
Statc

aka: Statc Stealer, Static Stealer

Statc Stealer is a Windows information stealer whose initial access is a malvertising lure: the victim is shown a fake Google advertisement, and clicking it delivers the loader that infects the machine. Once running, the stealer harvests sensitive data from the host, including credentials stored in web browsers, saved credit card data and cryptocurrency wallet details. A compromised host exposes the victim to identity theft, cryptocurrency theft and follow-on malware, and any credentials or sessions captured should be treated as compromised and rotated. At the enterprise level, a Statc Stealer infection can lead to financial loss, reputational damage, legal liability and regulatory penalties.

References
2023-08-08 — Zscaler — Amandeep Kumar, Shivam Sharma
Statc Stealer: Decoding the Elusive Malware Threat
Statc
Yara Rules
[TLP:WHITE] win_statc_auto (20260504 | Detects win.statc.)
rule win_statc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.statc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.statc"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * Reviewer notes:
     * - Only the hex byte patterns below are matched; the per-instruction
     *   comments are documentation and have no effect on the rule.
     * - The byte patterns carry REX prefixes (0x41-0x4d) and RIP-relative
     *   LEAs, i.e. they come from x86-64 code. The decodings given next to
     *   each pattern are the 64-bit reading of the bytes; the '??' bytes are
     *   relocatable call/jump targets and RIP-relative displacements that
     *   the generator wildcarded.
     * - Because the sequences were taken from unpacked code and memory
     *   dumps, expect the rule to fire on unpacked/in-memory images rather
     *   than on packed samples on disk. No MZ/PE header check is applied,
     *   deliberately, so that raw memory dumps still match.
     */


    strings:
        $sequence_0 = { ba64000000 0f44c2 4489b188000000 884105 4a8b842580000000 488bc8 e8???????? }
            // n = 7, score = 100
            //   ba64000000           | mov                 edx, 0x64
            //   0f44c2               | cmove               eax, edx
            //   4489b188000000       | mov                 dword ptr [rcx + 0x88], r14d
            //   884105               | mov                 byte ptr [rcx + 5], al
            //   4a8b842580000000     | mov                 rax, qword ptr [rbp + r12 + 0x80]
            //   488bc8               | mov                 rcx, rax
            //   e8????????           | call                (rel32 wildcarded)

        $sequence_1 = { c705????????01000000 488d15f1a80400 488d0daaa80400 e8???????? 85c0 740a b8ff000000 }
            // n = 7, score = 100
            //   c705????????01000000     | mov             dword ptr [rip + ?], 1   (disp32 wildcarded)
            //   488d15f1a80400       | lea                 rdx, [rip + 0x4a8f1]
            //   488d0daaa80400       | lea                 rcx, [rip + 0x4a8aa]
            //   e8????????           | call                (rel32 wildcarded)
            //   85c0                 | test                eax, eax
            //   740a                 | je                  +0xa
            //   b8ff000000           | mov                 eax, 0xff

        $sequence_2 = { e8???????? 488b4318 48638bb8000000 39483c 7f26 41b901000000 89742420 }
            // n = 7, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   488b4318             | mov                 rax, qword ptr [rbx + 0x18]
            //   48638bb8000000       | movsxd              rcx, dword ptr [rbx + 0xb8]
            //   39483c               | cmp                 dword ptr [rax + 0x3c], ecx
            //   7f26                 | jg                  +0x26
            //   41b901000000         | mov                 r9d, 1
            //   89742420             | mov                 dword ptr [rsp + 0x20], esi

        $sequence_3 = { eb13 4c8d85e8010000 488bd0 488d4df0 e8???????? 4c896d08 4c896d18 }
            // n = 7, score = 100
            //   eb13                 | jmp                 +0x13
            //   4c8d85e8010000       | lea                 r8, [rbp + 0x1e8]
            //   488bd0               | mov                 rdx, rax
            //   488d4df0             | lea                 rcx, [rbp - 0x10]
            //   e8????????           | call                (rel32 wildcarded)
            //   4c896d08             | mov                 qword ptr [rbp + 8], r13
            //   4c896d18             | mov                 qword ptr [rbp + 0x18], r13

