Stealc is a copycat information stealer advertised by Plymouth, drawing on Vidar, Raccoon, Mars and Redline. Sekoia.io analyzes its features, C2 communications, infection chain, and ongoing development, noting its rapid uptake among cybercriminals.
Key points
- Stealc is a MaaS information stealer advertised by Plymouth in January 2023, leveraging Vidar, Raccoon, Mars and Redline.
- It has achieved wide distribution with dozens of samples and more than 40 Stealc C2 servers, indicating popularity among criminals distributing stealers.
- Stealc targets web browsers, browser extensions for cryptocurrency wallets, desktop cryptocurrency wallets, and data from email clients/messenger apps; it includes a customizable file grabber and loader.
- The Stealc admin panel enables threat actors to configure the malware, parse/display/download logs, and manage stolen data, highlighting logs as a MaaS value proposition.
- Plymouth marketed Stealc across multiple channels (XSS, BHF, Exploit forums, Telegram) with deposits and free tests to build trust; development continues weekly with changelogs.
- Technical analysis ties Stealc's features to the advertised capabilities (DLL usage, RC4/base64 obfuscation, WinAPI loading), showing a multi-stage data collection and C2 protocol.
MITRE Techniques
- [T1059.003] Command and Scripting Interpreter - Stealc uses Windows Command Shell to execute commands; e.g., `cmd.exe /c timeout /t 5 & del /f /q "$STEALERPATH" & del "C:\ProgramData\*.dll" & exit`
- [T1106] Native API - The malware dynamically loads WinAPI functions via LoadLibraryA and GetProcAddress
- [T1129] Shared Modules - Stealc downloads legitimate third-party DLLs such as sqlite3.dll, freebl3.dll, mozglue.dll, msvcp40.dll, nss3.dll and others
- [T1027] Obfuscated Files or Information - All strings are obfuscated using RC4 and base64
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution - All functions are dynamically loaded
- [T1036] Masquerading - Checks for sandbox / Defender emulator (HAL9TH, JohnDoe) to evade analysis
- [T1055] Process Injection - The malware loads and executes code via dynamically loaded WinAPI functions
- [T1070] Indicator Removal: File Deletion - Removes itself and downloaded DLLs after execution
- [T1140] Deobfuscate/Decode Files or Information - RC4/base64 deobfuscation of strings
- [T1622] Debugger Evasion - Debugger/sandbox checks to avoid analysis
- [T1005] Data from Local System - Exfiltrates fingerprint data (system_info.txt) including network, system summary, user agents, installed apps and process list
- [T1071.001] Application Layer Protocol: Web Protocols - C2 communications via HTTP POSTs to retrieve configuration and data
- [T1105] Ingress Tool Transfer - Downloads 7 legitimate DLLs from the C2 server
- [T1020] Automated Exfiltration - Exfiltrates data via an automated pattern
- [T1041] Exfiltration Over C2 Channel - Exfiltration over the C2 channel
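The self-deletion command quoted under T1059.003/T1070 is a usable detection hook: a process spawns cmd.exe, waits with `timeout`, deletes the parent's own binary, then deletes `C:\ProgramData\*.dll`. The following is an added example, not code from the Sekoia report, that scores constructed process-creation events (the `image`/`cmdline`/`parent` field names are an assumption) against that pattern.

```python
import re

# Constructed process-creation events (not from the report). The first
# reproduces the Stealc clean-up command; the second lacks the DLL
# deletion; the third is a benign log clean-up with no delay.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout /t 5 & del /f /q "C:\Users\Public\svc.exe" & del "C:\ProgramData\*.dll" & exit',
     "parent": r"C:\Users\Public\svc.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout /t 5 & del /f /q "C:\Users\Public\svc.exe" & exit',
     "parent": r"C:\Users\Public\svc.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /f /q "C:\Temp\build.log" & exit',
     "parent": r"C:\Program Files\Build\build.exe"},
]

# "timeout /t N" gives the parent time to exit before its file is deleted.
RE_TIMEOUT = re.compile(r"\btimeout\s+/t\s+\d+", re.I)
# Capture the target of each "del [/f] [/q] <path>" up to the next "&".
RE_DEL = re.compile(r'\bdel\s+(?:/[fq]\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.I)
# The DLL drop location named in the report.
RE_PROGRAMDATA_DLL = re.compile(r"programdata\\\*\.dll", re.I)


def classify(event):
    """Return 'high', 'medium' or 'none' for one cmd.exe event."""
    if not event["image"].lower().endswith("cmd.exe"):
        return "none"
    cmd = event["cmdline"]
    targets = [t.strip() for t in RE_DEL.findall(cmd)]
    delayed = bool(RE_TIMEOUT.search(cmd))
    deletes_parent = any(t.lower() == event["parent"].lower() for t in targets)
    deletes_dropped_dlls = any(RE_PROGRAMDATA_DLL.search(t) for t in targets)
    if delayed and deletes_parent and deletes_dropped_dlls:
        return "high"      # full Stealc clean-up sequence
    if delayed and deletes_parent:
        return "medium"    # generic delayed self-deletion
    return "none"


def scan(events):
    """Return (index, severity) for every event that is not 'none'."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e) != "none"]


if __name__ == "__main__":
    for idx, sev in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sev} - {SAMPLE_EVENTS[idx]['cmdline']}")
```

The "medium" tier matters because the DLL deletion only appears when the loader actually dropped DLLs; the delayed deletion of the parent's own path is the more stable part of the pattern.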
Indicators of Compromise
- [IP] Stealc C2 servers - 185.143.223.136, 94.131.99.185, and 65.109.131.183 (examples shown; many more)
- [IP] Additional Stealc-related hosts - 45.87.153.50, 179.43.162.94 (and many more)
- [Domain] C2 infrastructure domains - 666palm.com, aa-cj.com, and 777palm.com (additional domains)
- [Hash] Standalone Stealc SHA256 - 77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d, 1e09d04c793205661d88d6993cb3e0ef5e5a37a8660f504c1d36b0d8562e63a2
- [Hash] Stealc sample SHA256 - a2465fc5059ea57c7b64b1dc01caf8735422a005ddb7fabeddfa3cbc89085ccf
- [URL] Stealc C2 URLs - http://146.70.161.51/273d9c8034a95cb4.php, http://162.0.238.10/752e382b4dcf5e3f.php (and more)
- [File] Exfiltrated data files - system_info.txt, and other data files