Fletchen Stealer: An Information Stealer with Sophisticated Anti-Analysis Measures – CYFIRMA

Fletchen Stealer is a Rust-based information-stealing malware offered as stealer-as-a-service, featuring sophisticated anti-analysis defenses to hinder detection and analysis. The report details its data collection, persistence, exfiltration, and evolving capabilities, including version 2 updates and threat actor activity on underground forums and Telegram channels. Hashtags: #FletchenStealer #StealerAsAService

Key points

  • Fletchen Stealer is an advanced information-stealing malware offered as stealer-as-a-service.
  • It is distributed for free but requires users to meet conditions to obtain the specimen.
  • Advertising and distribution occur via underground forums, onion sites, and Telegram channels.
  • It employs sophisticated anti-analysis measures and persistence mechanisms (startup folder, scheduled task).
  • Targets a wide range of data: browser data, wallets, VPN/FTP data, chat apps, gaming, cloud storage, and more.
  • Exfiltration is to a hardcoded IP with trace cleanup; operators appear to be French-speaking with broader ecosystem support.

MITRE Techniques

  • [T1592] Gather Victim Host Information – Used during reconnaissance to collect data about the victim host. “Reconnaissance (TA0043) … T1592: Gather Victim Host Information”
  • [T1059.003] Windows Command Shell – Execution stage usage. “Execution (TA0002) T1059.003: Windows Command Shell”
  • [T1053.005] Scheduled Task – Persistence mechanism used to run with highest privileges. “Scheduled Task”
  • [T1204.002] Malicious File – The malware is delivered as an unsigned binary that the user must execute. “Malicious File”
  • [T1622] Debugger Evasion – Defense evasion by avoiding debuggers. “Debugger Evasion”
  • [T1497] Virtualization/Sandbox Evasion – Avoiding virtualization/sandbox environments. “Virtualization/Sandbox Evasion”
  • [T1140] Deobfuscate/Decode Files or Information – Handling embedded payloads and obfuscated data. “Deobfuscate/Decode Files or Information”
  • [T1564.001] Hidden Files and Directories – Hiding artifacts via hidden files/directories. “Hidden Files and Directories”
  • [T1070.004] File Deletion – Cleaning traces by deleting data after exfiltration. “File Deletion”
  • [T1027.009] Embedded Payloads – Use of embedded DLL (escapi.dll) as part of the payload. “Embedded Payloads”
  • [T1083] File and Directory Discovery – Enumerating files/directories to locate data. “File and Directory Discovery”
  • [T1071.001] Web Protocols – C2 communication over web protocols. “Web Protocols”
  • [T1041] Exfiltration Over C2 Channel – Stolen data is sent over the C2 channel to a hard-coded IP address. “Exfiltration Over C2 Channel”

Indicators of Compromise

  • [File] Network.zip – 487bae97ec7b96bc020511af3a3b3954, 0a970e1e07e550b2c5d725ea82d5ef3d5e2cbf53da9561a8815e39e55ae89ec3
  • [File] Network.exe – fd9ee313b9b543a53cb8843df91e18de, a3d23713b6a1bc888eae41a2884dd94c72b1d749de3015689c4f86ee2ebd00dd
  • [File] escapi.dll – 568aea1ddacf0948fc623e6695796e04, e6134f3dca8c2d281f1af92eaf2551a737a46d88ab6eec1c09ffd7d4719a4fff
  • [Domain] Phishing – test.brosecure360[.]com, metamask.toyosol[.]com
  • [IP address] Phishing – 45[.]61[.]139[.]51
  • [IP address] Exfiltration site – 38[.]180[.]120[.]148, 185[.]166[.]39[.]91:7777
  • [IP address] Exfiltration site – 195[.]35[.]3[.]209, 162[.]241[.]85[.]73
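The indicators above are published in defanged form (`[.]` in place of `.`), so they cannot be pasted straight into a matching rule. The following added example, written here for illustration and not code from CYFIRMA or the report, refangs the network indicators listed on this page, sweeps a few constructed proxy/DNS log lines for them, and looks up file hashes against the published MD5/SHA-256 pairs. The log lines, the internal source addresses and the 198.51.100.10 destination are constructed sample data, not observations from the report.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Network indicators exactly as listed in the summary (defanged).
DEFANGED_NETWORK_IOCS = [
    "test.brosecure360[.]com",       # phishing domain
    "metamask.toyosol[.]com",        # phishing domain
    "45[.]61[.]139[.]51",            # phishing IP
    "38[.]180[.]120[.]148",          # exfiltration site
    "185[.]166[.]39[.]91:7777",      # exfiltration site (with port)
    "195[.]35[.]3[.]209",            # exfiltration site
    "162[.]241[.]85[.]73",           # exfiltration site
]

# File indicators from the summary: name -> (MD5, SHA-256), all lower-case hex.
FILE_HASHES = {
    "Network.zip": ("487bae97ec7b96bc020511af3a3b3954",
                    "0a970e1e07e550b2c5d725ea82d5ef3d5e2cbf53da9561a8815e39e55ae89ec3"),
    "Network.exe": ("fd9ee313b9b543a53cb8843df91e18de",
                    "a3d23713b6a1bc888eae41a2884dd94c72b1d749de3015689c4f86ee2ebd00dd"),
    "escapi.dll":  ("568aea1ddacf0948fc623e6695796e04",
                    "e6134f3dca8c2d281f1af92eaf2551a737a46d88ab6eec1c09ffd7d4719a4fff"),
}

# Constructed sample log lines (not from the report) to demonstrate matching.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.5 dst=185.166.39.91:7777 method=POST uri=/upload bytes=482113",
    "2024-05-01T10:02:12Z proxy src=10.0.0.5 dst=198.51.100.10:443 method=GET uri=/ bytes=1234",
    "2024-05-01T10:03:00Z dns src=10.0.0.7 query=metamask.toyosol.com",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://").replace("hxxps://", "https://")


def indicator_host(ioc: str) -> str:
    """Refang and strip an optional :port so the host alone can be matched."""
    return refang(ioc).split(":", 1)[0]


def _host_pattern(host: str) -> re.Pattern:
    # Match the host as a whole token: not preceded/followed by a word char or dot,
    # so 195.35.3.209 does not fire on 195.35.3.2091 or on a longer domain.
    return re.compile(r"(?<![\w.])" + re.escape(host) + r"(?![\w.])", re.IGNORECASE)


# Pre-compile one pattern per indicator; keep the original defanged string for reporting.
_PATTERNS = [(ioc, _host_pattern(indicator_host(ioc))) for ioc in DEFANGED_NETWORK_IOCS]


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, defanged_indicator) for every indicator hit, in log order."""
    hits = []
    for idx, line in enumerate(lines):
        for ioc, pattern in _PATTERNS:
            if pattern.search(line):
                hits.append((idx, ioc))
    return hits


def lookup_hash(hexdigest: str) -> Optional[str]:
    """Map an MD5 or SHA-256 hex digest (any case) to the listed file name, if known."""
    needle = hexdigest.strip().lower()
    for name, digests in FILE_HASHES.items():
        if needle in digests:
            return name
    return None


def hash_file_bytes(data: bytes) -> Optional[str]:
    """Hash raw file content and report the listed file name on a match."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return lookup_hash(md5) or lookup_hash(sha256)


if __name__ == "__main__":
    for idx, ioc in scan_log(SAMPLE_LOG):
        print(f"line {idx}: matched {ioc}")
    print(lookup_hash("fd9ee313b9b543a53cb8843df91e18de"))
```

The patterns anchor on token boundaries rather than substrings, which matters for short IPs and for domains that could be suffixes of unrelated hosts; the port on `185[.]166[.]39[.]91:7777` is dropped for matching but the full indicator is reported so an analyst can see which listed entry fired.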

Read more: https://www.cyfirma.com/research/fletchen-stealer-an-information-stealer-with-sophisticated-anti-analysis-measures/