Maranhão Stealer is a Node.js infostealer distributed via pirated software and trojanized game installers that harvests browser credentials, cookies, cryptocurrency wallets, and other sensitive data on Windows systems. The post describes behavioral indicators, the SHA256 hashes of the analyzed samples, and step-by-step Wazuh detection and SCA configurations to identify and alert on Maranhão Stealer activity.
Keypoints
- Maranhão Stealer is delivered through cracked or modified game launchers and trojanized installers to infect Windows endpoints.
- The malware harvests sensitive data including browser credentials, cookies, and cryptocurrency wallets.
- Observed behaviors include executing processes with a double “.tmp” pattern, loading isdecmp.dll (reflective DLL loader), and hiding files with attrib.exe +h +s.
- Maranhão creates persistence by adding an updater value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to updater.exe.
- The malware performs system fingerprinting via WMIC and PowerShell (e.g., Get-Volume, querying BackupProductKeyDefault) to enumerate system and disk information.
- Three SHA256 sample hashes are provided for analysis: 97813e1c66dc8922b8242d24a7a56409b57ce19c61042ffda93031c43a358b9b, 439eb3631638c61842a20e47e1a31d3c1e917f37688bc3ccdac67dae030117a6, and 16837d2715bc4afb190c08013ba185b4e62dc65fcbd5320f2dfe6f6be2ca9c27.
- Wazuh detection guidance includes Sysmon deployment, custom detection rules (maranhao_rules.xml), and a Wazuh SCA policy (maranhao_stealer_check.yml) to detect artifacts and persistence.
MITRE Techniques
- [T1036] Masquerading – Detection of double .tmp in command line indicating possible masquerading: “Possible Maranhao malware activity: Detection of double .tmp in command line – possible masquerading”
- [T1574.002] Hijack Execution Flow: DLL Search Order Hijacking – isdecmp.dll loaded by a .tmp file indicating reflective loader/injection: “Possible Maranhao malware activity: isdecmp.dll loaded by .tmp file”
- [T1547.001] Registry Run Keys / Startup Folder – Creation of an updater registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to establish persistence: “Maranhao malware activity: $(win.eventdata.details) added to the Run Registry to establish persistence.”
- [T1564.001] Indicator Removal on Host: Hidden Files and Directories – Use of attrib.exe with +h +s to hide files (names containing crypto or infoprocess): “Maranhao malware activity: attrib.exe used to hide a file with +h +s attributes in $(win.eventdata.CurrentDirectory)”
- [T1082] System Information Discovery – Execution of wmic queries and PowerShell Get-Volume to enumerate system, disk, and hardware details: “Maranhao malware activity: System fingerprinting via wmic command: $(win.eventdata.commandLine)”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Use of cmd.exe to run wmic queries for system fingerprinting: “Maranhao malware activity: System fingerprinting via wmic command: $(win.eventdata.commandLine)”
- [T1552.002] Unsecured Credentials – PowerShell command to query BackupProductKeyDefault from the registry to retrieve the Windows product key: “Maranhao malware activity: Malicious PowerShell command to retrieve Windows product key from registry”
- [T1059.001] Command and Scripting Interpreter: PowerShell – Use of PowerShell for registry queries and Get-Volume enumeration: “Maranhao malware activity: Malicious PowerShell command to retrieve Windows product key from registry”
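The technique list above maps each Wazuh rule to a behavioural condition on Sysmon telemetry. The following is an added example (not the post's maranhao_rules.xml, nor Wazuh project code) that expresses the same six conditions as plain Python predicates and runs them over a handful of constructed Sysmon-style events. The event records, user name, SID, paths and command lines are all made up for illustration; only the matching conditions (double .tmp, isdecmp.dll loaded by a .tmp image, updater value under CurrentVersion\Run, attrib.exe +h +s on crypto/infoprocess names, wmic, BackupProductKeyDefault/Get-Volume) come from the post.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Field names follow
# Sysmon's: Image, CommandLine, ImageLoaded, TargetObject, Details,
# CurrentDirectory. EventID 1 = process create, 7 = image load,
# 13 = registry value set. User "bob" and the SID are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\bob\AppData\Local\Temp\is-ABC.tmp\setup.tmp",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\is-ABC.tmp\setup.tmp" /SL5="$1"'},
    {"EventID": 7,
     "Image": r"C:\Users\bob\AppData\Local\Temp\is-ABC.tmp\setup.tmp",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\is-XYZ.tmp\isdecmp.dll"},
    {"EventID": 13,
     "Image": r"C:\Users\bob\AppData\Local\Programs\Microsoft Updater\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\bob\AppData\Local\Programs\Microsoft Updater\updater.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +h +s "crypto.key"',
     "CurrentDirectory": r"C:\Users\bob\AppData\Local\Programs\Microsoft Updater"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /d /s /c wmic diskdrive get Model,SerialNumber"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform').BackupProductKeyDefault"},
    # Benign control event: should match nothing.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]


def _field(event, name):
    """Return an event field as a string, empty when absent."""
    return str(event.get(name, ""))


def double_tmp_in_cmdline(e):
    """T1036: two or more '.tmp' path components in one process command line."""
    return (e.get("EventID") == 1
            and len(re.findall(r"\.tmp\b", _field(e, "CommandLine"), re.I)) >= 2)


def isdecmp_loaded_by_tmp(e):
    """T1574.002: isdecmp.dll image-loaded into a process whose image is a .tmp file."""
    return (e.get("EventID") == 7
            and _field(e, "ImageLoaded").lower().endswith("\\isdecmp.dll")
            and _field(e, "Image").lower().endswith(".tmp"))


def updater_run_key(e):
    """T1547.001: an 'updater' value under ...\\CurrentVersion\\Run pointing at updater.exe."""
    return (e.get("EventID") == 13
            and re.search(r"\\CurrentVersion\\Run\\updater$", _field(e, "TargetObject"), re.I) is not None
            and _field(e, "Details").lower().endswith("updater.exe"))


def attrib_hides_artifact(e):
    """T1564.001: attrib.exe +h +s on a file whose name contains crypto or infoprocess."""
    cmd = _field(e, "CommandLine")
    return (e.get("EventID") == 1
            and _field(e, "Image").lower().endswith("\\attrib.exe")
            and "+h" in cmd and "+s" in cmd
            and re.search(r"crypto|infoprocess", cmd, re.I) is not None)


def wmic_fingerprinting(e):
    """T1082 / T1059.003: wmic invoked to enumerate system or disk details."""
    return (e.get("EventID") == 1
            and re.search(r"\bwmic\b", _field(e, "CommandLine"), re.I) is not None)


def powershell_product_key_or_volume(e):
    """T1552.002 / T1059.001: PowerShell reading BackupProductKeyDefault or running Get-Volume."""
    return (e.get("EventID") == 1
            and "powershell" in _field(e, "Image").lower()
            and re.search(r"BackupProductKeyDefault|Get-Volume", _field(e, "CommandLine"), re.I) is not None)


# Technique label for each predicate, in the order the post lists them.
RULES = [
    ("T1036", double_tmp_in_cmdline),
    ("T1574.002", isdecmp_loaded_by_tmp),
    ("T1547.001", updater_run_key),
    ("T1564.001", attrib_hides_artifact),
    ("T1082, T1059.003", wmic_fingerprinting),
    ("T1552.002, T1059.001", powershell_product_key_or_volume),
]


def scan(events):
    """Return (event index, technique label) for every rule that fires on an event."""
    hits = []
    for index, event in enumerate(events):
        for technique, check in RULES:
            if check(event):
                hits.append((index, technique))
    return hits


if __name__ == "__main__":
    for index, technique in scan(SAMPLE_EVENTS):
        print(f"event {index}: {technique}")
```

Each predicate deliberately keys on the same field a Wazuh rule would (`win.eventdata.commandLine`, `win.eventdata.imageLoaded`, `win.eventdata.targetObject`, `win.eventdata.details`), so the Python conditions can be checked against the XML rules one for one; the benign notepad event at the end shows that none of them fire on ordinary process creation.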
Indicators of Compromise
- [File hash] analyzed sample SHA256 hashes – 97813e1c66dc8922b8242d24a7a56409b57ce19c61042ffda93031c43a358b9b, 439eb3631638c61842a20e47e1a31d3c1e917f37688bc3ccdac67dae030117a6, 16837d2715bc4afb190c08013ba185b4e62dc65fcbd5320f2dfe6f6be2ca9c27
- [File name] persistence and artifacts – updater.exe (Run key and AppData path), crypto.key (hidden cryptographic key file)
- [DLL name] reflective loader – isdecmp.dll loaded by .tmp executable (used for injection)
- [Registry] persistence context – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater pointing to updater.exe
- [File path] installation directory context – C:\Users\<username>\AppData\Local\Programs\Microsoft Updater (presence indicates infection)
Read more: https://wazuh.com/blog/detecting-maranhao-stealer-with-wazuh/