{
	"id": "2266a1a2-744d-4da6-abe6-2673fad60f61",
	"created_at": "2026-04-06T00:12:35.813116Z",
	"updated_at": "2026-04-10T13:11:23.738148Z",
	"deleted_at": null,
	"sha1_hash": "29294c745496545f527d96a8247ad66b08217f87",
	"title": "Stealc Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 189663,
	"plain_text": "Stealc Malware Analysis\r\nBy Glyc3rius\r\nPublished: 2023-10-03 · Archived: 2026-04-05 22:01:21 UTC\r\nStealc is just a typical information stealer written in C. The malware obfuscates its strings with base64 encoding and RC4 encryption and resolves its imported functions with the help of the PEB, while several anti-analysis and evasion techniques are also applied. It drops 7 additional third-party DLLs (such as sqlite3.dll) from the C2 server. The stealing procedure targets browsers, browser extensions, desktop cryptocurrency wallets and applications such as Outlook, Steam, Discord, Telegram, Tox, and Pidgin. It gathers information about the victim’s machine as well and, after it is all done, removes itself and the dropped DLLs from the computer.\r\nThe analysed sample’s SHA-256 is e978871a3a76c83f94e589fd22a91c7c1a58175ca5d2110b95d71b7805b25b8d.\r\nInside the disassembler, we discover two functions which contain likely important strings that are encoded with base64. After decoding them, we can conclude that an encryption mechanism is used as well. In search of it, an RC4 algorithm is found with its hard-coded key: 52129722198130874989795557381261264814249348323986. I decrypted these strings with a simple Python script.\r\nThe deobfuscated strings are:\r\nGetProcAddress\r\nLoadLibraryA\r\nlstrcatA\r\nOpenEventA\r\nCreateEventA\r\nCloseHandle\r\nSleep\r\nGetUserDefaultLangID\r\nVirtualAllocExNuma\r\nVirtualFree\r\nGetSystemInfo\r\nVirtualAlloc\r\nHeapAlloc\r\nGetComputerNameA\r\nlstrcpyA\r\nGetProcessHeap\r\nGetCurrentProcess\r\nlstrlenA\r\nExitProcess\r\nGlobalMemoryStatusEx\r\nGetSystemTime\r\nSystemTimeToFileTime\r\nadvapi32.dll\r\ngdi32.dll\r\nuser32.dll\r\ncrypt32.dll\r\nntdll.dll\r\nGetUserNameA\r\nCreateDCA\r\nGetDeviceCaps\r\nReleaseDC\r\nCryptStringToBinaryA\r\nsscanf\r\nVMwareVMware\r\nHAL9TH\r\nJohnDoe\r\nDISPLAY\r\n%hu/%hu/%hu\r\nhttp://185.106.94.206\r\n/4e815d9f1ec482dd.php\r\n/49171d9bb28d893a/\r\nGoogleMaps\r\nGetEnvironmentVariableA\r\nGetFileAttributesA\r\nGlobalLock\r\nHeapFree\r\nGetFileSize\r\nGlobalSize\r\nCreateToolhelp32Snapshot\r\nIsWow64Process\r\nProcess32Next\r\nGetLocalTime\r\nFreeLibrary\r\nGetTimeZoneInformation\r\nGetSystemPowerStatus\r\nGetVolumeInformationA\r\nGetWindowsDirectoryA\r\nProcess32First\r\nGetLocaleInfoA\r\nGetUserDefaultLocaleName\r\nGetModuleFileNameA\r\nDeleteFileA\r\nFindNextFileA\r\nLocalFree\r\nFindClose\r\nSetEnvironmentVariableA\r\nLocalAlloc\r\nGetFileSizeEx\r\nReadFile\r\nSetFilePointer\r\nWriteFile\r