Executive Summary
StealC is a commodity information‑stealer offered as Malware‑as‑a‑Service (MaaS). It emerged in early 2023 and has evolved with newer versions introducing RC4‑protected strings and traffic. It targets browser credentials, cookies, autofill data, crypto‑wallets, and messenger tokens. Distribution typically occurs via malvertising, SEO‑poisoned download sites, and phishing campaigns.
Malware Family: StealC
Sample SHA‑256: 95a6054ae187f3c968ad3a7832aa05c413dd00b7c6feaec42bb74349a97471b0
The analyzed sample executed a short‑lived loader that:
- Spawned two child binaries in the user’s Documents folder.
- Harvested Chromium/Firefox/Edge artifacts (cookies, Login Data, Web Data, Local State).
- Attempted wallet discovery.
- Contacted hard‑coded C2 endpoints over HTTP using PHP paths.
- Performed anti‑VM/anti‑debug checks and self‑deletion.
Configuration data included RC4 keys, consistent with recent StealC variants.
Sample Overview
- Primary process: Panda3D.exe launched and dropped two executables in %USERPROFILE%\Documents\:
  - 4PjB1WqGxDre.exe
  - WOjeTQIDIjpz.exe
- Issued cmd.exe /c timeout /t 5 & del /f /q "<path>\Panda3D.exe" for self‑deletion.
- Accessed browser storage paths for Chromium/Edge (Cookies, Login Data, Web Data, Local State) and Firefox (cookies.sqlite).
- Probed wallet directories for Bitcoin and Electrum.
- Implemented anti‑VM and anti‑debug techniques.
- Used Themida packing, XOR encoding, and aPLib compression.
- Downloaded additional payloads via HTTP GET and exfiltrated data via HTTP POST to hard‑coded IP addresses.
- RC4 keys and botnet tags were found in memory.
StealC Family Background
- Origins: First advertised in early 2023 on underground forums, influenced by Vidar and Raccoon.
- Targets: Steals from multiple browsers, crypto wallets, email clients, and messengers.
- Recent updates: Newer versions use JSON‑style C2, RC4 encryption, and expanded grabber modules. They typically avoid persistence, favoring quick data theft and exit.
Technical Analysis
1) Initial Access
Common delivery methods include fake installers, cracked software, phishing, and loaders.
2) Execution Flow
- Parent process dropped two executables and deleted itself.
- Hidden windows and RWX memory allocations indicate unpacking/injection.
- Child binaries spoofed metadata to mimic legitimate Windows components.
3) Evasion & Anti‑Analysis
- Themida packing, XOR encoding, and aPLib decompression.
- Anti‑VM checks (BIOS, VirtualBox keys), memory checks, and anti‑debugging (thread hiding, guard pages).
4) Credential Access & Collection
- Accessed browser credential stores and cookies.
- Probed crypto wallet directories.
- Evidence of DPAPI decryption routines.
5) Command‑and‑Control
- HTTP POST to PHP endpoint on raw IP.
- HTTP GET for additional payloads.
- Minimal HTTP headers and RC4‑encrypted configuration.
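Because the configuration and traffic are RC4-protected, an analyst who has pulled candidate keys from memory (the IoC section lists two) needs an RC4 round-trip and a way to tell which key applies. The block below is an added example written for this write-up, not code from the sample or the report: it implements textbook RC4 (KSA + PRGA), then tries each candidate key against a blob and keeps the first that yields printable output. The ciphertext is constructed here by encrypting a made-up string with one of the listed keys; it is not real StealC traffic, and nothing here asserts which real strings those keys decrypt.

```python
"""RC4 recovery helper for RC4-protected strings/traffic once a key is known.
Added example; the sample ciphertext is constructed, not captured."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Keys listed in the IoC section of this report; order is arbitrary
CANDIDATE_KEYS = [b"qCoL4tk4lS", b"5256ba8fd3514625"]


def looks_like_text(blob: bytes) -> bool:
    """Crude plausibility check: ASCII and printable (plus whitespace)."""
    try:
        s = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def try_keys(blob: bytes, keys=CANDIDATE_KEYS):
    """Return (key, plaintext) for the first key giving printable output, else None."""
    for k in keys:
        pt = rc4(k, blob)
        if looks_like_text(pt):
            return k, pt
    return None


# Constructed: a made-up config-style string encrypted with the first listed key,
# so the example runs offline. This is NOT a real StealC configuration blob.
SAMPLE_PLAINTEXT = b"botnet=cause|c2=http://178.16.54.175/98192667989749a8.php"
SAMPLE_CIPHERTEXT_B64 = base64.b64encode(rc4(b"qCoL4tk4lS", SAMPLE_PLAINTEXT)).decode()


def recover_sample():
    """Decode the constructed blob and identify which candidate key fits."""
    blob = base64.b64decode(SAMPLE_CIPHERTEXT_B64)
    return try_keys(blob)


if __name__ == "__main__":
    result = recover_sample()
    if result:
        key, pt = result
        print(f"key {key.decode()} -> {pt.decode()}")
```

The printable-output heuristic is deliberately simple; for JSON-style C2 bodies, checking that the output parses as JSON is a stronger discriminator, and for binary payloads a known-magic check (for example an MZ header) works better than printability.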
6) Persistence
No persistence observed; the malware deleted its initial loader after execution.
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Defense Evasion | Obfuscated/packed binaries | T1027 / T1027.002 |
| Defense Evasion | Hidden window | T1564.003 |
| Discovery | System info & BIOS checks | T1082 |
| Discovery | Process discovery | T1057 |
| Credential Access | Credentials from browsers | T1555.003 |
| Collection | Data from local system | T1005 |
| Command & Control | Application‑layer protocol (HTTP) | T1071.001 |
| Impact | Self‑deletion | T1070.004 |
Indicators of Compromise
Files & Processes
- Dropped executables:
  - %USERPROFILE%\Documents\4PjB1WqGxDre.exe
  - %USERPROFILE%\Documents\WOjeTQIDIjpz.exe
- Randomized directories in C:\ProgramData\.
Browser Paths
- ...\Chromium\User Data\Default\Network\Cookies
- ...\Edge\User Data\Default\Login Data
- ...\Firefox\Profiles\<profile>\cookies.sqlite
Network
- C2 POST: http://178.16.54.175/98192667989749a8.php
- Payload GET: http://178.16.53.193/.../YEr2KP0jEBhSDdVc...FZq.exe
Config
- RC4 keys: qCoL4tk4lS, 5256ba8fd3514625
- Botnet tag: cause
Detection & Hunting
- Monitor for processes accessing browser credential stores outside normal browser activity.
- Detect self‑deletion patterns using cmd.exe /c timeout /t 5 & del /f /q.
- Look for HTTP traffic to raw IPs with minimal headers and PHP endpoints.
- Hunt for Themida‑packed binaries and RWX memory allocations.
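The first three hunting items above translate directly into triage rules over EDR telemetry: a process-creation rule for the timeout-and-del one-liner, a file-access rule for non-browser processes touching the browser stores named in this report, and an HTTP rule for raw-IP hosts with .php paths and a sparse header set. The block below is an added example written for this write-up, not code from the report or from any vendor product; the event schema (type, image, cmdline, path, url, headers) is an assumption about an EDR export, and the sample events are constructed, with paths and URLs taken from the IoC section.

```python
"""Triage rules for the StealC behaviours in the Detection & Hunting section,
run over constructed sample telemetry. Added example; event schema assumed."""
import ipaddress
import re
from urllib.parse import urlparse

# Browser credential/cookie stores named in the report (path suffixes, case-insensitive)
BROWSER_STORE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\\User Data\\[^\\]+\\Network\\Cookies$",
        r"\\User Data\\[^\\]+\\Login Data$",
        r"\\User Data\\[^\\]+\\Web Data$",
        r"\\User Data\\Local State$",
        r"\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$",
    )
]
# Processes expected to open those stores; anything else reading them is suspicious
BROWSER_PROCESSES = {"chrome.exe", "chromium.exe", "msedge.exe", "firefox.exe"}

# Self-deletion one-liner observed in the sample (timeout value left flexible)
SELF_DELETE_RE = re.compile(
    r"cmd\.exe\s+/c\s+timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q", re.IGNORECASE)


def detect_self_deletion(cmdline: str) -> bool:
    return bool(SELF_DELETE_RE.search(cmdline))


def detect_browser_store_access(image: str, path: str) -> bool:
    """True when a non-browser process touches a known credential/cookie store."""
    if image.lower() in BROWSER_PROCESSES:
        return False
    return any(p.search(path) for p in BROWSER_STORE_PATTERNS)


def detect_raw_ip_php_c2(url: str, headers: dict) -> bool:
    """Raw-IP host, .php path, and a sparse header set (no User-Agent or <= 2 headers)."""
    u = urlparse(url)
    try:
        ipaddress.ip_address(u.hostname or "")
    except ValueError:
        return False  # hostname is a DNS name, not a raw IP
    if not u.path.lower().endswith(".php"):
        return False
    names = {k.lower() for k in headers}
    return "user-agent" not in names or len(names) <= 2


def triage(events):
    """Apply the three rules; return hits as dicts (rule, image, detail)."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and detect_self_deletion(ev["cmdline"]):
            hits.append({"rule": "self_deletion", "image": ev["image"], "detail": ev["cmdline"]})
        elif ev["type"] == "file" and detect_browser_store_access(ev["image"], ev["path"]):
            hits.append({"rule": "browser_store_access", "image": ev["image"], "detail": ev["path"]})
        elif ev["type"] == "http" and detect_raw_ip_php_c2(ev["url"], ev["headers"]):
            hits.append({"rule": "raw_ip_php_c2", "image": ev["image"], "detail": ev["url"]})
    return hits


# Constructed sample events (not real telemetry); the user name and drop path are made up
SAMPLE_EVENTS = [
    {"type": "process", "image": "cmd.exe", "parent": "Panda3D.exe",
     "cmdline": 'cmd.exe /c timeout /t 5 & del /f /q "C:\\Users\\alice\\Downloads\\Panda3D.exe"'},
    {"type": "file", "image": "4PjB1WqGxDre.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"},
    {"type": "file", "image": "chrome.exe",  # legitimate browser reading its own cookies
     "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    {"type": "http", "image": "4PjB1WqGxDre.exe", "method": "POST",
     "url": "http://178.16.54.175/98192667989749a8.php",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"type": "http", "image": "msedge.exe", "method": "GET",  # benign: DNS host, full headers
     "url": "https://www.example.com/index.php",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "text/html",
                 "Accept-Language": "en-US", "Connection": "keep-alive"}},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h['rule']}] {h['image']}: {h['detail']}")
```

Expect false positives from the browser-store rule on backup agents, password-manager importers, and some sync tools; maintain an allowlist keyed on signed image path rather than bare image name, since the report notes the child binaries spoofed metadata to look like Windows components. The raw-IP rule is a hunting lead rather than a blocking signature and is best combined with process lineage (a freshly dropped executable in Documents or ProgramData initiating the request).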
Containment & Remediation
- Block the identified IPs and URL paths at the network perimeter.
- Isolate affected hosts and collect memory for analysis.
- Reset credentials and invalidate tokens for impacted users.
- Deploy EDR rules for suspicious browser DB access and self‑deletion patterns.
- Educate users on the risks of cracked software and phishing.
#Juniper