BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details


Global rank
20 infographic chevron month
Month rank
23 infographic chevron week
Week rank

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

1 January, 2023
First seen
16 April, 2024
Last seen

How to analyze Stealc with ANY.RUN

1 January, 2023
First seen
16 April, 2024
Last seen


IP addresses
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q1, 2024
watchers 166
comments 0
post image
Understand Encryption in Malware: From Basics...
watchers 553
comments 0
post image
ANY.RUN for Enterprises: Learn About Our Most...
watchers 301
comments 0

What is malware: Stealc?

Stealc is an infostealer written in C that has been promoted and sold on DarkWeb forums since the beginning of 2023. This malware is primarily used to steal sensitive data from programs, such as web browsers, email clients and messengers. Some examples of such software include Discord, Telegram, and Outlook. This malicious software also has the capability to grab files from infected systems and drop additional malware on them.

According to an interview conducted by threat researcher g0njxa with the developers of the malware, the unique feature of Stealc is the provision of a PHP control panel that has to be hosted on the operator's own server, which gives them more privacy.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Stealc malicious software technical details

Stealc has a range of functions that make it a serious threat. Here are some of its notable features:

  • Fingerprinting: Stealc collects different info about the infected system, including public IP address, geolocation, hardware ID, OS version, etc.
  • Control Panel: Attackers are provided with a control panel for managing attacks and configuring the malware. The panel allows attackers to manipulate stolen data and make changes to their campaigns.
  • Evasion Mechanisms: Stealc checks for virtual or sandbox environments to evade detection. It also uses unconditional jumps to make the decompilation process more time-consuming and error-prone. Additionally, Stealc checks for the presence of antivirus software and terminates itself if it detects any.
  • String obfuscation: The malware relies on RC4 encryption and base64 encoding to protect its strings.
  • Dropping Other Malware: Stealc can also upload additional malicious software on to the victim’s machine, such as Laplas Clipper, which intercepts clipboard data and replaces cryptocurrency wallet addresses with the attacker's own address.

Stealc requires external DLLs that are not embedded in the PE but rather downloaded from a specific URL hosted by the C2. The downloaded DLLs include sqlite3.dll, freebl3.dll, mozglue.dll, etc. These DLLs provide additional functionality to the malware, such as interacting with SQLite databases, encrypting data, and interacting with Mozilla-based applications.

After establishing persistence, Stealc begins its communication with the C2 server, first requesting its configuration and then exfiltrating stolen data with the help of HTTP POST requests.

In summary, Stealc is a sophisticated malware that can steal sensitive data, evade detection, establish persistence, and communicate with a C2 server. Its unique features and capabilities make it a significant threat to cybersecurity. It is crucial for individuals and organizations to take proactive measures to protect themselves from such threats.

Stealc execution process

To analyze Stealc, we can upload its sample to the ANY.RUN sandbox for detailed analysis.

Stealc malware typically operates through a multi-stage execution chain to compromise systems and steal sensitive information. Initially, it may infiltrate a target system through various means such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once inside, it may establish persistence mechanisms to ensure its continued operation even after system reboots. Stealc then proceeds to escalate its privileges to gain deeper access to the system and evade detection.

It often employs techniques like code injection or hooking to hide its presence from security software. Finally, the malware executes its primary function of stealing data, such as login credentials, financial information, or personal documents, and exfiltrates it to remote servers controlled by the attackers. Throughout this process, Stealc may employ encryption and obfuscation techniques to further mask its activities and evade detection by security measures.

In the example, the malware checks the operating system language and creates a scheduled task through the Windows Task Scheduler to repeatedly execute malicious code. However, the execution chain of Stealc often consists of a single process that performs all malicious activities.

Stealc process tree shown in ANY.RUN Stealc process tree demonstrated in ANY.RUN

Stealc malware distribution methods

Attackers employ various methods to distribute Stealc malware. One of the most common methods is the use of fake websites offering legitimate software for download. Users are tricked into downloading Stealc instead of the program they were looking for.

Another distribution method is through malicious email attachments. Attackers send phishing emails with malicious attachments, such as Microsoft Office documents or PDF files, that contain the Stealc payload.

Stealc can also be dropped by loaders, malicious programs that are designed to download and install other malware onto a compromised system. One example is CrackedCantil, which is a loader that has been observed dropping Stealc, as well as other ones, such as Lumma, RisePro, and RedLine.


Stealc is an advanced malware that can steal sensitive data, evade detection, and maintain persistence on compromised devices. To safeguard against such threats, individuals and organizations need to take proactive measures. ANY.RUN is an online sandbox that provides an effective solution for this purpose.

ANY.RUN's sandbox provides a secure and isolated environment for running and analyzing malware samples. This allows users to observe the behavior of the malware without putting their systems at risk. The detailed technical reports generated by ANY.RUN provide insights into the malware's functionality, communication patterns, and other important characteristics.

Create your ANY.RUN account – it’s free!


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy