Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

StrelaStealer

83
Global rank
88 infographic chevron month
Month rank
104 infographic chevron week
Week rank
0
IOCs

StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.

Stealer
Type
Unknown
Origin
1 November, 2022
First seen
13 March, 2025
Last seen

How to analyze StrelaStealer with ANY.RUN

Type
Unknown
Origin
1 November, 2022
First seen
13 March, 2025
Last seen

IOCs

URLs
http://94.159.113.48/server.php
http://193.109.85.231/server.php
http://91.215.85.209/server.php
http://45.9.74.12/server.php
http://193.109.85.77/server.php
Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 316
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 414
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 576
comments 0

What is StrelaStealer malware?

StrelaStealer is an information-stealing malware first observed in late 2022, primarily targeting login credentials from popular email clients. This malware is known for its large-scale phishing campaigns, particularly across Europe and the United States, where it has successfully compromised numerous organizations.

The malware is predominantly distributed through phishing emails containing malicious attachments, such as ZIP files or ISO files, which execute the payload once opened.

StrelaStealer employs various obfuscation and anti-analysis techniques to evade detection, including control flow obfuscation and removing PDB strings, making it increasingly difficult for security tools to detect and analyze.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

StrelaStealer malware technical details

StrelaStealer’s primary function is to steal email login information, which is then transmitted back to the attacker’s command-and-control (C2) server.

This stolen data can be used to conduct further malicious activities, such as sending spam emails, launching spear-phishing attacks, or exfiltrating sensitive information.

Although it is not explicitly marketed as Malware-as-a-Service (MaaS), the ongoing development and frequent updates suggest that it is actively maintained and potentially distributed through cybercriminal networks.

The primary capabilities of the StrelaStealer malware include:

  • Stealing login credentials from popular email clients, capturing usernames and passwords.
  • Transmitting stolen email login data to the attacker’s command-and-control (C2) server.
  • Distributing itself through large-scale phishing campaigns, often targeting organizations in the EU and U.S.
  • Using advanced obfuscation methods, such as control flow obfuscation, to evade detection and hinder analysis.
  • Utilizing compromised email accounts to send out further phishing emails, perpetuating the attack cycle.
  • Adapting its payload delivery methods, changing file formats and attachment types to avoid detection by static security measures.
  • Ensuring it remains active on infected systems through various persistence techniques, making removal difficult.

StrelaStealer execution process

To see how StrelaStealer operates, let’s launch an analysis session using its sample in the ANY.RUN sandbox.

As noted, StrelaStealer is primarily distributed through phishing emails that often contain ZIP file attachments. These emails typically use localized language and subject lines resembling invoices or bills (e.g., "Factura/Rechnung/Invoice###/PO###") to lure victims into opening them. When a victim opens the ZIP file, it contains a JScript file that, upon execution, may drop a base64-encoded file and a batch file onto the system.

The batch file utilizes the certutil -f decode command to decode the base64 file, which creates a Portable Executable (PE) DLL file. The DLL file is then executed using the rundll32.exe or regsvr32.exe process, specifically calling an exported function (often named "hello" in the latest variants) to initiate the malware's operations.

In our sample, the command line contains "davwwwroot" in the path to the downloaded DLL file.

StelaStealer report in ANY.RUN Process graph of StelaStealer displayed by ANY.RUN sandbox

Once executed, StrelaStealer is designed to steal email login credentials from popular email clients such as Outlook and Thunderbird. The stolen credentials are then sent back to the attacker's Command and Control (C2) server for further exploitation.

The latest variants of StrelaStealer employ advanced obfuscation techniques, including control flow obfuscation and the removal of debugging symbols (PDB strings), making it more challenging for security analysts to detect and analyze the malware. The malware's code includes excessively long arithmetic instructions to complicate execution in sandbox environments, potentially causing timeouts during analysis.

Since its emergence in 2022, StrelaStealer has targeted over 100 organizations across the U.S. and Europe, with significant campaigns observed in late 2023 and early 2024. The threat actors continue to adapt their strategies to evade detection while maximizing the impact of their attacks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

StrelaStealer malware distribution methods

StrelaStealer is primarily distributed through:

  • Phishing emails: Emails with malicious attachments (e.g., ZIP or ISO files) or links that lead to malware downloads.
  • Loaders: Initial malware that infects the system and then downloads StrelaStealer.
  • Fake websites: Sites mimicking legitimate services, tricking users into downloading the malware.

Conclusion

StrelaStealer is a dangerous malware due to its ability to steal email credentials, evade detection through advanced obfuscation techniques, and spread rapidly via phishing campaigns. Its ongoing development and adaptability make it a persistent threat to organizations.

ANY.RUN is a cloud-based interactive malware analysis platform that enables users to safely analyze and observe the behavior of malicious files in a secure environment. It provides real-time insights, helping security professionals collect indicators of compromise (IOCs) and understand the tactics used by malware like StrelaStealer, ultimately strengthening defenses against such threats.

Sign up for a free ANY.RUN account today and take your cybersecurity to the next level.

HAVE A LOOK AT

Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More