win.strelastealer

StrelaStealer


According to PCRisk, StrelaStealer seeks to extract email account log-in credentials. At the time of writing, this program targets Microsoft Outlook and Mozilla Thunderbird email clients.

Following successful infiltration, StrelaStealer searches the "%APPDATA%\Thunderbird\Profiles\" directory for "logins.json" (account/password) and "key4.db" (password database); from these files it acquires the Thunderbird credentials.

For Outlook credentials, StrelaStealer instead queries the Windows Registry, from which it retrieves the program's key and the "IMAP User", "IMAP Server" and "IMAP Password" values. Since the latter is stored in encrypted form, the malware calls the Windows CryptUnprotectData function to decrypt it before exfiltration.

References
2023-05-23 | Cert-AgID | Cert-AgID
@online{certagid:20230523:technical:ad39da1, author = {Cert-AgID}, title = {{Technical analysis and considerations on Strela malware}}, date = {2023-05-23}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/analisi-tecnica-e-considerazioni-sul-malware-strela/}, language = {English}, urldate = {2023-06-26} } Technical analysis and considerations on Strela malware
StrelaStealer
2023-05-07 | OALabs | Sergei Frankoff
@online{frankoff:20230507:strelastealer:664452e, author = {Sergei Frankoff}, title = {{StrelaStealer Under the radar email credential stealer in development}}, date = {2023-05-07}, organization = {OALabs}, url = {https://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html}, language = {English}, urldate = {2023-06-26} } StrelaStealer Under the radar email credential stealer in development
StrelaStealer
2022-11-08 | DCSO | Axel Wauer, Johann Aydinbas
@online{wauer:20221108:shortandmalicious:21e0fa8, author = {Axel Wauer and Johann Aydinbas}, title = {{#ShortAndMalicious: StrelaStealer aims for mail credentials}}, date = {2022-11-08}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc}, language = {English}, urldate = {2022-11-11} } #ShortAndMalicious: StrelaStealer aims for mail credentials
StrelaStealer
Yara Rules
[TLP:WHITE] win_strelastealer_auto (20230715 | Detects win.strelastealer.)
rule win_strelastealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.strelastealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE (review): the "| mnemonic" column beside each sequence is
     * informational only. Only the hex bytes on the $sequence_N line are
     * matched. Several sequences contain REX-prefixed 64-bit opcodes
     * (leading bytes 41/45/48/49/4c/4d) that the column shows as 32-bit
     * "dec eax"/"inc ebp", and in $sequence_1, $sequence_3, $sequence_5,
     * $sequence_6, $sequence_9, $sequence_10, $sequence_12 and $sequence_15
     * the mnemonics appear to have been taken from a different sequence
     * (e.g. the 0xe12d / 0xe119 displacements printed next to $sequence_10
     * are the displacement bytes of $sequence_5). Do not use the mnemonic
     * column to reason about the sample's behaviour; re-disassemble instead.
     * The mix of stack-relative 32-bit code (push/esp) and rip-relative
     * 64-bit code suggests the sequences were taken from both x86 and x64
     * builds -- TODO confirm against the reference samples.
     */

    strings:
        $sequence_0 = { bf09000000 e8???????? 8b7c2434 83c404 50 8d0437 }
            // n = 6, score = 100
            //   bf09000000           | mov                 edi, 9
            //   e8????????           |                     
            //   8b7c2434             | mov                 edi, dword ptr [esp + 0x34]
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   8d0437               | lea                 eax, [edi + esi]

        $sequence_1 = { 4983e1e0 4d8bd9 49c1eb05 478b9c9a64e00100 }
            // n = 4, score = 100
            //   4983e1e0             | dec                 eax
            //   4d8bd9               | lea                 edx, [0x15f46]
            //   49c1eb05             | xor                 ecx, ecx
            //   478b9c9a64e00100     | dec                 ecx

        $sequence_2 = { 33cc e8???????? 81c484050000 c3 }
            // n = 4, score = 100
            //   33cc                 | xor                 ecx, esp
            //   e8????????           |                     
            //   81c484050000         | add                 esp, 0x584
            //   c3                   | ret                 

        $sequence_3 = { 418d511a ff15???????? 488d15e9620100 488d4c2440 ff15???????? }
            // n = 5, score = 100
            //   418d511a             | dec                 eax
            //   ff15????????         |                     
            //   488d15e9620100       | mov                 ebx, ecx
            //   488d4c2440           | dec                 eax
            //   ff15????????         |                     

        $sequence_4 = { 57 33ff 8db7c0b30010 ff36 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8db7c0b30010         | lea                 esi, [edi + 0x1000b3c0]
            //   ff36                 | push                dword ptr [esi]

        $sequence_5 = { 8bd9 4c8d0d2de10000 b901000000 4c8d0519e10000 488d151ae10000 e8???????? 8bcb }
            // n = 7, score = 100
            //   8bd9                 | and                 ecx, 0xffffffe0
            //   4c8d0d2de10000       | dec                 ebp
            //   b901000000           | mov                 ebx, ecx
            //   4c8d0519e10000       | dec                 ecx
            //   488d151ae10000       | shr                 ebx, 5
            //   e8????????           |                     
            //   8bcb                 | inc                 edi

