
Stealc


Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2023
Last seen: 16 April, 2024




What is malware: Stealc?

Stealc is an infostealer written in C that has been promoted and sold on dark web forums since the beginning of 2023. This malware is primarily used to steal sensitive data from programs such as web browsers, email clients and messengers; examples of such software include Discord, Telegram, and Outlook. It is also capable of grabbing files from infected systems and dropping additional malware on them.

According to an interview conducted by threat researcher g0njxa with the developers of the malware, the unique feature of Stealc is the provision of a PHP control panel that has to be hosted on the operator's own server, which gives them more privacy.


Stealc malicious software technical details

Stealc has a range of functions that make it a serious threat. Here are some of its notable features:

  • Fingerprinting: Stealc collects different info about the infected system, including public IP address, geolocation, hardware ID, OS version, etc.
  • Control Panel: Attackers are provided with a control panel for managing attacks and configuring the malware. The panel allows attackers to manipulate stolen data and make changes to their campaigns.
  • Evasion Mechanisms: Stealc checks for virtual or sandbox environments to evade detection. It also uses unconditional jumps to make the decompilation process more time-consuming and error-prone. Additionally, Stealc checks for the presence of antivirus software and terminates itself if it detects any.
  • String obfuscation: The malware relies on RC4 encryption and base64 encoding to protect its strings.
  • Dropping Other Malware: Stealc can also deliver additional malicious software onto the victim’s machine, such as Laplas Clipper, which intercepts clipboard data and replaces cryptocurrency wallet addresses with the attacker's own address.
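The string-obfuscation point above (RC4 plus base64) is the kind of layering an analyst reverses to recover a sample's plaintext strings. The helper below is an added example, not code from the original page or from the malware: it implements plain RC4 and assumes the layering is RC4 first, then base64 (so base64 is the outer layer); the key and the encoded blobs are constructed for the demonstration.

```python
import base64
from typing import List


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). RC4 is symmetric, so the
    same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_string(key: bytes, blob: str) -> str:
    """Reverse the assumed layering: strip base64, then RC4-decrypt."""
    return rc4_crypt(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def encode_string(key: bytes, text: str) -> str:
    """Apply the same layering forward; used here only to build test data."""
    return base64.b64encode(rc4_crypt(key, text.encode("utf-8"))).decode("ascii")


def decode_all(key: bytes, blobs: List[str]) -> List[str]:
    """Decode a list of obfuscated strings pulled from a sample."""
    return [decode_string(key, b) for b in blobs]


# Constructed demo key and strings (not values from a real sample).
DEMO_KEY = b"demo-rc4-key"
DEMO_PLAIN = ["sqlite3.dll", "freebl3.dll", "mozglue.dll", "SELECT * FROM logins"]
DEMO_BLOBS = [encode_string(DEMO_KEY, s) for s in DEMO_PLAIN]

if __name__ == "__main__":
    for blob, plain in zip(DEMO_BLOBS, decode_all(DEMO_KEY, DEMO_BLOBS)):
        print(f"{blob:32} -> {plain}")
```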

Stealc requires external DLLs that are not embedded in the PE but rather downloaded from a specific URL hosted by the C2. The downloaded DLLs include sqlite3.dll, freebl3.dll, mozglue.dll, etc. These DLLs provide additional functionality to the malware, such as interacting with SQLite databases, encrypting data, and interacting with Mozilla-based applications.

After establishing persistence, Stealc begins its communication with the C2 server, first requesting its configuration and then exfiltrating stolen data with the help of HTTP POST requests.
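The two network traits described above (helper DLLs fetched over HTTP from the C2, followed by HTTP POST exfiltration to the same host) can be combined into a single detection over proxy logs. The code below is an added example, not from the original page; the log format, the bare-IP host filter and the sample log lines are constructed assumptions, and the DLL names are those the page lists.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Helper DLLs the page says Stealc downloads from its C2 rather than embedding.
STEALC_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll"}
BARE_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed proxy log layout: "<timestamp> <client-ip> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) http://(?P<host>[^/]+)(?P<path>\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_stealc_like_hosts(lines: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Return (client, host) pairs where the client fetched at least one Stealc
    helper DLL from a bare-IP host over plain HTTP AND sent a POST to that same
    host. Requiring both halves avoids flagging ordinary DLL downloads."""
    dll_hits: Dict[Tuple[str, str], set] = defaultdict(set)
    post_hits: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec or not BARE_IP_HOST.match(rec["host"]):
            continue
        key = (rec["src"], rec["host"])
        name = rec["path"].rsplit("/", 1)[-1].lower()
        if rec["method"] == "GET" and name in STEALC_DLLS:
            dll_hits[key].add(name)
        elif rec["method"] == "POST":
            post_hits[key] += 1
    return {k: sorted(v) for k, v in dll_hits.items() if post_hits[k] > 0}


# Constructed sample log (documentation IP ranges, not real indicators).
SAMPLE_LOG = """\
2024-04-16T10:01:02Z 10.0.0.5 GET http://203.0.113.10/c2/sqlite3.dll
2024-04-16T10:01:03Z 10.0.0.5 GET http://203.0.113.10/c2/freebl3.dll
2024-04-16T10:01:03Z 10.0.0.5 GET http://203.0.113.10/c2/mozglue.dll
2024-04-16T10:01:09Z 10.0.0.5 POST http://203.0.113.10/0123456789abcdef.php
2024-04-16T10:02:00Z 10.0.0.7 GET http://cdn.example.com/sqlite3.dll
2024-04-16T10:03:00Z 10.0.0.8 GET http://198.51.100.4/sqlite3.dll
""".splitlines()

if __name__ == "__main__":
    for (src, host), dlls in find_stealc_like_hosts(SAMPLE_LOG).items():
        print(f"{src} -> {host}: fetched {', '.join(dlls)} then POSTed")
```

The second and third clients are deliberately not flagged: one fetched the DLL from a named host, the other never POSTed back.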

In summary, Stealc is a sophisticated malware that can steal sensitive data, evade detection, establish persistence, and communicate with a C2 server. Its unique features and capabilities make it a significant threat to cybersecurity. It is crucial for individuals and organizations to take proactive measures to protect themselves from such threats.

Stealc execution process

To analyze Stealc, we can upload its sample to the ANY.RUN sandbox for detailed analysis.

Stealc malware typically operates through a multi-stage execution chain to compromise systems and steal sensitive information. Initially, it may infiltrate a target system through various means such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once inside, it may establish persistence mechanisms to ensure its continued operation even after system reboots. Stealc then proceeds to escalate its privileges to gain deeper access to the system and evade detection.

It often employs techniques like code injection or hooking to hide its presence from security software. Finally, the malware executes its primary function of stealing data, such as login credentials, financial information, or personal documents, and exfiltrates it to remote servers controlled by the attackers. Throughout this process, Stealc may employ encryption and obfuscation techniques to further mask its activities and evade detection by security measures.

In the example, the malware checks the operating system language and creates a scheduled task through the Windows Task Scheduler to repeatedly execute malicious code. However, the execution chain of Stealc often consists of a single process that performs all malicious activities.

Stealc process tree shown in ANY.RUN

Stealc malware distribution methods

Attackers employ various methods to distribute Stealc malware. One of the most common methods is the use of fake websites offering legitimate software for download. Users are tricked into downloading Stealc instead of the program they were looking for.

Another distribution method is through malicious email attachments. Attackers send phishing emails with malicious attachments, such as Microsoft Office documents or PDF files, that contain the Stealc payload.

Stealc can also be dropped by loaders, malicious programs designed to download and install other malware onto a compromised system. One example is CrackedCantil, a loader that has been observed dropping Stealc as well as other malware families, such as Lumma, RisePro, and RedLine.

Conclusion

Stealc is an advanced malware that can steal sensitive data, evade detection, and maintain persistence on compromised devices. To safeguard against such threats, individuals and organizations need to take proactive measures. ANY.RUN is an online sandbox that provides an effective solution for this purpose.

ANY.RUN's sandbox provides a secure and isolated environment for running and analyzing malware samples. This allows users to observe the behavior of the malware without putting their systems at risk. The detailed technical reports generated by ANY.RUN provide insights into the malware's functionality, communication patterns, and other important characteristics.
