win.stealc

Stealc


Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and RedLine.

Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
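The behaviour described above (a process dropping the helper DLL set and then exfiltrating file by file over HTTP POST) is the kind of sequence an endpoint correlation rule can key on. The following is an added example, not Malpedia's or Sekoia's code: it runs a simple per-process correlation over constructed endpoint events whose schema (ts, pid, image, type, path, method, host) is an assumption; only the seven DLL names come from the page. The second constructed process is a benign installer that ships the VC++ runtime DLLs, which is why the thresholds matter.

```python
from collections import defaultdict

# The seven legitimate third-party DLLs the page says Stealc downloads to read
# browser data; these file names are the only page-derived values here.
STEALC_HELPER_DLLS = {
    "sqlite3.dll", "nss3.dll", "vcruntime140.dll", "mozglue.dll",
    "freebl3.dll", "softokn3.dll", "msvcp140.dll",
}

# Constructed endpoint events (assumed, simplified schema; not real telemetry).
# pid 4242 mirrors the page's description: all seven DLLs dropped, then several
# HTTP POSTs. pid 1000 is a benign installer that ships the VC++ runtime DLLs and
# makes a single POST, so it must not be flagged at the default thresholds.
SAMPLE_EVENTS = [
    {"ts": 10, "pid": 4242, "image": "update.exe", "type": "file_write", "path": "C:\\ProgramData\\sqlite3.dll"},
    {"ts": 11, "pid": 4242, "image": "update.exe", "type": "file_write", "path": "C:\\ProgramData\\nss3.dll"},
    {"ts": 12, "pid": 4242, "image": "update.exe", "type": "file_write", "path": "C:\\ProgramData\\vcruntime140.dll"},
    {"ts": 13, "pid": 4242, "image": "update.exe", "type": "file_write", "path": "C:\\ProgramData\\mozglue.dll"},
    {"ts": 14, "pid": 4242, "image": "update.exe", "type": "file_write", "path": "C:\\ProgramData\\freebl3.dll"},
    {"ts": 15, "pid": 4242, "image": "update.exe", "type": "file_write", "path": "C:\\ProgramData\\softokn3.dll"},
    {"ts": 16, "pid": 4242, "image": "update.exe", "type": "file_write", "path": "C:\\ProgramData\\msvcp140.dll"},
    {"ts": 20, "pid": 4242, "image": "update.exe", "type": "http", "method": "POST", "host": "203.0.113.10"},
    {"ts": 21, "pid": 4242, "image": "update.exe", "type": "http", "method": "POST", "host": "203.0.113.10"},
    {"ts": 22, "pid": 4242, "image": "update.exe", "type": "http", "method": "POST", "host": "203.0.113.10"},
    {"ts": 23, "pid": 4242, "image": "update.exe", "type": "http", "method": "POST", "host": "203.0.113.10"},
    {"ts": 30, "pid": 1000, "image": "setup.exe", "type": "file_write", "path": "C:\\Program Files\\App\\vcruntime140.dll"},
    {"ts": 31, "pid": 1000, "image": "setup.exe", "type": "file_write", "path": "C:\\Program Files\\App\\msvcp140.dll"},
    {"ts": 32, "pid": 1000, "image": "setup.exe", "type": "http", "method": "POST", "host": "198.51.100.7"},
]


def correlate(events, min_dlls=5, min_posts=3):
    """Flag processes that write most of the helper DLL set and afterwards issue
    a burst of HTTP POSTs. Returns {pid: summary} for flagged processes."""
    state = defaultdict(lambda: {"image": None, "dlls": set(), "first_dll_ts": None, "posts": 0})
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = state[ev["pid"]]
        s["image"] = ev["image"]
        if ev["type"] == "file_write":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name in STEALC_HELPER_DLLS:
                s["dlls"].add(name)
                if s["first_dll_ts"] is None:
                    s["first_dll_ts"] = ev["ts"]
        elif ev["type"] == "http" and ev.get("method") == "POST":
            # Only POSTs issued after the first helper DLL appeared count as
            # candidate exfiltration; earlier traffic from the process is ignored.
            if s["first_dll_ts"] is not None and ev["ts"] >= s["first_dll_ts"]:
                s["posts"] += 1
    flagged = {}
    for pid, s in state.items():
        if len(s["dlls"]) >= min_dlls and s["posts"] >= min_posts:
            flagged[pid] = {
                "image": s["image"],
                "dll_count": len(s["dlls"]),
                "post_count": s["posts"],
                "missing": sorted(STEALC_HELPER_DLLS - s["dlls"]),
            }
    return flagged


if __name__ == "__main__":
    for pid, info in correlate(SAMPLE_EVENTS).items():
        print(pid, info)
```

The default thresholds (at least five of the seven DLLs, then at least three POSTs) are a design choice for the constructed data: vcruntime140.dll and msvcp140.dll are shipped by countless legitimate installers, so requiring the Mozilla NSS set (nss3.dll, mozglue.dll, freebl3.dll, softokn3.dll) alongside them, plus a burst of POSTs, is what separates the stealer pattern from an ordinary setup program. Lowering both thresholds flags the installer as well, which is the false-positive case the rule is tuned to avoid.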

References

@techreport{labs:20231012:spamhaus:cc0ff5c,
  author = {Spamhaus Malware Labs},
  title = {{Spamhaus Botnet Threat Update Q3 2023}},
  date = {2023-10-12},
  institution = {Spamhaus},
  url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf},
  language = {English},
  urldate = {2023-10-17}
}
Families covered by this report: FluBot, AsyncRAT, Ave Maria, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, Nanocore RAT, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc, Tofsee, Vidar

@online{glyc3rius:20231003:stealc:9085f93,
  author = {Glyc3rius},
  title = {{Stealc Malware Analysis}},
  date = {2023-10-03},
  url = {https://glyc3rius.github.io/2023/10/stealc/},
  language = {English},
  urldate = {2023-10-09}
}

@online{ali:20230824:stealc:7286a94,
  author = {Muhammad Hasan Ali},
  title = {{StealC configuration extractor}},
  date = {2023-08-24},
  organization = {Github (muha2xmad)},
  url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb},
  language = {English},
  urldate = {2023-08-25}
}

@online{tru:20230815:stealc:25de99b,
  author = {eSentire Threat Response Unit (TRU)},
  title = {{StealC Delivered via Deceptive Google Sheets}},
  date = {2023-08-15},
  organization = {eSentire},
  url = {https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets},
  language = {English},
  urldate = {2023-08-21}
}

@online{ali:20230815:stealc:4aa8523,
  author = {Muhammad Hasan Ali},
  title = {{StealC string decryption}},
  date = {2023-08-15},
  organization = {Github (muha2xmad)},
  url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_string_decryption.py},
  language = {English},
  urldate = {2023-08-25}
}

@online{team:20230227:stealc:ab91413,
  author = {Threat & Detection Research Team},
  title = {{Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 2}},
  date = {2023-02-27},
  organization = {Sekoia},
  url = {https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/},
  language = {English},
  urldate = {2023-03-28}
}

@online{team:20230220:stealc:e74aaa7,
  author = {Threat & Detection Research Team},
  title = {{Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1}},
  date = {2023-02-20},
  organization = {Sekoia},
  url = {https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/},
  language = {English},
  urldate = {2023-02-21}
}
Yara Rules
[TLP:WHITE] win_stealc_auto (20230715 | Detects win.stealc.)
rule win_stealc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.stealc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7507 50 ff15???????? 8d45f4 50 8d45fc 50 }
            // n = 7, score = 400
            //   7507                 | jne                 9
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_1 = { 83c468 e8???????? 8b45f4 e8???????? 33c0 e8???????? ff75f0 }
            // n = 7, score = 400
            //   83c468               | add                 esp, 0x68
            //   e8????????           |                     
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_2 = { e8???????? 8b7dfc ff35???????? 8b470c 50 ff15???????? }
            // n = 6, score = 400
            //   e8????????           |                     
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   ff35????????         |                     
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { ff75ac ff75fc ff15???????? 57 ff75fc ff15???????? ff7530 }
            // n = 7, score = 400
            //   ff75ac               | push                dword ptr [ebp - 0x54]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   ff7530               | push                dword ptr [ebp + 0x30]

        $sequence_4 = { f3aa 8bc6 e8???????? 53 }
            // n = 4, score = 400
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_5 = { 3bfb 0f8c9d000000 8b45fc 8d55f8 52 68???????? 895df8 }
            // n = 7, score = 400
            //   3bfb                 | cmp                 edi, ebx
            //   0f8c9d000000         | jl                  0xa3
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   52                   | push                edx
            //   68????????           |                     
            //   895df8               | mov                 dword ptr [ebp - 8], ebx

        $sequence_6 = { 83c40c 50 8d858cfeffff 50 ff15???????? }
            // n = 5, score = 400
            //   83c40c               | add                 esp, 0xc
            //   50                   | push                eax
            //   8d858cfeffff         | lea                 eax, [ebp - 0x174]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_7 = { 59 8b45d4 e8???????? ff75f0 }
            // n = 4, score = 400
            //   59                   | pop                 ecx
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_8 = { 57 ff7508 8bf8 ff15???????? 034708 894608 40 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |                     
            //   034708               | add                 eax, dword ptr [edi + 8]
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   40                   | inc                 eax

        $sequence_9 = { a5 a5 83ec50 a5 8d5d10 8bfc }
            // n = 6, score = 400
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   83ec50               | sub                 esp, 0x50
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   8d5d10               | lea                 ebx, [ebp + 0x10]
            //   8bfc                 | mov                 edi, esp

    condition:
        7 of them and filesize < 24891648
}
[TLP:WHITE] win_stealc_w0 (20230221 | Find standalone Stealc sample based on decryption routine or characteristic strings)
rule win_stealc_w0 {
   meta:
       malware = "Stealc"
       description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
       source = "SEKOIA.IO"
       reference = "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
       classification = "TLP:CLEAR"
       hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d"
       author = "crep1x"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc"
       malpedia_version = "20230221"
       malpedia_license = "CC BY-NC-SA 4.0"
       malpedia_sharing = "TLP:WHITE"
       malpedia_rule_date = "20230221"
       malpedia_hash = ""
   strings:
       $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } //deobfuscation function

       $str01 = "------" ascii
       $str02 = "Network Info:" ascii
       $str03 = "- IP: IP?" ascii
       $str04 = "- Country: ISO?" ascii
       $str05 = "- Display Resolution:" ascii
       $str06 = "User Agents:" ascii
       $str07 = "%s\\%s\\%s" ascii

   condition:
       uint16(0) == 0x5A4D and ($dec or 5 of ($str*))
}
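To show how the condition of win_stealc_w0 is actually evaluated, here is an added example (not part of Malpedia's or Sekoia's tooling) that re-implements the rule's three checks in Python: the little-endian uint16(0) == 0x5A4D header test, the $dec hex string with its ?? one-byte wildcards compiled to a bytes regex, and the "5 of ($str*)" count. The input buffers are constructed for the example and are not real samples; in production the rule itself would be run through yara or yara-python, which this code only imitates for teaching purposes.

```python
import re

# $dec from the win_stealc_w0 rule on this page; "??" is a one-byte wildcard.
DEC_PATTERN = ("55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 "
               "8b f8 59 f7 f1 8b c7 85 d2 74 04")

# $str01..$str07 from the same rule. YARA's "%s\\%s\\%s" means one backslash
# per "\\", which is also what the Python bytes literal below spells.
STRINGS = {
    "str01": b"------",
    "str02": b"Network Info:",
    "str03": b"- IP: IP?",
    "str04": b"- Country: ISO?",
    "str05": b"- Display Resolution:",
    "str06": b"User Agents:",
    "str07": b"%s\\%s\\%s",
}


def hex_pattern_to_regex(pattern):
    """Turn a YARA hex string with ?? wildcards into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0a, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


DEC_REGEX = hex_pattern_to_regex(DEC_PATTERN)


def evaluate(data):
    """Mirror the rule condition: uint16(0) == 0x5A4D and ($dec or 5 of ($str*))."""
    # YARA's uint16(0) reads a little-endian 16-bit value at offset 0, so the
    # "MZ" bytes 0x4d 0x5a compare equal to 0x5A4D.
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    dec = DEC_REGEX.search(data)
    hits = sorted(name for name, s in STRINGS.items() if s in data)
    return {
        "mz": is_mz,
        "dec_offset": dec.start() if dec else None,
        "string_hits": hits,
        "match": is_mz and (dec is not None or len(hits) >= 5),
    }


def instantiate(pattern, filler=0xAA):
    """Concrete bytes for a hex pattern; used only to build constructed samples."""
    return bytes(filler if tok == "??" else int(tok, 16) for tok in pattern.split())


# Constructed buffers (not real samples): a two-byte MZ header, 62 bytes of
# padding, then the content that decides each case.
SAMPLES = {
    "mz_with_dec": b"MZ" + b"\x00" * 62 + instantiate(DEC_PATTERN),
    "mz_with_five_strings": b"MZ" + b"\x00" * 62 + b"|".join(list(STRINGS.values())[:5]),
    "mz_with_four_strings": b"MZ" + b"\x00" * 62 + b"|".join(list(STRINGS.values())[:4]),
    "no_mz_with_strings": b"\x7fELF" + b"|".join(STRINGS.values()),
}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, evaluate(buf))
```

The four constructed buffers cover the rule's branches: the $dec pattern alone is enough, five characteristic strings alone are enough, four strings without $dec are not, and a non-PE buffer never matches no matter how many strings it contains. The returned dictionary keeps the per-check results rather than just the verdict, which is what an analyst wants when tuning why a file did or did not fire.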