win.strelastealer (Back to overview)

StrelaStealer


According to PCRisk, StrelaStealer seeks to extract email account login credentials. At the time of writing, it targets the Microsoft Outlook and Mozilla Thunderbird email clients.

Following successful infiltration, StrelaStealer searches for "logins.json" (account/password) and "key4.db" (password database) within the "%APPDATA%\Thunderbird\Profiles\" directory; from these files it acquires the Thunderbird credentials.

Alternatively, when Outlook credentials are targeted, StrelaStealer searches the Windows Registry, from which it retrieves the program's key together with the "IMAP User", "IMAP Server" and "IMAP Password" values. Since the latter is stored in encrypted form, the malware uses the Windows CryptUnprotectData function to decrypt it prior to exfiltration.

References
2025-09-30 | Infoblox | Infoblox Threat Intelligence Group
Detour Dog: DNS Malware Powers Strela Stealer Campaigns
StrelaStealer
2025-09-30 | CIP | State Service of Special Communication and Information Protection of Ukraine (CIP)
Russian Cyber Operations
WRECKSTEEL HOMESTEEL Amatera GIFTEDCROOK StrelaStealer
2025-04-21 | Aryaka Networks | Aditya K. Sood, bikash dash
Strela Stealer Malware Research: Tracing the Digital Footprint and Network Behavior
StrelaStealer
2025-04-17 | Trustwave | Dawid Nesterowicz, Pawel Knapczyk
Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns
StrelaStealer TargetCompany XWorm
2024-11-18 | Logpoint | Anish Bogati
Exploring Strela Stealer: Initial Payload Analysis and Insights
StrelaStealer
2024-06-24 | SonicWall | SonicWall
StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe
StrelaStealer
2024-04-02 | SonicWall | SonicWall
Updated StrelaStealer Targeting European Countries
StrelaStealer
2024-03-22 | Palo Alto | Anmol Maurya, Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Vishwa Thothathri
Large-Scale StrelaStealer Campaign in Early 2024
StrelaStealer
2023-05-23 | Cert-AgID | Cert-AgID
Technical analysis and considerations on Strela malware
StrelaStealer
2023-05-07 | OALabs | Sergei Frankoff
StrelaStealer Under the radar email credential stealer in development
StrelaStealer
2022-11-08 | DCSO | Axel Wauer, Johann Aydinbas
#ShortAndMalicious: StrelaStealer aims for mail credentials
StrelaStealer
2014-11-12 | IBM X-Force | Charlotte Hammond, Golo Mühr, Joe Fasulo
Strela Stealer: Today’s invoice is tomorrow’s phish
StrelaStealer HIVE-0145
Yara Rules
[TLP:WHITE] win_strelastealer_auto (20260504 | Detects win.strelastealer.)
rule win_strelastealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.strelastealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added on review, not part of the generated output)
     * - All 24 strings are raw opcode sequences. The ???????? bytes wildcard
     *   the 4-byte operands of call (e8), indirect call (ff15), push imm32 (68)
     *   and mov-from-memory (8b15) instructions, so the match survives
     *   relocation / re-linking of those targets.
     * - The disassembly printed to the right of each byte sequence does NOT
     *   correspond to the bytes on the same line. Example: 385e02 in
     *   $sequence_0 decodes to "cmp byte ptr [esi + 2], bl", which is the text
     *   shown under $sequence_2's 01c1. Treat the annotations as unreliable
     *   and decode the hex yourself before using them to reason about a hit.
     * - The sequences mix plain 32-bit encodings (e.g. 8b7c2424) with REX
     *   prefixed 64-bit ones (48.., 4c.., 41..), which suggests the generator
     *   saw both x86 and x64 builds of this family - confirm against the
     *   Malpedia sample set before drawing conclusions from a hit.
     * - There is no PE header check in the condition, so the rule is usable
     *   on unpacked dumps as well as on files (consistent with the disclaimer).
     */


    strings:
        $sequence_0 = { 385e02 740b 8b7c2424 8bde e8???????? 56 }
            // n = 6, score = 100
            //   385e02               | mov                 dword ptr [ecx + 0x28], edx
            //   740b                 | dec                 eax
            //   8b7c2424             | lea                 ecx, [0xa387]
            //   8bde                 | dec                 eax
            //   e8????????           |                     
            //   56                   | mov                 eax, dword ptr [ebp - 0x28]

