP POST requests.

In summary, Stealc is a sophisticated malware that can steal sensitive data, evade detection, establish persistence, and communicate with a C2 server. Its unique features and capabilities make it a significant threat to cybersecurity. It is crucial for individuals and organizations to take proactive measures to protect themselves from such threats.

Stealc execution process

To analyze Stealc, we can upload its sample to the ANY.RUN sandbox for detailed analysis.

Stealc malware typically operates through a multi-stage execution chain to compromise systems and steal sensitive information. Initially, it may infiltrate a target system through various means such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once inside, it may establish persistence mechanisms to ensure its continued operation even after system reboots. Stealc then proceeds to escalate its privileges to gain deeper access to the system and evade detection.

It often employs techniques like code injection or hooking to hide its presence from security software. Finally, the malware executes its primary function of stealing data, such as login credentials, financial information, or personal documents, and exfiltrates it to remote servers controlled by the attackers. Throughout this process, Stealc may employ encryption and obfuscation techniques to further mask its activities and evade detection by security measures.

Stealc process tree shown in ANY.RUN Stealc process tree demonstrated in ANY.RUN

In the example, the malware checks the operating system language and creates a scheduled task through the Windows Task Scheduler to repeatedly execute malicious code. However, the execution chain of Stealc often consists of a single process that performs all malicious activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Stealc malware distribution methods

Attackers employ various methods to distribute Stealc malware. One of the most common methods is the use of fake websites offering legitimate software for download. Users are tricked into downloading Stealc instead of the program they were looking for.

Another distribution method is through malicious email attachments. Attackers send phishing emails with malicious attachments, such as Microsoft Office documents or PDF files, that contain the Stealc payload.

Stealc can also be dropped by loaders, malicious programs that are designed to download and install other malware onto a compromised system. One example is CrackedCantil, which is a loader that has been observed dropping Stealc, as well as other ones, such as Lumma, RisePro, and RedLine.

Conclusion

Stealc is an advanced malware that can steal sensitive data, evade detection, and maintain persistence on compromised devices. To safeguard against such threats, individuals and organizations need to take proactive measures. ANY.RUN is an online sandbox that provides an effective solution for this purpose.

ANY.RUN's sandbox provides a secure and isolated environment for running and analyzing malware samples. This allows users to observe the behavior of the malware without putting their systems at risk. The detailed technical reports generated by ANY.RUN provide insights into the malware's functionality, communication patterns, and other important characteristics.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More