win.strelastealer

StrelaStealer


According to PCRisk, StrelaStealer seeks to extract email account log-in credentials. At the time of writing, this program targets Microsoft Outlook and Mozilla Thunderbird email clients.

Following successful infiltration, StrelaStealer searches for "logins.json" (account/password) and "key4.db" (password database) within the "%APPDATA%\Thunderbird\Profiles\" directory; from these two files it can acquire the Thunderbird credentials.

Alternatively, if Outlook credentials are targeted, StrelaStealer queries the Windows Registry, from which it retrieves the program's key and the "IMAP User", "IMAP Server" and "IMAP Password" values. Since the latter is stored in encrypted form, the malware calls the Windows CryptUnprotectData function to decrypt it prior to exfiltration.

References
2022-11-08 · DCSO · Axel Wauer, Johann Aydinbas
@online{wauer:20221108:shortandmalicious:21e0fa8, author = {Axel Wauer and Johann Aydinbas}, title = {{#ShortAndMalicious: StrelaStealer aims for mail credentials}}, date = {2022-11-08}, organization = {DCSO}, url = {https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc}, language = {English}, urldate = {2022-11-11} } #ShortAndMalicious: StrelaStealer aims for mail credentials
StrelaStealer
Yara Rules
[TLP:WHITE] win_strelastealer_auto (20230125 | Detects win.strelastealer.)
rule win_strelastealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.strelastealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reader notes
     * - Each $sequence_N is a run of x86 instruction bytes taken from the
     *   disassembly; the listing under each string shows the decoded
     *   instructions. The "??" wildcards mask bytes whose value is not fixed
     *   (the listing leaves those instructions blank - they appear to be
     *   call targets and absolute data references, which differ between
     *   builds and relocations).
     * - $sequence_3 and $sequence_6 embed absolute addresses as literal bytes
     *   (0x1000a320 and 0x1000b918 in the listing), so they only match copies
     *   whose image layout preserves those addresses; expect misses on
     *   rebased or differently linked builds.
     * - The condition requires 7 of the 8 sequences plus a size cap, so a
     *   single coincidental sequence cannot fire the rule. The cap
     *   (121856 bytes = 119 KiB) also means larger containers carrying the
     *   payload are not matched by this rule - scan unpacked content.
     */


    strings:
        $sequence_0 = { 8d942464010000 53 52 e8???????? }
            // n = 4, score = 100
            //   8d942464010000       | lea                 edx, [esp + 0x164]
            //   53                   | push                ebx
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_1 = { 68???????? 57 897c2460 e8???????? 33db 83c410 }
            // n = 6, score = 100
            //   68????????           |                     
            //   57                   | push                edi
            //   897c2460             | mov                 dword ptr [esp + 0x60], edi
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   83c410               | add                 esp, 0x10

        $sequence_2 = { a1???????? 8901 8b15???????? 895104 0fb605???????? 884108 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b15????????         |                     
            //   895104               | mov                 dword ptr [ecx + 4], edx
            //   0fb605????????       |                     
            //   884108               | mov                 byte ptr [ecx + 8], al

        // Embeds the absolute address 0x1000a320 (not wildcarded) - relocation-sensitive.
        $sequence_3 = { 6800020080 55 55 55 0fb68220a30010 3001 }
            // n = 6, score = 100
            //   6800020080           | push                0x80000200
            //   55                   | push                ebp
            //   55                   | push                ebp
            //   55                   | push                ebp
            //   0fb68220a30010       | movzx               eax, byte ptr [edx + 0x1000a320]
            //   3001                 | xor                 byte ptr [ecx], al

        $sequence_4 = { 57 8d842464010000 50 ff15???????? 8d8c2480050000 51 8d942464010000 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8d842464010000       | lea                 eax, [esp + 0x164]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d8c2480050000       | lea                 ecx, [esp + 0x580]
            //   51                   | push                ecx
            //   8d942464010000       | lea                 edx, [esp + 0x164]

        $sequence_5 = { 8bf0 e8???????? 6a59 8bf8 68???????? 57 897c2460 }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   6a59                 | push                0x59
            //   8bf8                 | mov                 edi, eax
            //   68????????           |                     
            //   57                   | push                edi
            //   897c2460             | mov                 dword ptr [esp + 0x60], edi

        // Embeds the absolute address 0x1000b918 (not wildcarded) - relocation-sensitive.
        $sequence_6 = { 8975e4 33c0 39b818b90010 0f8491000000 ff45e4 }
            // n = 5, score = 100
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   33c0                 | xor                 eax, eax
            //   39b818b90010         | cmp                 dword ptr [eax + 0x1000b918], edi
            //   0f8491000000         | je                  0x97
            //   ff45e4               | inc                 dword ptr [ebp - 0x1c]

        $sequence_7 = { 53 894c2454 53 8d4c2458 8d9424a1060000 51 89542460 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   894c2454             | mov                 dword ptr [esp + 0x54], ecx
            //   53                   | push                ebx
            //   8d4c2458             | lea                 ecx, [esp + 0x58]
            //   8d9424a1060000       | lea                 edx, [esp + 0x6a1]
            //   51                   | push                ecx
            //   89542460             | mov                 dword ptr [esp + 0x60], edx

    condition:
        // At least 7 of the 8 code sequences present, and the scanned object
        // smaller than 121856 bytes (119 KiB). No PE-header check is made here,
        // unlike win_strelastealer_w0, so this rule also applies to memory dumps.
        7 of them and filesize < 121856
}
[TLP:WHITE] win_strelastealer_w0   (20230118 | detect_StrelaStealer)
rule win_strelastealer_w0 {
    meta:
	    description = "detect_StrelaStealer"
	    author = "@malgamy12"
	    date = "2022/11/12"
	    license = "DRL 1.1"
        // Reference sample the rule was written against (64 hex digits, i.e. SHA-256).
        hash = "6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403"
        
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer"
        malpedia_rule_date = "20230118"
        // Left empty in the published rule; the sample hash above is the only reference.
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Debug path left in the binary. Strong on its own (see condition), but
        // trivially removed from future builds, so the rule has a second path.
        $pdb = "StrelaDLLCompile.pdb" ascii

        // A GUID-shaped string and the DLL file name. Weaker individually, so the
        // condition only accepts them together with the code chunk below.
        $s1 = "4f3855aa-af7e-4fd2-b04e-55e63653d2f7" ascii
        $s2 = "StrelaDLLCompile.dll" ascii

        // Code bytes from the sample: "??" masks one byte, "[4]" skips exactly
        // four bytes (e.g. an absolute address). NOTE(review): the div / lea /
        // table-read / xor-to-memory opcode pattern reads like a byte-decoding
        // loop; this is inferred from the opcodes only - confirm against the sample.
        $chunk_1 = {33 D2 8B C7 F7 F3 8D 04 2E 83 C7 ?? 83 C6 ?? 8A 92 [4] 30 56 ?? 33 D2 F7 F3 8A 82 [4] 30 46 ?? 83 FF ??} 

        
    condition:
        // Scanned object must begin with the "MZ" DOS header (0x5A4D read
        // little-endian), then either the PDB path alone suffices, or one of the
        // $s strings must co-occur with the code chunk.
        uint16(0) == 0x5A4D  and ($pdb  or  (1 of ($s*) and $chunk_1 ))

}