{
	"id": "8618df86-aa15-419b-8a0d-b683c2c63ae1",
	"created_at": "2026-04-06T00:10:08.638666Z",
	"updated_at": "2026-04-10T03:21:02.236693Z",
	"deleted_at": null,
	"sha1_hash": "25fa5d7f02f8c1dabfd71f7f04691f89088d605d",
	"title": "#ShortAndMalicious: StrelaStealer aims for mail credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 670591,
	"plain_text": "#ShortAndMalicious: StrelaStealer aims for mail credentials\r\nBy DCSO CyTec Blog\r\nPublished: 2022-11-21 · Archived: 2026-04-05 20:13:29 UTC\r\nStrela surface-to-air missile launcher (Source: Wikipedia)\r\nIn our newest category #ShortAndMalicious, DCSO CyTec aims to briefly highlight new and interesting samples\r\nwe come across in our daily hunt for malware.\r\nFor the first entry in the series, we take a brief look at an undocumented custom malware we have been analysing\r\nunder the moniker “StrelaStealer” (“Стрела” == arrow), which appears to be purpose-built to steal mail login data.\r\nPDB path contained in StrelaStealer samples\r\nDCSO CyTec first discovered StrelaStealer in early November 2022, distributed via ISO files, with what appear to be\r\nSpanish targets judging by the lure documents used. It is unclear at this point in time whether StrelaStealer is part of a targeted\r\nattack.\r\nBlog authored by Johann Aydinbas and Axel Wauer.\r\nExecution via polyglot\r\nStrelaStealer samples are distributed in ISO files with varying content. In one instance, StrelaStealer uses a\r\nrenamed msinfo32.exe to sideload StrelaStealer as slc.dll. Another, more interesting variant distributes\r\nStrelaStealer as a DLL/HTML polyglot.\r\nhttps://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc\r\nPage 1 of 5\n\nPolyglot files are files that are valid as two or more different file formats. In this case, StrelaStealer uses a file\r\nthat is valid both as a DLL and as an HTML page.\r\nExecution of StrelaStealer via polyglot\r\nThe ISO file contains two files, Factura.lnk and the polyglot x.html file. The LNK file then executes\r\nx.html twice, once as a DLL and a second time as an HTML file.\r\nParsed LNK file — command to execute the polyglot\r\nInspecting x.html then shows that it simply contains HTML code appended to the DLL file:\r\nAppended HTML code\r\nDouble-clicking it opens the browser and displays the lure document:\r\nLure document rendered by Firefox\r\nMalware analysis\r\nStrelaStealer samples are DLL files, with the main functionality triggered by calling the main export function\r\nnamed Strela or s. While its code is not obfuscated, strings are encrypted with a cyclic xor with a hardcoded\r\nkey:\r\nHardcoded xor key\r\nOnce executed, StrelaStealer attempts to locate and steal mail login data from Thunderbird and Outlook.\r\nFor Thunderbird, StrelaStealer searches for logins.json and key4.db in the\r\n%APPDATA%\\Thunderbird\\Profiles\\ directory and sends the file contents to its C2.\r\nFor Outlook, StrelaStealer enumerates the registry\r\nkey HKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\ in\r\norder to find the values IMAP User, IMAP Server and IMAP Password. StrelaStealer then decrypts the IMAP\r\nPassword using CryptUnprotectData before sending the triple to its C2.\r\nCommunication\r\nCommunication is done using plain HTTP POSTs, with the payload encrypted using the same xor key as for the\r\nstrings. The C2 server and resource name are hardcoded, and so far all samples were configured for the same one:\r\nhxxp://193.106.191[.]166/server.php\r\nThe IP address is hosted on the known Russian bulletproof hosting provider “Kanzas LLC”, with the /24 likely being hosted in\r\nMoscow.\r\nStolen files from Thunderbird are sent home in the following format:\r\n[prefix \"FF\"]\r\n[DWORD size logins.json]\r\n[contents of logins.json]\r\n[contents of key4.db]\r\nOutlook data uses the following format:\r\n[prefix \"OL\"]\r\n[Server1,User1,Password1]\r\n[Server2,User2,Password2]\r\n...\r\nWhen sending home data, StrelaStealer checks whether the last two bytes of the response are KH, which appears to\r\nsignal a successful transfer and causes StrelaStealer to quit; otherwise it retries sending the data after a 1-second\r\nsleep.\r\nIoCs\r\nAs usual, you can find the IoCs below. We share a MISP event on our GitHub.\r\nsha256\r\nfa1295c746e268a3520485e94d1cecc77e98655a6f85d42879a3aeb401e5cf15\r\nc8eb6efc2cd0bd10d9fdd4f644ebbebdebaff376ece9e48ff502f973fe837820\r\n8b0d8651e035fcc91c39b3260c871342d1652c97b37c86f07a561828b652e907\r\n879ddb21573c5941f60f43921451e420842f1b0ff5d8eccabe11d95c7b9b281e\r\nb7e2e4df5cddcbf6c0cda0fb212be65dea2c442e06590461bf5a13821325e337\r\nd8d28aa1df354c7e0798279ed3fecad8effef8c523c701faaf9b5472d22a5e28\r\nac040049e0ddbcb529fb2573b6eced3cfaa6cd6061ce2e7a442f0ad67265e800\r\nbfc30cb876b45bc7c5e7686a41a155d791cd13309885cb6f9c05e001eca1d28a\r\n6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403\r\nc69bac4620dcf94acdee3b5e5bcd73b88142de285eea59500261536c1513ab86\r\nbe9f84b19f02f16b7d8a9148a68ad8728cc169668f2c59f918d019bce400d90e\r\n1437a2815fdb82c7e590c1e6f4b490a7cdc7ec81a6cb014cd3ff712304e4c9a3\r\nPdb path:\r\nC:\\Users\\admin\\source\\repos\\Dll1\\Release\\Dll1.pdb\r\n\"C:\\Users\\Serhii\\Documents\\Visual Studio 2008\\Projects\\StrelaDLLCompile\\Release\\StrelaDLLCompile.pdb\r\n193.106.191[.]166\r\nhxxp://193.106.191[.]166/server.php\r\nITW URL:\r\nhxxp://45.142.212[.]20/dll.dll\r\nMITRE ATT\u0026CK\r\nT1003 - Credential Dumping\r\nT1041 - Exfiltration Over C2 Channel\r\nT1041 - Exfiltration Over Command and Control Channel\r\nT1059.003 - Windows Command Shell\r\nT1071 - Standard Application Layer Protocol\r\nT1566.001 - Spearphishing Attachment\r\nT1574.002 - DLL Side-Loading\r\nSource: https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc"
	],
	"report_names": [
		"shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25fa5d7f02f8c1dabfd71f7f04691f89088d605d.pdf",
		"text": "https://archive.orkl.eu/25fa5d7f02f8c1dabfd71f7f04691f89088d605d.txt",
		"img": "https://archive.orkl.eu/25fa5d7f02f8c1dabfd71f7f04691f89088d605d.jpg"
	}
}