        $sequence_1 = { 4533c9 4c89a424d0050000 ba00000080 4533e4 4c89b424c8050000 }
            // n = 5, score = 100
            //   4533c9               | mov                 ecx, dword ptr [eax + ecx*8]
            //   4c89a424d0050000     | mov                 byte ptr [ecx + edx*8 + 0x38], 0
            //   ba00000080           | dec                 eax
            //   4533e4               | sub                 esp, 0x20
            //   4c89b424c8050000     | mov                 ebx, ecx

        $sequence_2 = { 01c1 b8dc8856d3 29c8 b9dd8856d3 }
            // n = 4, score = 100
            //   01c1                 | cmp                 byte ptr [esi + 2], bl
            //   b8dc8856d3           | je                  0x10
            //   29c8                 | mov                 edi, dword ptr [esp + 0x24]
            //   b9dd8856d3           | mov                 ebx, esi

        $sequence_3 = { 01c7 897d14 8d1401 81c200040000 }
            // n = 4, score = 100
            //   01c7                 | lea                 ecx, [esp + 0x5c]
            //   897d14               | push                ecx
            //   8d1401               | mov                 ecx, dword ptr [esp + 0x2c]
            //   81c200040000         | lea                 edx, [esp + 0x594]

        $sequence_4 = { 895128 488d0d87a30000 488b45d8 488908 488d0d892f0100 488b45d8 8990a8030000 }
            // n = 7, score = 100
            //   895128               | dec                 esp
            //   488d0d87a30000       | lea                 ecx, [0xe12d]
            //   488b45d8             | mov                 ecx, 1
            //   488908               | dec                 esp
            //   488d0d892f0100       | lea                 eax, [0xe119]
            //   488b45d8             | dec                 eax
            //   8990a8030000         | lea                 edx, [0xe11a]

        $sequence_5 = { 08c1 0f1f440000 b810000000 e8???????? }
            // n = 4, score = 100
            //   08c1                 | mov                 ecx, dword ptr [eax + 0x88]
            //   0f1f440000           | dec                 eax
            //   b810000000           | lea                 eax, [0x15405]
            //   e8????????           |                     

        $sequence_6 = { e8???????? 8b4de4 83c40c 6bc930 8975e0 8db128b90010 8975e4 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4de4               | dec                 eax
            //   83c40c               | mov                 dword ptr [eax], ecx
            //   6bc930               | dec                 eax
            //   8975e0               | lea                 ecx, [0x12f89]
            //   8db128b90010         | dec                 eax
            //   8975e4               | mov                 eax, dword ptr [ebp - 0x28]

        $sequence_7 = { 488b8888000000 488d053d110100 483bc8 7405 e8???????? c70301000000 488b85a0010000 }
            // n = 7, score = 100
            //   488b8888000000       | dec                 eax
            //   488d053d110100       | mov                 ecx, dword ptr [eax + 0x88]
            //   483bc8               | dec                 eax
            //   7405                 | lea                 eax, [0x1113d]
            //   e8????????           |                     
            //   c70301000000         | dec                 eax
            //   488b85a0010000       | cmp                 ecx, eax

        $sequence_8 = { 08c1 08d3 89ca 80e201 }
            // n = 4, score = 100
            //   08c1                 | mov                 ecx, 0xd35688dd
            //   08d3                 | sub                 ecx, eax
            //   89ca                 | dec                 eax
            //   80e201               | mov                 dword ptr [ebp - 0x20], ecx

        $sequence_9 = { 68???????? ff15???????? 6a05 8bf8 e8???????? 8b15???????? }
            // n = 6, score = 100
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a05                 | dec                 eax
            //   8bf8                 | mov                 dword ptr [ecx], eax
            //   e8????????           |                     
            //   8b15????????         |                     

        $sequence_10 = { 08c1 08da 80f201 89c8 }
            // n = 4, score = 100
            //   08c1                 | mov                 ecx, esi
            //   08da                 | add                 edi, eax
            //   80f201               | mov                 dword ptr [ebp + 0x14], edi
            //   89c8                 | lea                 edx, [ecx + eax]

