Stealc (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.stealc (Back to overview)

Stealc

VTCollection

Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.

Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.

References

2025-05-01 ⋅ Zscaler ⋅ ThreatLabZ research team
I StealC You: Tracking the Rapid Changes To StealC
Stealc

2025-04-29 ⋅ Recorded Future ⋅ Insikt Group
Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting
FAKEUPDATES MintsLoader GhostWeaver Stealc

2025-04-10 ⋅ Medium TRAC Labs ⋅ TRAC Labs
Autopsy of a Failed Stealer: StealC v2
Stealc

2025-03-28 ⋅ Trend Micro ⋅ Ahmed Mohamed Ibrahim, Aliakbar Zahravi
A Deep Dive into Water Gamayun’s Arsenal and Infrastructure
DarkWisp SilentPrism Kematian Stealer Rhadamanthys Stealc

2025-03-04 ⋅ Hunt.io ⋅ Hunt.io
Exposing Russian EFF Impersonators: The Inside Story on Stealc & Pyramid C2
Pyramid Stealc

2025-01-16 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
MintsLoader: StealC and BOINC Delivery
MintsLoader Stealc

2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2024
Coper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot DCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc

2024-10-17 ⋅ Sekoia ⋅ Quentin Bourgue, Sekoia TDR
ClickFix tactic: The Phantom Meet
Rhadamanthys Stealc

2024-10-03 ⋅ Lexfo ⋅ Lexfo
StealC Malware Analysis Part 2
Stealc

2024-10-03 ⋅ Lexfo ⋅ Lexfo
StealC Malware Analysis Part 3
Stealc

2024-10-03 ⋅ Lexfo ⋅ Lexfo
StealC Malware Analysis Part 1
Stealc

2024-08-15 ⋅ Kaspersky ⋅ AbdulRhman Alfaifi, Elsayed Elrefaei
Tusk campaign uses infostealers and clippers for financial gain
DanaBot HijackLoader Stealc

2024-06-17 ⋅ Recorded Future ⋅ Insikt Group
The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications
AMOS Rhadamanthys Stealc Markopolo

2024-02-20 ⋅ YouTube (Embee Research) ⋅ Embee_research
StealC Loader Analysis - Decoding Powershell Malware With CyberChef
Stealc

2024-01-30 ⋅ ANY.RUN ⋅ Lena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP

2023-12-13 ⋅ cocomelonc ⋅ cocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer

2023-12-05 ⋅ Medium g0njxa ⋅ g0njxa
Approaching stealers devs : a brief interview with StealC
Stealc

2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar

2023-10-03 ⋅ Glyc3rius
Stealc Malware Analysis
Stealc

2023-09-25 ⋅ EchoCTI ⋅ Bilal BAKARTEPE, bixploit
StealC Technical Analysis Report
Stealc

2023-08-24 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali
StealC configuration extractor
Stealc

2023-08-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
StealC Delivered via Deceptive Google Sheets
Stealc

2023-08-15 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali
StealC string decryption
Stealc

2023-05-05 ⋅ VMRay ⋅ VMRay Labs Team
Stealc: A new stealer emerges in 2023
Stealc

2023-02-27 ⋅ Sekoia ⋅ Quentin Bourgue, Threat & Detection Research Team
Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 2
Stealc

2023-02-20 ⋅ Sekoia ⋅ Pierre Le Bourhis, Quentin Bourgue, Threat & Detection Research Team
Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1
Stealc

2023-02-03 ⋅ Cloudsek ⋅ Deepanjli Paulraj, Pavan Karthick M
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware
Alfonso Stealer Bandit Stealer Cameleon Fabookie Lumma Stealer Nanocore RAT Panda Stealer RecordBreaker RedLine Stealer Stealc STOP Vidar zgRAT

Yara Rules

[TLP:WHITE] win_stealc_auto (20241030 | Detects win.stealc.)

rule win_stealc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.stealc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c460 e8???????? 83c40c }
            // n = 4, score = 600
            //   e8????????           |                     
            //   83c460               | add                 esp, 0x60
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { ff15???????? 85c0 7507 c685e0feffff43 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   c685e0feffff43       | mov                 byte ptr [ebp - 0x120], 0x43

        $sequence_2 = { e8???????? e8???????? 83c418 6a3c }
            // n = 4, score = 600
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   6a3c                 | push                0x3c

        $sequence_3 = { 50 e8???????? e8???????? 83c474 }
            // n = 4, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c474               | add                 esp, 0x74

        $sequence_4 = { e8???????? e8???????? 81c480000000 e9???????? }
            // n = 4, score = 600
            //   e8????????           |                     
            //   e8????????           |                     
            //   81c480000000         | add                 esp, 0x80
            //   e9????????           |                     

        $sequence_5 = { 68???????? e8???????? e8???????? 83c474 }
            // n = 4, score = 600
            //   68????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c474               | add                 esp, 0x74

        $sequence_6 = { 50 e8???????? e8???????? 81c484000000 }
            // n = 4, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   81c484000000         | add                 esp, 0x84

        $sequence_7 = { 8d45fc 50 ff75f4 e8???????? 59 59 8d85f0feffff }
            // n = 7, score = 400
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]

        $sequence_8 = { b9e8030000 33c0 f3aa 8d850ca5ffff 8945fc 8b7dfc b9e8030000 }
            // n = 7, score = 400
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   33c0                 | xor                 eax, eax
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   8d850ca5ffff         | lea                 eax, [ebp - 0x5af4]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   b9e8030000           | mov                 ecx, 0x3e8

        $sequence_9 = { 8d75f4 e8???????? 8b45d0 e8???????? 8d7de8 8d75d0 }
            // n = 6, score = 400
            //   8d75f4               | lea                 esi, [ebp - 0xc]
            //   e8????????           |                     
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   e8????????           |                     
            //   8d7de8               | lea                 edi, [ebp - 0x18]
            //   8d75d0               | lea                 esi, [ebp - 0x30]

    condition:
        7 of them and filesize < 4891648
}

[TLP:WHITE] win_stealc_w0 (20230221 | Find standalone Stealc sample based on decryption routine or characteristic strings)

rule win_stealc_w0 {
   meta:
       malware = "Stealc"
       description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
       source = "SEKOIA.IO"
       reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
       classification = "TLP:CLEAR"
       hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
       author = "crep1x"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc"
       malpedia_version = "20230221"
       malpedia_license = "CC BY-NC-SA 4.0"
       malpedia_sharing = "TLP:WHITE"
       malpedia_rule_date = "20230221"
       malpedia_hash = ""
   strings:
       $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } //deobfuscation function

       $str01 = "------" ascii
       $str02 = "Network Info:" ascii
       $str03 = "- IP: IP?" ascii
       $str04 = "- Country: ISO?" ascii
       $str05 = "- Display Resolution:" ascii
       $str06 = "User Agents:" ascii
       $str07 = "%s\\%s\\%s" ascii

   condition:
       uint16(0) == 0x5A4D and ($dec or 5 of ($str*))
}

Download all Yara Rules

Stealc Propose Change

References

Yara Rules

Stealc