        $sequence_6 = { b804000000 8945d0 8945d4 488d05bd430100 488945e0 895128 488d0d87a30000 }
            // n = 7, score = 100
            //   b804000000           | lea                 edx, [0xe11a]
            //   8945d0               | mov                 ecx, ebx
            //   8945d4               | dec                 eax
            //   488d05bd430100       | lea                 ecx, [0x14379]
            //   488945e0             | dec                 eax
            //   895128               | lea                 ecx, [0x14385]
            //   488d0d87a30000       | mov                 al, 1

        $sequence_7 = { 6804010000 8d842480030000 53 50 e8???????? 6804010000 }
            // n = 6, score = 100
            //   6804010000           | push                0x104
            //   8d842480030000       | lea                 eax, [esp + 0x380]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   6804010000           | push                0x104

        $sequence_8 = { bf0d000000 e8???????? 83c404 50 8d44245c }
            // n = 5, score = 100
            //   bf0d000000           | mov                 edi, 0xd
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   8d44245c             | lea                 eax, [esp + 0x5c]

        $sequence_9 = { e8???????? 4533c9 4c8d054d5f0100 488d15465f0100 33c9 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   4533c9               | inc                 ebp
            //   4c8d054d5f0100       | xor                 ecx, ecx
            //   488d15465f0100       | dec                 esp
            //   33c9                 | lea                 eax, [0x15f4d]

        $sequence_10 = { 488bd9 488bc2 488d0d61c50000 0f57c0 48890b }
            // n = 5, score = 100
            //   488bd9               | lea                 ecx, [0xe12d]
            //   488bc2               | mov                 ecx, 1
            //   488d0d61c50000       | dec                 esp
            //   0f57c0               | lea                 eax, [0xe119]
            //   48890b               | dec                 eax

        $sequence_11 = { 305108 ffd5 85c0 751b 8d8c2488060000 51 8d94247c040000 }
            // n = 7, score = 100
            //   305108               | xor                 byte ptr [ecx + 8], dl
            //   ffd5                 | call                ebp
            //   85c0                 | test                eax, eax
            //   751b                 | jne                 0x1d
            //   8d8c2488060000       | lea                 ecx, [esp + 0x688]
            //   51                   | push                ecx
            //   8d94247c040000       | lea                 edx, [esp + 0x47c]

        $sequence_12 = { 488d0d79430100 e8???????? 488d0d85430100 e8???????? b001 }
            // n = 5, score = 100
            //   488d0d79430100       | mov                 ebx, dword ptr [edx + ebx*4 + 0x1e064]
            //   e8????????           |                     
            //   488d0d85430100       | mov                 ebx, ecx
            //   e8????????           |                     
            //   b001                 | dec                 esp

        $sequence_13 = { 33db 5e 57 ff15???????? 5f }
            // n = 5, score = 100
            //   33db                 | xor                 ebx, ebx
            //   5e                   | pop                 esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   5f                   | pop                 edi

        $sequence_14 = { 89442434 89442438 8d442434 50 6a01 53 53 }
            // n = 7, score = 100
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   8d442434             | lea                 eax, [esp + 0x34]
            //   50                   | push                eax
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_15 = { 8918 e8???????? 84c0 7473 e8???????? 488d0d2c080000 }
            // n = 6, score = 100
            //   8918                 | mov                 eax, edx
            //   e8????????           |                     
            //   84c0                 | dec                 eax
            //   7473                 | lea                 ecx, [0xc561]
            //   e8????????           |                     
            //   488d0d2c080000       | xorps               xmm0, xmm0

    condition:
        // At least 7 of the 16 code sequences must be present. 266240 bytes
        // is exactly 260 KiB; larger files (e.g. padded or bundled droppers)
        // are excluded regardless of how many sequences hit, so unpack or
        // carve the payload before scanning if the container is bigger.
        7 of them and filesize < 266240
}
[TLP:WHITE] win_strelastealer_w0   (20230118 | detect_StrelaStealer)
rule win_strelastealer_w0 {
    meta:
        description = "detect_StrelaStealer"
        author = "@malgamy12"
        date = "2022/11/12"
        license = "DRL 1.1"
        hash = "6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Build artefacts left in the sample: PDB path, a GUID and the DLL
        // name. A stripped or renamed build loses these, so $pdb on its own
        // is a strong but brittle indicator; the $s* names are only accepted
        // when backed by the code fragment below.
        $pdb = "StrelaDLLCompile.pdb" ascii
        $s1 = "4f3855aa-af7e-4fd2-b04e-55e63653d2f7" ascii
        $s2 = "StrelaDLLCompile.dll" ascii

        // Code fragment: looks like a byte-XOR decode loop driven by
        // "xor edx,edx / mov eax,edi / div ebx" to index a key table
        // (mov dl,[edx+disp32] ... xor [esi+N],dl), repeated for al.
        // Wildcards cover the immediates and table displacements that
        // vary between builds.
        $chunk_1 = { 33 d2 8b c7 f7 f3 8d 04 2e 83 c7 ?? 83 c6 ?? 8a 92 [4] 30 56 ?? 33 d2 f7 f3 8a 82 [4] 30 46 ?? 83 ff ?? }

    condition:
        // The MZ check limits the rule to PE files on disk; headerless
        // memory dumps of the unpacked DLL will not match even if every
        // string is present.
        uint16(0) == 0x5a4d
        and (
            $pdb
            or (any of ($s*) and $chunk_1)
        )
}