Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Stealc

22
Global rank
13 infographic chevron month
Month rank
12 infographic chevron week
Week rank
0
IOCs

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Stealer
Type
ex-USSR
Origin
1 January, 2023
First seen
12 February, 2025
Last seen

How to analyze Stealc with ANY.RUN

Type
ex-USSR
Origin
1 January, 2023
First seen
12 February, 2025
Last seen

IOCs

IP addresses
193.106.174.125
194.50.153.69
77.246.99.24
172.86.66.22
167.235.140.81
172.86.77.177
85.192.40.37
45.141.86.121
193.233.49.95
5.161.97.13
5.161.66.54
91.201.113.144
194.50.153.109
89.23.98.198
172.86.66.42
77.105.147.59
89.116.255.177
94.142.138.75
162.33.178.240
162.33.178.221
Domains
traineiwnqo.shop
languagedscie.shop
millyscroqwp.shop
mennyudosirso.shop
spirittunek.store
commandejorsk.site
studennotediw.store
ccibchdgfjbhhfk.top
nlafhhiffkceadc.top
bidjdlegcnincee.top
anldfaggmdbglen.top
iblaehgffmflamn.top
hjbamcnnkmfjbld.top
jejmbadfmeenlnk.top
nuvye89bjz4.top
diebinjmajbkhhg.top
shd9inbjz4.top
ohunhebzhbu3.top
evoliutwoqm.shop
poubnxu3jubz.top
URLs
http://5.42.64.41/40d570f44e84a454.php
http://185.172.128.79/3886d2276f6914c4.php
http://5.42.92.211/
http://5.42.64.41/
http://185.172.128.24/40d570f44e84a454.php
http://104.245.33.157/99210de056092a58.php
http://185.172.128.79/3886d22766914c4.php
http://185.17.40.133/ba91ff2f6a996325.php
http://185.172.128.24/40d570f44e84a44.php
http://45.15.157.217/cbb264a91564bd6c.php
http://109.107.181.33/de4846fc29f26952.php
http://45.87.153.135/5d4f090c730016b1.php
http://149.255.35.132/e50ac16f7b113954.php
http://5.42.66.58/3886d2276f6914c4.php
http://176.124.198.17/1da263bff25c8346.php
http://5.42.66.36/1fa9cf51b66b1f7e.php
http://5.42.66.57/3886d2276f6914c4.php
http://5.42.65.54/4ea69013b92ecb73.php
http://77.91.76.36/3886d2276f6914c4.php
http://95.216.72.17/cdc8cb4ba5f9dfaa.php
Last Seen at
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 220
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 596
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1488
comments 0

What is malware: Stealc?

Stealc is an infostealer written in C that has been promoted and sold on DarkWeb forums since the beginning of 2023. This malware is primarily used to steal sensitive data from programs, such as web browsers, email clients and messengers. Some examples of such software include Discord, Telegram, and Outlook. This malicious software also has the capability to grab files from infected systems and drop additional malware on them.

According to an interview conducted by threat researcher g0njxa with the developers of the malware, the unique feature of Stealc is the provision of a PHP control panel that has to be hosted on the operator's own server, which gives them more privacy.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Stealc malicious software technical details

Stealc has a range of functions that make it a serious threat. Here are some of its notable features:

  • Fingerprinting: Stealc collects different info about the infected system, including public IP address, geolocation, hardware ID, OS version, etc.
  • Control Panel: Attackers are provided with a control panel for managing attacks and configuring the malware. The panel allows attackers to manipulate stolen data and make changes to their campaigns.
  • Evasion Mechanisms: Stealc checks for virtual or sandbox environments to evade detection. It also uses unconditional jumps to make the decompilation process more time-consuming and error-prone. Additionally, Stealc checks for the presence of antivirus software and terminates itself if it detects any.
  • String obfuscation: The malware relies on RC4 encryption and base64 encoding to protect its strings.
  • Dropping Other Malware: Stealc can also upload additional malicious software on to the victim’s machine, such as Laplas Clipper, which intercepts clipboard data and replaces cryptocurrency wallet addresses with the attacker's own address.

Stealc requires external DLLs that are not embedded in the PE but rather downloaded from a specific URL hosted by the C2. The downloaded DLLs include sqlite3.dll, freebl3.dll, mozglue.dll, etc. These DLLs provide additional functionality to the malware, such as interacting with SQLite databases, encrypting data, and interacting with Mozilla-based applications.

After establishing persistence, Stealc begins its communication with the C2 server, first requesting its configuration and then exfiltrating stolen data with the help of HTTP POST requests.

In summary, Stealc is a sophisticated malware that can steal sensitive data, evade detection, establish persistence, and communicate with a C2 server. Its unique features and capabilities make it a significant threat to cybersecurity. It is crucial for individuals and organizations to take proactive measures to protect themselves from such threats.

Stealc execution process

To analyze Stealc, we can upload its sample to the ANY.RUN sandbox for detailed analysis.

Stealc malware typically operates through a multi-stage execution chain to compromise systems and steal sensitive information. Initially, it may infiltrate a target system through various means such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once inside, it may establish persistence mechanisms to ensure its continued operation even after system reboots. Stealc then proceeds to escalate its privileges to gain deeper access to the system and evade detection.

It often employs techniques like code injection or hooking to hide its presence from security software. Finally, the malware executes its primary function of stealing data, such as login credentials, financial information, or personal documents, and exfiltrates it to remote servers controlled by the attackers. Throughout this process, Stealc may employ encryption and obfuscation techniques to further mask its activities and evade detection by security measures.

Stealc process tree shown in ANY.RUN Stealc process tree demonstrated in ANY.RUN

In the example, the malware checks the operating system language and creates a scheduled task through the Windows Task Scheduler to repeatedly execute malicious code. However, the execution chain of Stealc often consists of a single process that performs all malicious activities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Stealc malware distribution methods

Attackers employ various methods to distribute Stealc malware. One of the most common methods is the use of fake websites offering legitimate software for download. Users are tricked into downloading Stealc instead of the program they were looking for.

Another distribution method is through malicious email attachments. Attackers send phishing emails with malicious attachments, such as Microsoft Office documents or PDF files, that contain the Stealc payload.

Stealc can also be dropped by loaders, malicious programs that are designed to download and install other malware onto a compromised system. One example is CrackedCantil, which is a loader that has been observed dropping Stealc, as well as other ones, such as Lumma, RisePro, and RedLine.

Conclusion

Stealc is an advanced malware that can steal sensitive data, evade detection, and maintain persistence on compromised devices. To safeguard against such threats, individuals and organizations need to take proactive measures. ANY.RUN is an online sandbox that provides an effective solution for this purpose.

ANY.RUN's sandbox provides a secure and isolated environment for running and analyzing malware samples. This allows users to observe the behavior of the malware without putting their systems at risk. The detailed technical reports generated by ANY.RUN provide insights into the malware's functionality, communication patterns, and other important characteristics.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More