        $sequence_11 = { 015304 eb55 4d85c0 7e27 488bd7 4c8b4dc7 4b8b8ccbc0120600 }
            // n = 7, score = 100
            //   015304               | mov                 eax, dword ptr [ebp - 4]
            //   eb55                 | push                dword ptr [eax*8 + 0x1000b2ac]
            //   4d85c0               | push                ebx
            //   7e27                 | mov                 eax, dword ptr [esp + 0x34]
            //   488bd7               | mov                 ecx, dword ptr [esp + 0x38]
            //   4c8b4dc7             | push                ebx
            //   4b8b8ccbc0120600     | push                ebx

        $sequence_12 = { 4883ec20 8bd9 4c8d0d2de10000 b901000000 4c8d0519e10000 488d151ae10000 }
            // n = 6, score = 100
            //   4883ec20             | sub                 eax, esi
            //   8bd9                 | dec                 esp
            //   4c8d0d2de10000       | lea                 eax, [0xcc2f]
            //   b901000000           | and                 edx, 0x3f
            //   4c8d0519e10000       | dec                 eax
            //   488d151ae10000       | mov                 ecx, edi

        $sequence_13 = { 56 e8???????? 83c414 8b45fc ff34c5acb20010 53 }
            // n = 6, score = 100
            //   56                   | inc                 ebp
            //   e8????????           |                     
            //   83c414               | xor                 ecx, ecx
            //   8b45fc               | dec                 esp
            //   ff34c5acb20010       | mov                 dword ptr [esp + 0x5d0], esp
            //   53                   | mov                 edx, 0x80000000

        $sequence_14 = { 08c1 20ca 80f101 89c8 }
            // n = 4, score = 100
            //   08c1                 | mov                 edx, ecx
            //   20ca                 | and                 dl, 1
            //   80f101               | or                  cl, al
            //   89c8                 | or                  bl, dl

        $sequence_15 = { e8???????? 8b15???????? 83c404 8bf0 52 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8b15????????         |                     
            //   83c404               | mov                 dword ptr [eax + 0x3a8], edx
            //   8bf0                 | inc                 esp
            //   52                   | mov                 ecx, dword ptr [esp + 0x78]

        $sequence_16 = { 4e0fbeac18d0a80100 418d4d01 4c8b459f 4c2bc6 }
            // n = 4, score = 100
            //   4e0fbeac18d0a80100     | je    7
            //   418d4d01             | mov                 dword ptr [ebx], 1
            //   4c8b459f             | dec                 eax
            //   4c2bc6               | mov                 eax, dword ptr [ebp + 0x1a0]

        $sequence_17 = { 4c8d052fcc0000 83e23f 488bcf 48c1f906 488d14d2 498b0cc8 c644d13800 }
            // n = 7, score = 100
            //   4c8d052fcc0000       | dec                 esi
            //   83e23f               | movsx               ebp, byte ptr [eax + ebx + 0x1a8d0]
            //   488bcf               | inc                 ecx
            //   48c1f906             | lea                 ecx, [ebp + 1]
            //   488d14d2             | dec                 esp
            //   498b0cc8             | mov                 eax, dword ptr [ebp - 0x61]
            //   c644d13800           | dec                 esp

        $sequence_18 = { 4883611000 488d056cc50000 48894108 488d0551c50000 488901 }
            // n = 5, score = 100
            //   4883611000           | dec                 eax
            //   488d056cc50000       | sar                 ecx, 6
            //   48894108             | dec                 eax
            //   488d0551c50000       | lea                 edx, [edx + edx*8]
            //   488901               | dec                 ecx

        $sequence_19 = { 53 53 53 8d4c245c 51 8b4c242c 8d942494050000 }
            // n = 7, score = 100
            //   53                   | sub                 esp, 0x20
            //   53                   | dec                 eax
            //   53                   | mov                 ebx, ecx
            //   8d4c245c             | dec                 esp
            //   51                   | lea                 ecx, [0x8324]
            //   8b4c242c             | mov                 ecx, 0x19
            //   8d942494050000       | dec                 esp

