Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Stealc

22
Global rank
14 infographic chevron month
Month rank
15 infographic chevron week
Week rank
0
IOCs

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Stealer
Type
ex-USSR
Origin
1 January, 2023
First seen
16 April, 2025
Last seen

How to analyze Stealc with ANY.RUN

Type
ex-USSR
Origin
1 January, 2023
First seen
16 April, 2025
Last seen

IOCs

IP addresses
193.106.174.125
194.50.153.69
77.246.99.24
172.86.66.22
172.86.77.177
85.192.40.37
167.235.140.81
193.233.49.95
5.161.97.13
91.201.113.144
5.161.66.54
77.105.147.59
172.86.66.42
194.50.153.109
45.141.86.121
89.23.98.198
162.33.178.221
89.116.255.177
104.234.10.108
162.33.178.240
Domains
interactiedovspm.shop
bassizcellskz.shop
deallerospfosu.shop
studennotediw.store
quialitsuzoxm.shop
locatedblsoqp.shop
celebratioopz.shop
commandejorsk.site
languagedscie.shop
gutterydhowi.shop
deicedosmzj.shop
southedhiscuso.shop
weiggheticulop.shop
greetycruthsuo.shop
caffegclasiqwp.shop
drawzhotdog.shop
branchtriviawlek.shop
writerospzm.shop
charecteristicdxp.shop
ghostreedmnu.shop
URLs
http://171.22.28.221/5c06c05b7b34e8e6.php
http://5.42.64.41/40d570f44e84a454.php
http://185.172.128.79/3886d2276f6914c4.php
http://5.42.92.211/
http://5.42.64.41/
http://185.172.128.24/40d570f44e84a454.php
http://104.245.33.157/99210de056092a58.php
http://185.172.128.79/3886d22766914c4.php
http://185.17.40.133/ba91ff2f6a996325.php
http://185.172.128.24/40d570f44e84a44.php
http://45.15.157.217/cbb264a91564bd6c.php
http://109.107.181.33/de4846fc29f26952.php
http://45.87.153.135/5d4f090c730016b1.php
http://149.255.35.132/e50ac16f7b113954.php
http://5.42.66.58/3886d2276f6914c4.php
http://176.124.198.17/1da263bff25c8346.php
http://5.42.66.36/1fa9cf51b66b1f7e.php
http://5.42.66.57/3886d2276f6914c4.php
http://5.42.65.54/4ea69013b92ecb73.php
http://77.91.76.36/3886d2276f6914c4.php
Last Seen at
Last Seen at

Recent blog posts

post image
How Indicators of Compromise, Attack, and Beh...
watchers 23
comments 0
post image
Malware Trends Report, Q1 2025: Get Your Copy
watchers 66
comments 0
post image
Malware Signatures: How Cybersecurity Teams U...
watchers 67
comments 0

What is malware: Stealc?

Stealc is an infostealer written in C that has been promoted and sold on DarkWeb forums since the beginning of 2023. This malware is primarily used to steal sensitive data from programs, such as web browsers, email clients and messengers. Some examples of such software include Discord, Telegram, and Outlook. This malicious software also has the capability to grab files from infected systems and drop additional malware on them.

According to an interview conducted by threat researcher g0njxa with the developers of the malware, the unique feature of Stealc is the provision of a PHP control panel that has to be hosted on the operator's own server, which gives them more privacy.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Stealc malicious software technical details

Stealc has a range of functions that make it a serious threat. Here are some of its notable features:

  • Fingerprinting: Stealc collects different info about the infected system, including public IP address, geolocation, hardware ID, OS version, etc.
  • Control Panel: Attackers are provided with a control panel for managing attacks and configuring the malware. The panel allows attackers to manipulate stolen data and make changes to their campaigns.
  • Evasion Mechanisms: Stealc checks for virtual or sandbox environments to evade detection. It also uses unconditional jumps to make the decompilation process more time-consuming and error-prone. Additionally, Stealc checks for the presence of antivirus software and terminates itself if it detects any.
  • String obfuscation: The malware relies on RC4 encryption and base64 encoding to protect its strings.
  • Dropping Other Malware: Stealc can also upload additional malicious software on to the victim’s machine, such as Laplas Clipper, which intercepts clipboard data and replaces cryptocurrency wallet addresses with the attacker's own address.

Stealc requires external DLLs that are not embedded in the PE but rather downloaded from a specific URL hosted by the C2. The downloaded DLLs include sqlite3.dll, freebl3.dll, mozglue.dll, etc. These DLLs provide additional functionality to the malware, such as interacting with SQLite databases, encrypting data, and interacting with Mozilla-based applications.

After establishing persistence, Stealc begins its communication with the C2 server, first requesting its configuration and then exfiltrating stolen data with the help of HTTP POST requests.

In summary, Stealc is a sophisticated malware that can steal sensitive data, evade detection, establish persistence, and communicate with a C2 server. Its unique features and capabilities make it a significant threat to cybersecurity. It is crucial for individuals and organizations to take proactive measures to protect themselves from such threats.

Stealc execution process

To analyze Stealc, we can upload its sample to the ANY.RUN sandbox for detailed analysis.

Stealc malware typically operates through a multi-stage execution chain to compromise systems and steal sensitive information. Initially, it may infiltrate a target system through various means such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once inside, it may establish persistence mechanisms to ensure its continued operation even after system reboots. Stealc then proceeds to escalate its privileges to gain deeper access to the system and evade detection.

It often employs techniques like code injection or hooking to hide its presence from security software. Finally, the malware executes its primary function of stealing data, such as login credentials, financial information, or personal documents, and exfiltrates it to remote servers controlled by the attackers. Throughout this process, Stealc may employ encryption and obfuscation techniques to further mask its activities and evade detection by security measures.

Stealc process tree shown in ANY.RUN Stealc process tree demonstrated in ANY.RUN

In the example, the malware checks the operating system language and creates a scheduled task through the Windows Task Scheduler to repeatedly execute malicious code. However, the execution chain of Stealc often consists of a single process that performs all malicious activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Stealc malware distribution methods

Attackers employ various methods to distribute Stealc malware. One of the most common methods is the use of fake websites offering legitimate software for download. Users are tricked into downloading Stealc instead of the program they were looking for.

Another distribution method is through malicious email attachments. Attackers send phishing emails with malicious attachments, such as Microsoft Office documents or PDF files, that contain the Stealc payload.

Stealc can also be dropped by loaders, malicious programs that are designed to download and install other malware onto a compromised system. One example is CrackedCantil, which is a loader that has been observed dropping Stealc, as well as other ones, such as Lumma, RisePro, and RedLine.

Conclusion

Stealc is an advanced malware that can steal sensitive data, evade detection, and maintain persistence on compromised devices. To safeguard against such threats, individuals and organizations need to take proactive measures. ANY.RUN is an online sandbox that provides an effective solution for this purpose.

ANY.RUN's sandbox provides a secure and isolated environment for running and analyzing malware samples. This allows users to observe the behavior of the malware without putting their systems at risk. The detailed technical reports generated by ANY.RUN provide insights into the malware's functionality, communication patterns, and other important characteristics.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Cactus Ransomware screenshot
Cactus ransomware-as-a-service (RaaS) was first caught in March 2023 targeting corporate networks. It became known for its self-encrypting payload and double extortion tactics. Cactus primarily targets large enterprises across industries in finance, manufacturing, IT, and healthcare. It is known for using custom encryption techniques, remote access tools, and penetration testing frameworks to maximize damage.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More