win.stealc

Stealc


Stealc is an information stealer advertised by its presumed developer, Plymouth, on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's own statement, Stealc is a non-resident stealer with flexible data collection settings, and its development drew on other prominent stealers: Vidar, Raccoon, Mars and RedLine.

Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as from other applications (messengers, email clients, etc.). To collect sensitive data from web browsers, the malware downloads 7 legitimate third-party DLLs: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.

References

2025-01-16 | eSentire | eSentire Threat Response Unit (TRU)
  MintsLoader: StealC and BOINC Delivery
  Families: MintsLoader, Stealc
2025-01-10 | Spamhaus | Spamhaus Malware Labs
  Spamhaus Botnet Threat Update July to December 2024
  Families: Coper, FluBot, Hook, Mirai, FAKEUPDATES, AsyncRAT, BianLian, Brute Ratel C4, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc
2024-10-17 | Sekoia | Quentin Bourgue, Sekoia TDR
  ClickFix tactic: The Phantom Meet
  Families: Rhadamanthys, Stealc
2024-10-03 | Lexfo | Lexfo
  StealC Malware Analysis Part 2
  Families: Stealc
2024-10-03 | Lexfo | Lexfo
  StealC Malware Analysis Part 1
  Families: Stealc
2024-10-03 | Lexfo | Lexfo
  StealC Malware Analysis Part 3
  Families: Stealc
2024-08-15 | Kaspersky | AbdulRhman Alfaifi, Elsayed Elrefaei
  Tusk campaign uses infostealers and clippers for financial gain
  Families: DanaBot, HijackLoader, Stealc
2024-06-17 | Recorded Future | Insikt Group
  The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications
  Families: AMOS, Rhadamanthys, Stealc, Markopolo
2024-02-20 | YouTube (Embee Research) | Embee_research
  StealC Loader Analysis - Decoding Powershell Malware With CyberChef
  Families: Stealc
2024-01-30 | ANY.RUN | Lena (LambdaMamba)
  CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
  Families: Amadey, CrackedCantil, Lumma Stealer, PrivateLoader, RedLine Stealer, RisePro, SmokeLoader, Socks5 Systemz, Stealc, STOP
2023-12-13 | cocomelonc | cocomelonc
  Malware in the wild book
  Families: AsyncRAT, Babuk, BlackCat, BlackLotus, Carbanak, HelloKitty, Paradise, Stealc, WinDealer
2023-12-05 | Medium g0njxa | g0njxa
  Approaching stealers devs: a brief interview with StealC
  Families: Stealc
2023-10-12 | Spamhaus | Spamhaus Malware Labs
  Spamhaus Botnet Threat Update Q3 2023
  Families: FluBot, AsyncRAT, Ave Maria, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, Nanocore RAT, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc, Tofsee, Vidar
2023-10-03 | Glyc3rius
  Stealc Malware Analysis
  Families: Stealc
2023-09-25 | EchoCTI | Bilal BAKARTEPE, bixploit
  StealC Technical Analysis Report
  Families: Stealc
2023-08-24 | Github (muha2xmad) | Muhammad Hasan Ali
  StealC configuration extractor
  Families: Stealc
2023-08-15 | Github (muha2xmad) | Muhammad Hasan Ali
  StealC string decryption
  Families: Stealc
2023-08-15 | eSentire | eSentire Threat Response Unit (TRU)
  StealC Delivered via Deceptive Google Sheets
  Families: Stealc
2023-05-05 | VMRay | VMRay Labs Team
  Stealc: A new stealer emerges in 2023
  Families: Stealc
2023-02-27 | Sekoia | Quentin Bourgue, Threat & Detection Research Team
  Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 2
  Families: Stealc
2023-02-20 | Sekoia | Pierre Le Bourhis, Quentin Bourgue, Threat & Detection Research Team
  Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1
  Families: Stealc
2023-02-03 | Cloudsek | Deepanjli Paulraj, Pavan Karthick M
  Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware
  Families: Alfonso Stealer, Bandit Stealer, Cameleon, Fabookie, Lumma Stealer, Nanocore RAT, Panda Stealer, RecordBreaker, RedLine Stealer, Stealc, STOP, Vidar, zgRAT
Yara Rules

[TLP:WHITE] win_stealc_auto (20241030 | Detects win.stealc.)
rule win_stealc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.stealc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { e8???????? 83c460 e8???????? 83c40c }
            // n = 4, score = 600
            //   e8????????           |                     
            //   83c460               | add                 esp, 0x60
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { ff15???????? 85c0 7507 c685e0feffff43 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   c685e0feffff43       | mov                 byte ptr [ebp - 0x120], 0x43

        $sequence_2 = { e8???????? e8???????? 83c418 6a3c }
            // n = 4, score = 600
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   6a3c                 | push                0x3c

        $sequence_3 = { 50 e8???????? e8???????? 83c474 }
            // n = 4, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c474               | add                 esp, 0x74

        $sequence_4 = { e8???????? e8???????? 81c480000000 e9???????? }
            // n = 4, score = 600
            //   e8????????           |                     
            //   e8????????           |                     
            //   81c480000000         | add                 esp, 0x80
            //   e9????????           |                     

        $sequence_5 = { 68???????? e8???????? e8???????? 83c474 }
            // n = 4, score = 600
            //   68????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c474               | add                 esp, 0x74

        $sequence_6 = { 50 e8???????? e8???????? 81c484000000 }
            // n = 4, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   81c484000000         | add                 esp, 0x84

        $sequence_7 = { 8d45fc 50 ff75f4 e8???????? 59 59 8d85f0feffff }
            // n = 7, score = 400
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]

        $sequence_8 = { b9e8030000 33c0 f3aa 8d850ca5ffff 8945fc 8b7dfc b9e8030000 }
            // n = 7, score = 400
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   33c0                 | xor                 eax, eax
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   8d850ca5ffff         | lea                 eax, [ebp - 0x5af4]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   b9e8030000           | mov                 ecx, 0x3e8

        $sequence_9 = { 8d75f4 e8???????? 8b45d0 e8???????? 8d7de8 8d75d0 }
            // n = 6, score = 400
            //   8d75f4               | lea                 esi, [ebp - 0xc]
            //   e8????????           |                     
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   e8????????           |                     
            //   8d7de8               | lea                 edi, [ebp - 0x18]
            //   8d75d0               | lea                 esi, [ebp - 0x30]

    condition:
        7 of them and filesize < 4891648
}

[TLP:WHITE] win_stealc_w0 (20230221 | Find standalone Stealc sample based on decryption routine or characteristic strings)
rule win_stealc_w0 {
   meta:
       malware = "Stealc"
       description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
       source = "SEKOIA.IO"
       reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
       classification = "TLP:CLEAR"
       hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
       author = "crep1x"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc"
       malpedia_version = "20230221"
       malpedia_license = "CC BY-NC-SA 4.0"
       malpedia_sharing = "TLP:WHITE"
       malpedia_rule_date = "20230221"
       malpedia_hash = ""
   strings:
       $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } //deobfuscation function

       $str01 = "------" ascii
       $str02 = "Network Info:" ascii
       $str03 = "- IP: IP?" ascii
       $str04 = "- Country: ISO?" ascii
       $str05 = "- Display Resolution:" ascii
       $str06 = "User Agents:" ascii
       $str07 = "%s\\%s\\%s" ascii

   condition:
       uint16(0) == 0x5A4D and ($dec or 5 of ($str*))
}