Stealc is a Malware-as-a-Service information stealer promoted by Plymouth, active since January 9, 2023, designed to covertly harvest a wide array of data from the victim and exfiltrate it directly to its command-and-control server. Its standout feature is a streamlined data path that sends data to the C2 as soon as it is gathered, while employing anti-analysis and dynamic API-resolving techniques to stay under the radar. #Stealc #DiscordTokens
Key points
- Stealc is marketed as Malware-as-a-Service by Plymouth on Russian-speaking underground forums.
- It exfiltrates a wide range of data directly to its C2, bypassing local file writes.
- Targets Chrome, Firefox, and Opera data (logins, cookies, history, wallet extensions, and more) plus tokens and sensitive configs.
- Includes anti-analysis and anti-VM/sandbox checks (emulation checks, memory checks, language checks, Defender emulation) and an expiration mechanism.
- Uses advanced obfuscation (opaque control flow) and dynamic API resolution via GetProcAddress and the PEB/Ldr module lists, and later decrypts configs with RC4 and DPAPI/AES.
- Communicates with a hardcoded C2 (www.fff-ttt.com) using HTTP, generates victim IDs from drive serials, and base64-encodes data for transmission.
MITRE Techniques
- [T1082] System Information Discovery – Stealc collects system and hardware data (IP, OS, CPU, architecture, user/computer names, etc.) to identify the host. “gathers system and hardware information like, ip address country processor name operating system arch 32 or 64 pc or laptop UserName computerName Screenshot installed apps running process etc…..”
- [T1555.003] Credentials from Web Browsers – It steals browser data including logins, cookies, history, and wallet data from Chrome/Firefox/Opera, and related browser artifacts. “Chrome/Firefox/Opera logins, credit cards, cookies, and History”
- [T1113] Screen Capture – Takes screenshots of the victim’s machine as part of data collection. “Take screenshots of the victim’s machine”
- [T1105] Ingress Tool Transfer – Downloads additional components (DLLs like Sqlite3.dll) from C2 to enable data extraction. “Stealc will download Sqlite3 Dll which will be used to execute some queries to retrieve data from Chrome Application data”
- [T1497] Virtualization/Sandbox Evasion – Performs multiple checks to detect emulation/AV/sandbox (Windows Defender emulator checks, memory checks, language checks) and exits if detected. “check if it’s running under Emulation Environment By doing some checks for Emulators specifically Windows Defender”
- [T1041] Exfiltration Over C2 Channel – Data is collected, encoded (base64), and sent to the C2 server via HTTP requests, with packet IDs and victim IDs used in the exchange. “the malware will send the victim ID … the packet format confirmed our code analysis”
Indicators of Compromise
- [Domain] fff-ttt.com – main C2 server used by Stealc
- [Domain] moneylandry.com – alternative C2 domain referenced in the traffic flow
- [URL] hxxp://fff-ttt[.]com/984dd96064cb23d7.php – first C2 endpoint mentioned
- [IP Address] 162.0.238.10 – example host used within the C2 chain
- [IP Address] 185.5.248.95 – another remote endpoint observed in the traffic
- [SHA-256] 1E09D04C793205661D88D6993CB3E0EF5E5A37A8660F504C1D36B0D8562E63A2 – sample hash of the Stealc analysis
- [File name] wallet.dat – file used by local cryptocurrency wallets that Stealc targets
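As an added example (not part of the original analysis), the following Python snippet matches the indicators above and the T1105/T1041 behaviours described earlier against constructed proxy-log lines; the log format, the sample lines and the helper names are assumptions, while the domains, IPs and endpoint path come from the indicator list.

```python
import base64
import re
from urllib.parse import urlparse

# Indicators from the analysis page; the log format below is a constructed assumption.
C2_HOSTS = {"fff-ttt.com", "www.fff-ttt.com", "moneylandry.com",
            "162.0.238.10", "185.5.248.95"}
C2_PATHS = {"/984dd96064cb23d7.php"}

# Assumed proxy-log layout: "<timestamp> <client-ip> <method> <url> <status> <body-or-dash>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) "
                    r"(?P<url>\S+) (?P<status>\d{3}) (?P<body>.*)$")


def looks_base64(s, min_len=32):
    """True if s is a strictly valid, padded base64 string of useful length."""
    if len(s) < min_len or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (ValueError, TypeError):
        return False


def classify(line):
    """Return the list of reasons a log line matches Stealc activity (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    u = urlparse(m["url"])
    host = (u.hostname or "").lower()
    reasons = []
    c2_hit = host in C2_HOSTS or u.path in C2_PATHS
    if c2_hit:
        reasons.append("known Stealc C2 indicator")
    if m["method"] == "GET" and u.path.lower().endswith("sqlite3.dll"):
        reasons.append("T1105 helper DLL download")
    # A base64 POST body alone is weak evidence; only flag it toward a known C2 host.
    if c2_hit and m["method"] == "POST" and looks_base64(m["body"].strip()):
        reasons.append("T1041 base64 POST body to C2")
    return reasons


def scan(lines):
    """Return (index, reasons) for every line that matched at least one reason."""
    return [(i, r) for i, l in enumerate(lines) if (r := classify(l))]


# Constructed sample traffic, not captured data.
LOGS = [
    "2023-03-01T10:00:01Z 10.0.0.5 POST http://fff-ttt.com/984dd96064cb23d7.php 200 "
    + base64.b64encode(b"hwid=CONSTRUCTED-SERIAL&data=constructed-sample-payload").decode(),
    "2023-03-01T10:00:02Z 10.0.0.5 GET http://fff-ttt.com/sqlite3.dll 200 -",
    "2023-03-01T10:00:03Z 10.0.0.5 GET https://example.org/index.html 200 -",
]
```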
Read more: https://farghlymal.github.io/Stealc-Stealer-Analysis/