Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

StrelaStealer

77
Global rank
30 infographic chevron month
Month rank
34 infographic chevron week
Week rank
0
IOCs

StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.

Stealer
Type
Unknown
Origin
1 November, 2022
First seen
13 December, 2024
Last seen

How to analyze StrelaStealer with ANY.RUN

Type
Unknown
Origin
1 November, 2022
First seen
13 December, 2024
Last seen

IOCs

URLs
http://94.159.113.48/server.php
http://193.109.85.231/server.php
http://91.215.85.209/server.php
http://45.9.74.12/server.php
http://193.109.85.77/server.php
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 265
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1404
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1839
comments 0

What is StrelaStealer malware?

StrelaStealer is an information-stealing malware first observed in late 2022, primarily targeting login credentials from popular email clients. This malware is known for its large-scale phishing campaigns, particularly across Europe and the United States, where it has successfully compromised numerous organizations.

The malware is predominantly distributed through phishing emails containing malicious attachments, such as ZIP files or ISO files, which execute the payload once opened.

StrelaStealer employs various obfuscation and anti-analysis techniques to evade detection, including control flow obfuscation and removing PDB strings, making it increasingly difficult for security tools to detect and analyze.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

StrelaStealer malware technical details

StrelaStealer’s primary function is to steal email login information, which is then transmitted back to the attacker’s command-and-control (C2) server.

This stolen data can be used to conduct further malicious activities, such as sending spam emails, launching spear-phishing attacks, or exfiltrating sensitive information.

Although it is not explicitly marketed as Malware-as-a-Service (MaaS), the ongoing development and frequent updates suggest that it is actively maintained and potentially distributed through cybercriminal networks.

The primary capabilities of the StrelaStealer malware include:

  • Stealing login credentials from popular email clients, capturing usernames and passwords.
  • Transmitting stolen email login data to the attacker’s command-and-control (C2) server.
  • Distributing itself through large-scale phishing campaigns, often targeting organizations in the EU and U.S.
  • Using advanced obfuscation methods, such as control flow obfuscation, to evade detection and hinder analysis.
  • Utilizing compromised email accounts to send out further phishing emails, perpetuating the attack cycle.
  • Adapting its payload delivery methods, changing file formats and attachment types to avoid detection by static security measures.
  • Ensuring it remains active on infected systems through various persistence techniques, making removal difficult.

StrelaStealer execution process

To see how StrelaStealer operates, let’s launch an analysis session using its sample in the ANY.RUN sandbox.

As noted, StrelaStealer is primarily distributed through phishing emails that often contain ZIP file attachments. These emails typically use localized language and subject lines resembling invoices or bills (e.g., "Factura/Rechnung/Invoice###/PO###") to lure victims into opening them. When a victim opens the ZIP file, it contains a JScript file that, upon execution, may drop a base64-encoded file and a batch file onto the system.

The batch file utilizes the certutil -f decode command to decode the base64 file, which creates a Portable Executable (PE) DLL file. The DLL file is then executed using the rundll32.exe or regsvr32.exe process, specifically calling an exported function (often named "hello" in the latest variants) to initiate the malware's operations.

In our sample, the command line contains "davwwwroot" in the path to the downloaded DLL file.

StelaStealer report in ANY.RUN Process graph of StelaStealer displayed by ANY.RUN sandbox

Once executed, StrelaStealer is designed to steal email login credentials from popular email clients such as Outlook and Thunderbird. The stolen credentials are then sent back to the attacker's Command and Control (C2) server for further exploitation.

The latest variants of StrelaStealer employ advanced obfuscation techniques, including control flow obfuscation and the removal of debugging symbols (PDB strings), making it more challenging for security analysts to detect and analyze the malware. The malware's code includes excessively long arithmetic instructions to complicate execution in sandbox environments, potentially causing timeouts during analysis.

Since its emergence in 2022, StrelaStealer has targeted over 100 organizations across the U.S. and Europe, with significant campaigns observed in late 2023 and early 2024. The threat actors continue to adapt their strategies to evade detection while maximizing the impact of their attacks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

StrelaStealer malware distribution methods

StrelaStealer is primarily distributed through:

  • Phishing emails: Emails with malicious attachments (e.g., ZIP or ISO files) or links that lead to malware downloads.
  • Loaders: Initial malware that infects the system and then downloads StrelaStealer.
  • Fake websites: Sites mimicking legitimate services, tricking users into downloading the malware.

Conclusion

StrelaStealer is a dangerous malware due to its ability to steal email credentials, evade detection through advanced obfuscation techniques, and spread rapidly via phishing campaigns. Its ongoing development and adaptability make it a persistent threat to organizations.

ANY.RUN is a cloud-based interactive malware analysis platform that enables users to safely analyze and observe the behavior of malicious files in a secure environment. It provides real-time insights, helping security professionals collect indicators of compromise (IOCs) and understand the tactics used by malware like StrelaStealer, ultimately strengthening defenses against such threats.

Sign up for a free ANY.RUN account today and take your cybersecurity to the next level.

HAVE A LOOK AT

Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More