        $sequence_20 = { ff15???????? 8b442434 8b4c2438 53 53 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8b442434             | inc                 ebp
            //   8b4c2438             | xor                 esp, esp
            //   53                   | dec                 esp
            //   53                   | mov                 dword ptr [esp + 0x5c8], esi

        $sequence_21 = { 53 6804010000 8d94247c030000 52 50 }
            // n = 5, score = 100
            //   53                   | dec                 eax
            //   6804010000           | lea                 eax, [ebp + 0x1c0]
            //   8d94247c030000       | dec                 esp
            //   52                   | mov                 eax, dword ptr [ebp - 0x80]
            //   50                   | dec                 eax

        $sequence_22 = { 03c7 751f 488b85a0010000 488b8888000000 488d0505540100 }
            // n = 5, score = 100
            //   03c7                 | mov                 eax, 0xd35688dc
            //   751f                 | sub                 eax, ecx
            //   488b85a0010000       | mov                 ecx, 0xd35688dd
            //   488b8888000000       | add                 ecx, eax
            //   488d0505540100       | mov                 eax, 0xd35688dc

        $sequence_23 = { ff15???????? 448b4c2478 488d85c0010000 4c8b4580 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   448b4c2478           | dec                 eax
            //   488d85c0010000       | and                 dword ptr [ecx + 0x10], 0
            //   4c8b4580             | dec                 eax

    condition:
        // At least 7 of the 24 $sequence_* strings must be present. The size
        // cap (872448 bytes = 852 KiB) was presumably derived from the samples
        // the rule was generated from; larger containers (installers, padded
        // builds) would be excluded by it even if the code sequences are there.
        7 of them and filesize < 872448
}
[TLP:WHITE] win_strelastealer_w0   (20230118 | detect_StrelaStealer)
rule win_strelastealer_w0 {
    meta:
        description = "detect_StrelaStealer"
        author = "@malgamy12"
        date = "2022/11/12"
        license = "DRL 1.1"
        hash = "6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Build artefact: the PDB path left in the sample. By itself it is
        // enough for a match (see condition), so any PE that merely contains
        // this path as text would also fire - rate $pdb-only hits as lower
        // confidence than hits that also carry $chunk_1.
        $pdb = "StrelaDLLCompile.pdb" ascii

        // Secondary identifiers: a GUID and the DLL's own name. Both are
        // matched as ASCII only; UTF-16 (wide) copies are not covered.
        $s1 = "4f3855aa-af7e-4fd2-b04e-55e63653d2f7" ascii
        $s2 = "StrelaDLLCompile.dll" ascii

        // Code pattern. Decoding the fixed bytes, this looks like a
        // table-indexed XOR decode loop that handles two bytes per pass:
        //   33 D2 8B C7 F7 F3    xor edx,edx ; mov eax,edi ; div ebx  -> edx = eax mod ebx
        //   8D 04 2E             lea eax, [esi + ebp]
        //   83 C7 ?? 83 C6 ??    add edi, imm8 ; add esi, imm8
        //   8A 92 [4]            mov dl, [edx + disp32]                (table lookup)
        //   30 56 ??             xor byte ptr [esi + disp8], dl
        //   33 D2 F7 F3          xor edx,edx ; div ebx
        //   8A 82 [4] 30 46 ??   mov al, [edx + disp32] ; xor byte ptr [esi + disp8], al
        //   83 FF ??             cmp edi, imm8
        // ebx presumably holds the table/key length - confirm on a sample.
        // The ?? and [4] bytes are the immediates and addresses that differ
        // between builds, which is what keeps the pattern build-independent.
        $chunk_1 = {33 D2 8B C7 F7 F3 8D 04 2E 83 C7 ?? 83 C6 ?? 8A 92 [4] 30 56 ?? 33 D2 F7 F3 8A 82 [4] 30 46 ?? 83 FF ??}

    condition:
        // MZ magic first: the rule only considers files with a DOS header, so
        // unpacked memory dumps without one will not match this rule.
        // Then either the PDB path alone, or the decode loop together with at
        // least one of the name/GUID strings ("any of" == "1 of").
        uint16(0) == 0x5A4D and
        (
            $pdb or
            ($chunk_1 and any of ($s*))
        )
}