
Stealc

Global rank: 27
Month rank: 13
Week rank: 10

Stealc is a stealer malware that targets victims' sensitive data, which it exfiltrates from browsers, messaging apps, and other software. Its feature set includes system fingerprinting, an operator control panel, anti-analysis checks and string obfuscation. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2023
Last seen: 29 September, 2025


IOCs

IP addresses
193.106.174.125
194.50.153.69
77.246.99.24
172.86.77.177
172.86.66.22
85.192.40.37
167.235.140.81
193.233.49.95
5.161.97.13
77.105.147.59
172.86.66.42
89.23.98.198
91.201.113.144
45.141.86.121
5.161.66.54
194.50.153.109
94.142.138.121
104.234.10.108
162.33.178.240
89.116.255.177
Hashes
4630f2e42c67690b34c187feee43eabe447c935dea079b5bf1c480de070d097c
aa3df8b8bf546c07264c7f5f91790b25e83359317483e2f0f42aa11cb4ab29f7
e8d1c4f4cea682bee4ba4105f14bab0f6bcec51727080e1bc76993fa82f214fa
5dda23dea89feea09086361d99a9dc1c04f1a2e552a2f5f52cb83d2d8e4e11f8
9c9306c968318a95791dee86bbc6c16f6b1d0f53b5b7d682c2a48a5c6cc1a75e
aebd5e547d9d38dfcf2030986605a800de9f0cdcf27e0d3906b9a00812159870
8c10f794a46fb4dcb0a0a2b4ef9c8980f332e9487dd3200cfb3da2e0d2c2df38
a85528d4fcbc101d6c0fc37aad3e1859ad6e8a2556883900627f5e5f455f4f0d
2fc2dbfc4d287d1cc2fd6021c2b8285f96b8ae83710a7f6cd301ff53418422f4
6a37fb22ba4cf331c954a84f31a730bce22d16a8b86833488c0724f50a338fe7
d6bc2b0f5899b66f3e21c6f8616c02aa218b6fbf292e9131da0414badacfe62e
fafe7d66e5bd7b863c859d329c390978d7e2db8627664e1427f7f184ba7dc24e
9bc696c7c68c2c31cd431ed0af9264fe056942923399b1adb4c55241639bc835
908548cb94a13710b0668aca7ef2045da8ba4443e9edcae7a46e93900856d1a3
a5f2f3c199df73e31969d96acc46694759792ba294c6311d37bb7b72f5e54fde
8a203721f1f1ca0d1026969363b9182a42aade9766d0cb2e296965182b76628d
2249197c31828fc399259ec0264df1eec433a0294253b121616c265b9bcb198b
2645970960a371b535d69137952599f3577b193594e1266b8e6f6d8c9521f024
24169a2e792caa88dea3ded0931e30d920a6bb374920f0ad89ab4eb598ac3565
98ab57ac192335e03016f40e6d1fd05f267fec8c15840ae64ca0ebee2bd10807
Domains
elprogresofood.com
mastercompu.com
thanjainatural.com
facebook.meta-software-worldwide.com
facebook.windows-software-downloads.com
facebook.windows-software-updates.com
facebook.windows-software-updates.cc
talk-chief.gl.at.ply.gg
pdf.rm16.workers.dev
chrome1update.shop
freaks.icu
somebodyonce.shop
mail.wxtp.store
giveitupthousands.shop
hector.su
hotsocks.biz
hotsocks.ws
b1ackstash.cc
bclub.cm
avscan.net
URLs
http://193.233.134.93/fd07ec3137071f71.php
http://publisherget.top/410b5129171f10ea.php
http://weighget.top/410b5129171f10ea.php
http://79.137.206.248/0cf6bfa19d78b1fb.php
http://95.217.102.100/5ae84a6abb1a9a5b.php
http://172.86.77.102/72cd883ebd748330.php
http://45.15.159.188/f2cb651e3e755a0f.php
http://91.103.252.32/ba7ec45efcfa89a3.php
http://unlikeget.top/3886d2276f6914c4.php
http://23.184.48.114/68517e86206d47d9.php
http://adriaenclaeys.top/e9c345fc99a4e67e.php
http://185.161.248.78/eba140b7c5f2f228.php
http://91.212.166.50/812472d22955f523.php
http://77.73.131.100/a2f524d70db7d1a7.php
http://94.131.107.238/3aa13fff14e398a1.php
http://5.42.64.12/4e815d9f1ec482dd.php
http://91.103.253.50/e9131e1df8a3fa06.php
http://michealjohnson.top/e9c345fc99a4e67e.php
http://charlesjones.top/e9c345fc99a4e67e.php
http://217.196.96.138/a737400ffa5db996.php

What is malware: Stealc?

Stealc is an infostealer written in C that has been advertised and sold on dark web forums since the beginning of 2023. It is primarily used to steal sensitive data from web browsers, email clients and messengers, with Discord, Telegram and Outlook among the targeted applications. It can also grab files from infected systems and drop additional malware on them.

According to an interview conducted by threat researcher g0njxa with the developers of the malware, Stealc's distinguishing feature is a PHP control panel that operators host on their own server, which gives them more privacy.


Stealc malicious software technical details

Stealc has a range of functions that make it a serious threat. Its notable features include:

  • Fingerprinting: Stealc collects information about the infected system, including its public IP address, geolocation, hardware ID and OS version.
  • Control Panel: Operators get a control panel for managing campaigns and configuring the malware. The panel lets them browse and sort stolen data and change the build's configuration.
  • Evasion Mechanisms: Stealc checks for virtual or sandbox environments to evade detection. It also uses unconditional jumps to make decompilation more time-consuming and error-prone. Additionally, Stealc checks for the presence of antivirus software and terminates itself if it detects any.
  • String obfuscation: The malware protects its strings with RC4 encryption and base64 encoding, so they are only visible in memory after decoding.
  • Dropping Other Malware: Stealc can download and execute additional payloads on the victim's machine, such as Laplas Clipper, which intercepts clipboard data and replaces cryptocurrency wallet addresses with the attacker's own address.

Stealc depends on external DLLs that are not embedded in the PE but downloaded from a specific URL hosted by the C2. The downloaded DLLs include sqlite3.dll, freebl3.dll, mozglue.dll and others. They give the malware functionality it does not carry itself: reading the SQLite databases in which browsers store their data, and decrypting the credentials stored by Mozilla-based applications. Because the DLLs arrive over the network, a host where a fresh executable is followed by downloads of these exact file names from the same server as the HTTP POST traffic is a strong lead.

After establishing persistence, Stealc begins its communication with the C2 server, first requesting its configuration and then exfiltrating stolen data with the help of HTTP POST requests.
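The two observations above, a POST-only gateway whose URL is a 16-hex-character PHP script (the shape of every URL in the IOC list) and helper DLLs fetched from the same host, can be correlated in a web-proxy log. The following is an added example written for this page, not ANY.RUN's or the Stealc authors' code; the log format, the log lines and the scoring weights are constructed assumptions, and the IOC set is a small excerpt of the list above.

```python
"""Added example, not ANY.RUN's or the Stealc authors' code.

Flags Stealc-style C2 traffic in a web-proxy log using only what this page
states: the C2 gateway is a PHP script named with 16 hex characters (see the
URL IOCs above), the client talks to it with HTTP POST (configuration request
first, exfiltration after), and helper DLLs such as sqlite3.dll, freebl3.dll
and mozglue.dll are fetched from the C2 host rather than carried in the PE.
The log format and the log lines are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# http://<host>/<16 hex chars>.php : the gateway shape of every URL IOC on this page
GATEWAY_RE = re.compile(r"^https?://([^/]+)/([0-9a-f]{16})\.php$", re.IGNORECASE)
# host and final path component of any URL
HOST_FILE_RE = re.compile(r"^https?://([^/]+)/(?:.*/)?([^/?#]+)", re.IGNORECASE)

# DLLs the page names as downloaded from the C2; the page's "etc." means the real set is larger
C2_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll"}

# A few gateway URLs copied from the IOC list above; load the full list in practice
KNOWN_GATEWAYS = {
    "http://193.233.134.93/fd07ec3137071f71.php",
    "http://publisherget.top/410b5129171f10ea.php",
    "http://weighget.top/410b5129171f10ea.php",
}


@dataclass
class Hit:
    src: str
    c2_host: str
    gateway: str
    posts: int
    bytes_out: int
    dlls: set = field(default_factory=set)
    known_ioc: bool = False

    @property
    def score(self) -> int:
        s = 1                              # structural match on the gateway pattern
        s += 3 if self.known_ioc else 0    # exact IOC match
        s += 2 if self.dlls else 0         # the same host also served the helper DLLs
        s += 1 if self.posts >= 2 else 0   # config request followed by exfil POST(s)
        return s


def parse_line(line: str):
    """Constructed format: <ts> <src_ip> <method> <url> <status> <bytes_sent_by_client>."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, url, status, size = parts
    return ts, src, method.upper(), url, int(status), int(size)


def detect(lines):
    """Correlate POSTs to a gateway with DLL fetches from the same host, per client."""
    state = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, method, url, _, size = rec
        m = GATEWAY_RE.match(url)
        if method == "POST" and m:
            host = m.group(1)
            st = state.setdefault((src, host), {"gateway": url, "posts": 0, "bytes": 0, "dlls": set()})
            st["posts"] += 1
            st["bytes"] += size
            continue
        hf = HOST_FILE_RE.match(url)
        if method == "GET" and hf and hf.group(2).lower() in C2_DLLS:
            st = state.setdefault((src, hf.group(1)), {"gateway": "", "posts": 0, "bytes": 0, "dlls": set()})
            st["dlls"].add(hf.group(2).lower())

    hits = []
    for (src, host), st in state.items():
        if st["posts"] == 0:
            continue  # a DLL download alone is not enough: legitimate installers ship these files
        hits.append(Hit(src, host, st["gateway"], st["posts"], st["bytes"], st["dlls"],
                        st["gateway"] in KNOWN_GATEWAYS))
    return sorted(hits, key=lambda h: h.score, reverse=True)


# Constructed proxy log: one infected client, one structural-only match, two benign clients
SAMPLE_LOG = """\
2025-09-29T10:00:01Z 10.0.0.5 POST http://193.233.134.93/fd07ec3137071f71.php 200 412
2025-09-29T10:00:02Z 10.0.0.5 GET http://193.233.134.93/sqlite3.dll 200 0
2025-09-29T10:00:02Z 10.0.0.5 GET http://193.233.134.93/freebl3.dll 200 0
2025-09-29T10:00:03Z 10.0.0.5 GET http://193.233.134.93/mozglue.dll 200 0
2025-09-29T10:00:09Z 10.0.0.5 POST http://193.233.134.93/fd07ec3137071f71.php 200 188430
2025-09-29T10:01:00Z 10.0.0.7 POST http://example.test/9f3a0c2d1b4e5f67.php 200 600
2025-09-29T10:01:30Z 10.0.0.9 GET http://cdn.example.test/downloads/sqlite3.dll 200 0
2025-09-29T10:02:00Z 10.0.0.9 POST http://intranet.example.test/login.php 302 300
"""

if __name__ == "__main__":
    for h in detect(SAMPLE_LOG.splitlines()):
        print(f"score={h.score} src={h.src} c2={h.c2_host} posts={h.posts} "
              f"bytes_out={h.bytes_out} dlls={sorted(h.dlls)} ioc={h.known_ioc}")
```

The structural rule on its own (score 1) will also catch unrelated PHP endpoints with hex names, which is why the example insists on a POST and only raises the score when the same host hands out the helper DLLs or appears in the IOC list; the large second POST is where the stolen data leaves, so the byte count is worth keeping for triage.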

In summary, Stealc steals sensitive data, evades analysis, establishes persistence, and talks to its C2 server over HTTP. That combination makes it a significant threat, and individuals and organizations should take proactive measures against it.

Stealc execution process

To analyze Stealc, we can upload its sample to the ANY.RUN sandbox for detailed analysis.

Stealc infections typically unfold as a multi-stage chain. The initial foothold comes from phishing emails, malicious downloads, or exploitation of software vulnerabilities (see the distribution section below). Once running, the malware may set up persistence so that it survives reboots, and may escalate privileges to reach more of the system and evade detection.

It may also hide from security software with code injection or hooking. Its primary function, however, is collection: login credentials, financial information and personal documents are gathered and exfiltrated to attacker-controlled servers. Encryption and obfuscation are applied along the way to mask its activity and frustrate detection.

Stealc process tree shown in ANY.RUN

In this run, the sample checks the operating system language and registers a scheduled task through the Windows Task Scheduler so that its code is executed repeatedly. Note that a Stealc execution chain often consists of a single process that performs all malicious activity, so the process tree may show little beyond the sample itself and that task creation.
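The scheduled-task step above is the most visible persistence artifact in an otherwise single-process chain. The following is an added example written for this page, not ANY.RUN's or the Stealc authors' code: it parses schtasks.exe command lines from process-creation events and reports tasks that run a payload from a user-writable directory or repeat at a short interval. The event fields follow Sysmon Event ID 1 naming, but the events, paths, task names and thresholds are constructed assumptions.

```python
"""Added example, not ANY.RUN's or the Stealc authors' code.

Hunts the persistence step seen in the process tree above: a scheduled task
registered to re-run a payload. Parses schtasks.exe /create command lines from
process-creation events (Sysmon Event ID 1 field names, flattened to dicts
here) and reports tasks whose action or creating process lives in a
user-writable directory, or whose trigger repeats at a short interval. The
events, paths and task names are constructed; the thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|downloads|public|programdata)\\", re.IGNORECASE)
VALUE_FLAGS = {"/tn", "/tr", "/sc", "/mo", "/st", "/ru", "/rl"}
SHORT_INTERVAL_MINUTES = 10  # assumption: anything this frequent deserves a look


@dataclass
class TaskFinding:
    parent_image: str
    task_name: str
    action: str
    schedule: str
    modifier: Optional[int]
    reasons: list


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {flag: value} for a schtasks /create command line, else None."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not toks or "schtasks" not in toks[0].lower():
        return None
    opts, i = {}, 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in VALUE_FLAGS and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            opts[flag] = True          # bare switches such as /create or /f
            i += 1
    return opts if "/create" in opts else None


def assess(event: dict) -> Optional[TaskFinding]:
    """Score one process-creation event; None when it is not a suspicious task registration."""
    opts = parse_schtasks(event.get("CommandLine", ""))
    if opts is None:
        return None
    action = str(opts.get("/tr", ""))
    schedule = str(opts.get("/sc", "")).lower()
    raw_mo = opts.get("/mo")
    modifier = int(raw_mo) if isinstance(raw_mo, str) and raw_mo.isdigit() else None
    parent = event.get("ParentImage", "")

    reasons = []
    if USER_WRITABLE_RE.search(action):
        reasons.append("task action runs from a user-writable path")
    if USER_WRITABLE_RE.search(parent):
        reasons.append("task created by a process in a user-writable path")
    if schedule == "minute" and (modifier or 1) <= SHORT_INTERVAL_MINUTES:
        reasons.append(f"repeats every {modifier or 1} minute(s)")
    if not reasons:
        return None
    if str(opts.get("/ru", "")).lower() == "system":
        reasons.append("runs as SYSTEM")   # supporting evidence only, never sufficient alone
    return TaskFinding(parent, str(opts.get("/tn", "")), action, schedule, modifier, reasons)


def scan(events):
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed process-creation events (Sysmon EID 1 field names)
SAMPLE_EVENTS = [
    {   # the pattern from the sandbox run: a payload in Temp registers itself to re-run every 5 minutes
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\setup_x64.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /tn "ChromeUpdateTaskMachine" '
                       r'/tr "C:\Users\victim\AppData\Local\Temp\setup_x64.exe" /sc minute /mo 5 /f',
    },
    {   # benign admin task: action under Program Files, daily trigger, parent in System32
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
    },
    {   # unrelated process
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\victim\Documents\notes.txt",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.task_name!r} -> {f.action} [{f.schedule} /mo {f.modifier}] created by {f.parent_image}")
        for r in f.reasons:
            print("   -", r)
```

Command-line parsing only sees tasks registered through schtasks.exe; a sample that calls the Task Scheduler COM API directly never spawns that process, so pair this with Security event 4698 (a scheduled task was created) or Microsoft-Windows-TaskScheduler/Operational event 106, which carry the task's XML definition regardless of how it was registered.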


Stealc malware distribution methods

Attackers employ various methods to distribute Stealc malware. One of the most common methods is the use of fake websites offering legitimate software for download. Users are tricked into downloading Stealc instead of the program they were looking for.

Another distribution method is through malicious email attachments. Attackers send phishing emails with malicious attachments, such as Microsoft Office documents or PDF files, that contain the Stealc payload.

Stealc can also be dropped by loaders, malicious programs designed to download and install other malware onto a compromised system. One example is CrackedCantil, a loader that has been observed dropping Stealc alongside other stealers such as Lumma, RisePro, and RedLine.

Conclusion

Stealc is an advanced malware that can steal sensitive data, evade detection, and maintain persistence on compromised devices. To safeguard against such threats, individuals and organizations need to take proactive measures. ANY.RUN is an online sandbox that provides an effective solution for this purpose.

ANY.RUN's sandbox provides a secure and isolated environment for running and analyzing malware samples. This allows users to observe the behavior of the malware without putting their systems at risk. The detailed technical reports generated by ANY.RUN provide insights into the malware's functionality, communication patterns, and other important characteristics.
