Keypoints
- StealC is delivered as fake installers/cracks via platforms like Discord, GitHub, Dropbox, and Mega and may redirect victims through multiple pages before download.
- Samples check file names and will not trigger malicious actions if renamed, a deliberate sandbox/analysis evasion technique.
- On execution, StealC downloads a PNG from image hosting sites that contains encoded malicious data; decoding produces shellcode and binary payloads.
- The payload spawns legitimate SysWOW64 binaries (netsh.exe, for example) as child processes and drops AutoIt scripts into the Temp folder, then loads the infostealer into the AutoIt process for execution.
- Injection methods include manual ntdll.dll mapping and Heaven’s Gate (x64 execution from WOW64), used to bypass and hinder security product analysis.
- StealC gathers system/browser data, crypto wallets, and messaging/mail client info; its distribution and C2 methods overlap with Vidar samples, suggesting a common actor or shared infrastructure.
- IOCs published include MD5 hashes, PNG distribution URLs, Mega distribution links, and a C2 IP endpoint (193.143.1[.]226).
MITRE Techniques
- [T1055] Process Injection – Used to load and execute payloads inside legitimate processes via manual ntdll mapping and other injection methods (‘The ntdll manual mapping and Heaven’s Gate techniques are used for injection.’).
- [T1105] Ingress Tool Transfer – Initial payload and required binaries are fetched from external hosting (PNG and other files downloaded from image-hosting sites) (‘When the malware is executed, it downloads a PNG file from an image hosting site.’).
- [T1027] Obfuscated Files or Information – Malicious data is encoded and embedded inside a PNG image to hide the payload (‘The image file has encoded malicious data embedded in the middle of the image data.’).
- [T1036] Masquerading – The malware is presented as legitimate installers or software cracks to trick users into execution (‘StealC malware disguised as an installer’ and ‘disguised as software cracks’).
- [T1497] Virtualization/Sandbox Evasion – Samples check file names and suppress malicious actions if altered to avoid sandbox analysis (‘The malicious actions are not triggered if the file names are changed, a feature intended for bypassing analysis environments such as sandboxes.’).
Indicators of Compromise
- [MD5 hashes] StealC samples – c935f54929475d06b6d11c746ac64156, d3bbe6f53dec9b65400f6477fb7ad697 (setup filenames shown).
- [PNG URLs] Embedded payload hosts – https://i.ibb.co/FxjS8cy/1492239061.png, https://gcdnb.pbrd.co/images/ZZsYr33PtdW0.png?o=1 (and multiple other image-hosted PNGs).
- [Distribution links] Installer distribution examples – hxxps://mega[.]nz/file/AhEBmaBI#lyluDB_AcC4qphklfyKhGYHyJnwyRCfvX2UC-zi6YA8, hxxps://mega[.]nz/file/VWs2HKSQ#PnyLXgyDKNY1REGwFIG2D_K0Vmw8K0z_KM-aVGVEBWI.
- [C2 / IP] Command-and-control endpoint – hxxp://193.143.1[.]226/129edec4272dc2c8.php (StealC C2); other related C2s used by Vidar include 37.27.36[.]6 and 142.132.224[.]223:9001.
When executed, the deceptive installer first checks its own filename. If the sample has been renamed, as sandboxes and analysts routinely do, the malicious branch never runs, so detonate it under the exact name it was distributed with. If the expected filename is present, it downloads a PNG from an image-hosting service. That PNG carries encoded data in the middle of the image data which, once decoded, yields shellcode and a binary payload; the decoded components are then staged for execution.
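Because the page says only that the PNG has encoded data "embedded in the middle of the image data" and does not describe the encoding, the first triage step for one of these images is structural: find where the extra bytes sit while the picture still renders. The walker below is an added example, not code from the ASEC write-up. It validates every chunk CRC, flags chunk types outside the PNG specification, reports an unknown chunk wedged between IDAT chunks (which the spec requires to be consecutive, yet most decoders tolerate), compares the decompressed IDAT size with what the IHDR geometry needs, and reports bytes after IEND. The sample image, the `stEg` chunk name and the high-entropy filler are all constructed for the example; the assumed carrier layouts are this example's, not a claim about the real StealC images.

```python
"""PNG chunk triage for image-hosted droppers (added example; not the ASEC write-up's code).

Nothing here assumes a particular encoding scheme. The walker only surfaces the places
extra data can hide while the image still displays: a non-standard chunk between IDAT
chunks, a chunk whose CRC does not match, an IDAT stream larger than the IHDR geometry
needs, or bytes appended after IEND.
"""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
                b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
                b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted data sits near 8, ASCII text near 4 to 5."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def expected_raw_size(ihdr: bytes):
    """Decompressed IDAT size the IHDR geometry implies (one filter byte per row)."""
    width, height, depth, ctype, _c, _f, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace != 0 or ctype not in CHANNELS:
        return None  # Adam7 passes are not one stripe of rows; skip the size check
    return height * (1 + (width * CHANNELS[ctype] * depth + 7) // 8)


def analyse_png(blob: bytes) -> dict:
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    chunks, findings, idat, ihdr = [], [], bytearray(), None
    pos, seen_iend, saw_idat, interrupted = len(PNG_SIG), False, False, None
    while pos + 12 <= len(blob) and not seen_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data, crc = blob[pos + 8:pos + 8 + length], blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        crc_ok = struct.unpack(">I", crc)[0] == zlib.crc32(ctype + data)
        ent = shannon_entropy(data)
        chunks.append({"type": ctype.decode("latin-1"), "offset": pos, "length": length,
                       "entropy": round(ent, 2), "crc_ok": crc_ok})
        if not crc_ok:
            findings.append(f"CRC mismatch on {ctype!r} at offset {pos}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r}: {length} bytes, entropy {ent:.2f}, offset {pos}")
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"IDAT":
            if interrupted:  # the spec requires IDAT chunks to be consecutive
                findings.append(f"IDAT sequence interrupted by {interrupted!r}")
                interrupted = None
            saw_idat = True
            idat += data
        elif ctype == b"IEND":
            seen_iend = True
        elif saw_idat:
            interrupted = ctype
        pos += 12 + length
    if not seen_iend:
        findings.append("no IEND chunk")
    elif pos < len(blob):
        findings.append(f"{len(blob) - pos} bytes appended after IEND at offset {pos}")
    raw_len = need = None
    try:
        raw_len = len(zlib.decompress(bytes(idat)))
    except zlib.error:
        findings.append("IDAT stream does not decompress")
    if ihdr is not None and len(ihdr) == 13:
        need = expected_raw_size(ihdr)
    if raw_len is not None and need is not None and raw_len != need:
        findings.append(f"IDAT decompresses to {raw_len} bytes, IHDR geometry needs {need}")
    return {"chunks": chunks, "findings": findings, "idat_raw_len": raw_len, "idat_expected_len": need}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample(hidden=None, trailing: bytes = b"") -> bytes:
    """Constructed 1x1 RGBA PNG (not a real sample). With `hidden`, a private 'stEg'
    chunk is wedged between two halves of the IDAT stream; decoders skip unknown
    ancillary chunks, so the image still displays. `trailing` is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    comp = zlib.compress(b"\x00\xff\x00\x00\xff")  # filter byte + one red pixel
    half = len(comp) // 2
    middle = _chunk(b"stEg", hidden) if hidden is not None else b""
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", comp[:half]) + middle
            + _chunk(b"IDAT", comp[half:]) + _chunk(b"IEND", b"") + trailing)


# Deterministic high-entropy filler standing in for an encoded payload (constructed).
HIDDEN = bytes((i * 73 + 11) & 0xFF for i in range(1024))

if __name__ == "__main__":
    report = analyse_png(build_sample(HIDDEN, trailing=b"MZ" + b"\x00" * 200))
    for c in report["chunks"]:
        print(c)
    for f in report["findings"]:
        print("!", f)
```

Run it against a downloaded image with `analyse_png(open(path, "rb").read())`; the offsets in the findings are where to carve. A clean image yields an empty findings list, and a valid CRC on a suspicious chunk is not reassuring: whoever embedded the data computed it.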
The launcher spawns legitimate SysWOW64 binaries (netsh.exe and more.com were observed) as child processes and drops AutoIt scripts (WinAPIHObj.au3, DllCall.au3) into the Temp folder, running them under an AutoIt interpreter. The final infostealer is loaded into, and executed from, that AutoIt process. Along the way the loader relies on two injection techniques chosen to defeat user-mode monitoring: it manually maps a fresh copy of ntdll.dll, so its system calls go through unhooked code rather than the in-memory copy that security products have patched, and it uses Heaven's Gate, switching a WOW64 (32-bit) process into x64 execution, which 32-bit-only hooks and emulators do not follow.
StealC then harvests system and browser data, cryptocurrency wallets, and Discord, Telegram and mail-client data, and reports to C2 infrastructure observed at 193.143.1[.]226 and other endpoints. The campaign's distribution channels, injection techniques, PNG-hosted payloads and C2 infrastructure overlap with previously observed Vidar samples, pointing to shared tooling or a common actor.
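The process chain and the published IOCs above translate directly into host telemetry rules. The following is an added example, not detection content from the ASEC report: a small rule set run over constructed records shaped like Sysmon process-creation (EventID 1), network-connection (EventID 3) and DNS-query (EventID 22) events after JSON normalisation. It alerts on SysWOW64 netsh.exe/more.com spawned by a parent living in a user-writable directory, an AutoIt interpreter executing a .au3 script from Temp, a DNS lookup of the page's PNG hosts by such a binary, and any connection to the listed C2 endpoints. The user-writable directory list, the AutoIt interpreter image name (`AutoIt3.exe`), the Downloads path of the installer and all event values are this example's assumptions; only the IP addresses, ports and PNG hostnames come from the page. Benign look-alikes are included so the rules can be seen not to fire on them.

```python
"""Host-telemetry rules for the StealC chain on this page (added example, not from the ASEC report).

Events mimic Sysmon EventID 1 (process create), 3 (network connect) and 22 (DNS query)
after JSON normalisation; field names follow Sysmon's. The USER_WRITABLE list and the
AutoIt interpreter name are assumptions made for this example.
"""
import ntpath  # Windows path handling that also works on a Linux analysis box

# Indicators taken from the page's IOC section. None means "any port".
C2_ENDPOINTS = {("193.143.1.226", 80), ("37.27.36.6", None), ("142.132.224.223", 9001)}
PAYLOAD_HOSTS = {"i.ibb.co", "gcdnb.pbrd.co"}
# Assumption for this example: where a user-launched fake installer typically lives.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")
LOLBINS = {"netsh.exe", "more.com"}  # SysWOW64 children named on the page


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_user_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_lolbin_from_user_dir(ev):
    """SysWOW64 netsh.exe / more.com whose parent runs from a user-writable directory."""
    if ev["EventID"] != 1:
        return None
    if (_base(ev["Image"]) in LOLBINS and "\\syswow64\\" in ev["Image"].lower()
            and _in_user_dir(ev["ParentImage"])):
        return f"SysWOW64 {_base(ev['Image'])} spawned by user-directory parent {ev['ParentImage']}"
    return None


def rule_autoit_script_in_temp(ev):
    """Any AutoIt interpreter executing a .au3 script that sits under a Temp folder."""
    if ev["EventID"] != 1:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if _base(ev["Image"]).startswith("autoit") and ".au3" in cmd and "\\temp\\" in cmd:
        return f"AutoIt interpreter running script from Temp: {ev['CommandLine']}"
    return None


def rule_c2_connection(ev):
    """Outbound connection to a C2 endpoint listed on the page (port-aware)."""
    if ev["EventID"] != 3:
        return None
    ip, port = ev["DestinationIp"], int(ev["DestinationPort"])
    for c2_ip, c2_port in C2_ENDPOINTS:
        if ip == c2_ip and (c2_port is None or port == c2_port):
            return f"connection to known C2 {ip}:{port} from {ev['Image']}"
    return None


def rule_payload_host_lookup(ev):
    """A binary in a user-writable directory resolving one of the PNG hosting domains."""
    if ev["EventID"] != 22:
        return None
    if ev["QueryName"].lower() in PAYLOAD_HOSTS and _in_user_dir(ev["Image"]):
        return f"user-directory binary {ev['Image']} resolved payload host {ev['QueryName']}"
    return None


RULES = [rule_lolbin_from_user_dir, rule_autoit_script_in_temp, rule_c2_connection, rule_payload_host_lookup]


def detect(events):
    """Return one alert per (event, rule) hit, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append({"rule": rule.__name__, "pid": ev.get("ProcessId"), "detail": msg})
    return alerts


SETUP = "C:\\Users\\alice\\Downloads\\setup.exe"  # constructed lure path
AUTOIT = "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe"  # constructed interpreter path
SAMPLE_EVENTS = [  # constructed; the first six are the infection chain, the rest are benign look-alikes
    {"EventID": 1, "ProcessId": 4120, "Image": SETUP, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "setup.exe"},
    {"EventID": 22, "ProcessId": 4120, "Image": SETUP, "QueryName": "i.ibb.co"},
    {"EventID": 1, "ProcessId": 4188, "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": SETUP, "CommandLine": "netsh.exe"},
    {"EventID": 1, "ProcessId": 4202, "Image": "C:\\Windows\\SysWOW64\\more.com", "ParentImage": SETUP, "CommandLine": "more.com"},
    {"EventID": 1, "ProcessId": 4260, "Image": AUTOIT, "ParentImage": SETUP,
     "CommandLine": "AutoIt3.exe C:\\Users\\alice\\AppData\\Local\\Temp\\WinAPIHObj.au3"},
    {"EventID": 3, "ProcessId": 4260, "Image": AUTOIT, "DestinationIp": "193.143.1.226", "DestinationPort": 80},
    {"EventID": 1, "ProcessId": 900, "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "netsh.exe"},
    {"EventID": 3, "ProcessId": 4120, "Image": SETUP, "DestinationIp": "142.132.224.223", "DestinationPort": 443},  # listed C2 was on 9001
    {"EventID": 22, "ProcessId": 5000, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "i.ibb.co"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] pid={a['pid']}: {a['detail']}")
```

The rules are deliberately narrow: the image-host lookup and the SysWOW64 child rules only fire when the originating binary lives in a user-writable path, which keeps a browser visiting i.ibb.co or a service spawning netsh.exe quiet, and the C2 rule honours the port the page reports for each endpoint. In a real deployment the IP list will rot quickly; the process-tree rules are the durable part.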
Read more: https://asec.ahnlab.com/en/63308/