Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

StrelaStealer

109
Global rank
137 infographic chevron month
Month rank
156 infographic chevron week
Week rank
0
IOCs

StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.

Stealer
Type
Unknown
Origin
1 November, 2022
First seen
13 June, 2026
Last seen

How to analyze StrelaStealer with ANY.RUN

Type
Unknown
Origin
1 November, 2022
First seen
13 June, 2026
Last seen

IOCs

URLs
http://193.109.85.77/server.php
http://193.109.85.231/server.php
http://45.9.74.12/server.php
http://91.215.85.209/server.php
http://94.159.113.48/server.php
Last Seen at

Recent blog posts

post image
Hidden Infrastructure Exposed: ANY.RUN Reveal...
watchers 4232
comments 0
post image
​​Kratos PhaaS Targets US and EU: How to Redu...
watchers 8849
comments 0
post image
US Threat Landscape Alert: 30 Active Malware...
watchers 7132
comments 0

What is StrelaStealer malware?

StrelaStealer is an information-stealing malware first observed in late 2022, primarily targeting login credentials from popular email clients. This malware is known for its large-scale phishing campaigns, particularly across Europe and the United States, where it has successfully compromised numerous organizations.

The malware is predominantly distributed through phishing emails containing malicious attachments, such as ZIP files or ISO files, which execute the payload once opened.

StrelaStealer employs various obfuscation and anti-analysis techniques to evade detection, including control flow obfuscation and removing PDB strings, making it increasingly difficult for security tools to detect and analyze.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

StrelaStealer malware technical details

StrelaStealer’s primary function is to steal email login information, which is then transmitted back to the attacker’s command-and-control (C2) server.

This stolen data can be used to conduct further malicious activities, such as sending spam emails, launching spear-phishing attacks, or exfiltrating sensitive information.

Although it is not explicitly marketed as Malware-as-a-Service (MaaS), the ongoing development and frequent updates suggest that it is actively maintained and potentially distributed through cybercriminal networks.

The primary capabilities of the StrelaStealer malware include:

  • Stealing login credentials from popular email clients, capturing usernames and passwords.
  • Transmitting stolen email login data to the attacker’s command-and-control (C2) server.
  • Distributing itself through large-scale phishing campaigns, often targeting organizations in the EU and U.S.
  • Using advanced obfuscation methods, such as control flow obfuscation, to evade detection and hinder analysis.
  • Utilizing compromised email accounts to send out further phishing emails, perpetuating the attack cycle.
  • Adapting its payload delivery methods, changing file formats and attachment types to avoid detection by static security measures.
  • Ensuring it remains active on infected systems through various persistence techniques, making removal difficult.

StrelaStealer execution process

To see how StrelaStealer operates, let’s launch an analysis session using its sample in the ANY.RUN sandbox.

As noted, StrelaStealer is primarily distributed through phishing emails that often contain ZIP file attachments. These emails typically use localized language and subject lines resembling invoices or bills (e.g., "Factura/Rechnung/Invoice###/PO###") to lure victims into opening them. When a victim opens the ZIP file, it contains a JScript file that, upon execution, may drop a base64-encoded file and a batch file onto the system.

The batch file utilizes the certutil -f decode command to decode the base64 file, which creates a Portable Executable (PE) DLL file. The DLL file is then executed using the rundll32.exe or regsvr32.exe process, specifically calling an exported function (often named "hello" in the latest variants) to initiate the malware's operations.

In our sample, the command line contains "davwwwroot" in the path to the downloaded DLL file.

StelaStealer report in ANY.RUN Process graph of StelaStealer displayed by ANY.RUN sandbox

Once executed, StrelaStealer is designed to steal email login credentials from popular email clients such as Outlook and Thunderbird. The stolen credentials are then sent back to the attacker's Command and Control (C2) server for further exploitation.

The latest variants of StrelaStealer employ advanced obfuscation techniques, including control flow obfuscation and the removal of debugging symbols (PDB strings), making it more challenging for security analysts to detect and analyze the malware. The malware's code includes excessively long arithmetic instructions to complicate execution in sandbox environments, potentially causing timeouts during analysis.

Since its emergence in 2022, StrelaStealer has targeted over 100 organizations across the U.S. and Europe, with significant campaigns observed in late 2023 and early 2024. The threat actors continue to adapt their strategies to evade detection while maximizing the impact of their attacks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

StrelaStealer malware distribution methods

StrelaStealer is primarily distributed through:

  • Phishing emails: Emails with malicious attachments (e.g., ZIP or ISO files) or links that lead to malware downloads.
  • Loaders: Initial malware that infects the system and then downloads StrelaStealer.
  • Fake websites: Sites mimicking legitimate services, tricking users into downloading the malware.

Conclusion

StrelaStealer is a dangerous malware due to its ability to steal email credentials, evade detection through advanced obfuscation techniques, and spread rapidly via phishing campaigns. Its ongoing development and adaptability make it a persistent threat to organizations.

ANY.RUN is a cloud-based interactive malware analysis platform that enables users to safely analyze and observe the behavior of malicious files in a secure environment. It provides real-time insights, helping security professionals collect indicators of compromise (IOCs) and understand the tactics used by malware like StrelaStealer, ultimately strengthening defenses against such threats.

Sign up for a free ANY.RUN account today and take your cybersecurity to the next level.

HAVE A LOOK AT

Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
SalatStealer screenshot
SalatStealer
salatstealer
SalatStealer, also known as WEB_RAT or Salat Stealer, is a Go-based information-stealing malware targeting Windows systems. It operates as a Malware-as-a-Service (MaaS) focusing on harvesting browser credentials, cryptocurrency wallets, and session data from popular applications like Telegram and Steam.
Read More
PXA Stealer screenshot
PXA Stealer
pxastealer
PXA Stealer is an information-stealing malware that targets individuals and organizations in 60+ countries. It spreads via phishing, archives, and fake software updates. DLL sideloading, decoy documents, and obfuscation help it evade security tools. Exfiltrated data is exfiltrated and monetized through underground marketplaces.
Read More
WarmCookie screenshot
WarmCookie
badspace
WarmCookie is a backdoor malware that cyber attackers use to gain initial access to targeted systems. It is often distributed through phishing emails, frequently using job recruitment lures to entice victims into downloading and executing the malware.
Read More
Neptune RAT screenshot
Neptune RAT is a Visual Basic .NET remote access trojan that gives attackers full control over infected Windows machines while stealing credentials from 270+ applications, hijacking cryptocurrency transactions, spying on victims in real time, and, in its most destructive mode, wiping the operating system entirely. Marketed openly on GitHub, Telegram, and YouTube as the "Most Advanced RAT," it is distributed under a malware-as-a-service model.
Read More