        $sequence_4 = { eb32 448b442444 488d0c52 8d4201 418906 488b4368 66c704c85900 }
            // n = 7, score = 100
            //   eb32                 | jmp                 +0x32
            //   448b442444           | mov                 r8d, dword ptr [rsp + 0x44]
            //   488d0c52             | lea                 rcx, [rdx + rdx*2]
            //   8d4201               | lea                 eax, [rdx + 1]
            //   418906               | mov                 dword ptr [r14], eax
            //   488b4368             | mov                 rax, qword ptr [rbx + 0x68]
            //   66c704c85900         | mov                 word ptr [rax + rcx*8], 0x59

        $sequence_5 = { 90 4c8bc3 488bd0 488d8dc0020000 e8???????? 90 488d8580000000 }
            // n = 7, score = 100
            //   90                   | nop
            //   4c8bc3               | mov                 r8, rbx
            //   488bd0               | mov                 rdx, rax
            //   488d8dc0020000       | lea                 rcx, [rbp + 0x2c0]
            //   e8????????           | call                (rel32 wildcarded)
            //   90                   | nop
            //   488d8580000000       | lea                 rax, [rbp + 0x80]

        $sequence_6 = { 85c0 0f8507020000 49635710 488bcf 4d8b4550 4883c209 4c03c2 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8507020000         | jne                 +0x207
            //   49635710             | movsxd              rdx, dword ptr [r15 + 0x10]
            //   488bcf               | mov                 rcx, rdi
            //   4d8b4550             | mov                 r8, qword ptr [r13 + 0x50]
            //   4883c209             | add                 rdx, 9
            //   4c03c2               | add                 r8, rdx

        $sequence_7 = { e9???????? 488d0d8d611000 e9???????? 488d0d25611000 e9???????? 4883ec28 488d0ddd8d2e00 }
            // n = 7, score = 100
            //   e9????????           | jmp                 (rel32 wildcarded)
            //   488d0d8d611000       | lea                 rcx, [rip + 0x10618d]
            //   e9????????           | jmp                 (rel32 wildcarded)
            //   488d0d25611000       | lea                 rcx, [rip + 0x106125]
            //   e9????????           | jmp                 (rel32 wildcarded)
            //   4883ec28             | sub                 rsp, 0x28
            //   488d0ddd8d2e00       | lea                 rcx, [rip + 0x2e8ddd]

        $sequence_8 = { eb1e 8b86b8000000 ffc8 4898 488d0c40 488b4668 488d14c8 }
            // n = 7, score = 100
            //   eb1e                 | jmp                 +0x1e
            //   8b86b8000000         | mov                 eax, dword ptr [rsi + 0xb8]
            //   ffc8                 | dec                 eax
            //   4898                 | cdqe
            //   488d0c40             | lea                 rcx, [rax + rax*2]
            //   488b4668             | mov                 rax, qword ptr [rsi + 0x68]
            //   488d14c8             | lea                 rdx, [rax + rcx*8]

        $sequence_9 = { 5f c3 418bdd 488b442428 4c8928 488b7808 4c896808 }
            // n = 7, score = 100
            //   5f                   | pop                 rdi
            //   c3                   | ret
            //   418bdd               | mov                 ebx, r13d
            //   488b442428           | mov                 rax, qword ptr [rsp + 0x28]
            //   4c8928               | mov                 qword ptr [rax], r13
            //   488b7808             | mov                 rdi, qword ptr [rax + 8]
            //   4c896808             | mov                 qword ptr [rax + 8], r13

    condition:
        // 7 of the 10 sequences must be present; the size cap bounds scan cost
        // and excludes very large files, so adjust it if a sample exceeds it.
        7 of them and filesize < 6429696
}