\nCreateFileA\r\nFindFirstFileA\r\nCopyFileA\r\nVirtualProtect\r\nGetLogicalProcessorInformationEx\r\nGetLastError\r\nlstrcpynA\r\nMultiByteToWideChar\r\nGlobalFree\r\nWideCharToMultiByte\r\nGlobalAlloc\r\nOpenProcess\r\nTerminateProcess\r\nGetCurrentProcessId\r\ngdiplus.dll\r\nole32.dll\r\nbcrypt.dll\r\nwininet.dll\r\nshlwapi.dll\r\nshell32.dll\r\npsapi.dll\r\nrstrtmgr.dll\r\nCreateCompatibleBitmap\r\nSelectObject\r\nBitBlt\r\nDeleteObject\r\nCreateCompatibleDC\r\nGdipGetImageEncodersSize\r\nGdipGetImageEncoders\r\nGdipCreateBitmapFromHBITMAP\r\nGdiplusStartup\r\nGdiplusShutdown\r\nGdipSaveImageToStream\r\nGdipDisposeImage\r\nGdipFree\r\nGetHGlobalFromStream\r\nCreateStreamOnHGlobal\r\nCoUninitialize\r\nCoInitialize\r\nCoCreateInstance\r\nBCryptGenerateSymmetricKey\r\nBCryptCloseAlgorithmProvider\r\nBCryptDecrypt\r\nBCryptSetProperty\r\nBCryptDestroyKey\r\nBCryptOpenAlgorithmProvider\r\nGetWindowRect\r\nGetDesktopWindow\r\nGetDC\r\nCloseWindow\r\nwsprintfA\r\nEnumDisplayDevicesA\r\nGetKeyboardLayoutList\r\nCharToOemW\r\nwsprintfW\r\nRegQueryValueExA\r\nRegEnumKeyExA\r\nRegOpenKeyExA\r\nRegCloseKey\r\nRegEnumValueA\r\nCryptBinaryToStringA\r\nCryptUnprotectData\r\nSHGetFolderPathA\r\nShellExecuteExA\r\nInternetOpenUrlA\r\nInternetConnectA\r\nInternetCloseHandle\r\nInternetOpenA\r\nHttpSendRequestA\r\nHttpOpenRequestA\r\nInternetReadFile\r\nInternetCrackUrlA\r\nStrCmpCA\r\nStrStrA\r\nStrCmpCW\r\nPathMatchSpecA\r\nGetModuleFileNameExA\r\nRmStartSession\r\nRmRegisterResources\r\nRmGetList\r\nRmEndSession\r\nsqlite3_open\r\nsqlite3_prepare_v2\r\nsqlite3_step\r\nsqlite3_column_text\r\nsqlite3_finalize\r\nsqlite3_close\r\nsqlite3_column_bytes\r\nsqlite3_column_blob\r\nencrypted_key\r\nPATH\r\nC:\\\\ProgramData\\\\nss3.dll\r\nNSS_Init\r\nNSS_Shutdown\r\nPK11_GetInternalKeySlot\r\nPK11_FreeSlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nC:\\\\ProgramData\\\\\r\nurl:\r\nSELECT origin_url, username_value, password_value FROM logins\r\nbrowser:\r\nprofile:\r\nlogin:\r\npassword:\r\nOpera\r\nOperaGX\r\nNetwork\r\ncookies\r\n.txt\r\nTRUE\r\nSELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies\r\nFALSE\r\nautofill\r\nSELECT name, value FROM autofill\r\nhistory\r\nSELECT url FROM urls LIMIT 1000\r\ncc\r\nname:\r\nSELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards\r\nmonth:\r\nyear:\r\ncard:\r\nCookies\r\nLogin Data\r\nWeb Data\r\nHistory\r\nlogins.json\r\nformSubmitURL\r\nusernameField\r\nencryptedUsername\r\nencryptedPassword\r\nguid\r\nSELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies\r\nSELECT fieldname, value FROM moz_formhistory\r\nSELECT url FROM moz_places LIMIT 1000\r\ncookies.sqlite\r\nformhistory.sqlite\r\nplaces.sqlite\r\nplugins\r\nLocal Extension Settings\r\nSync Extension Settings\r\nIndexedDB\r\nOpera Stable\r\nOpera GX Stable\r\nCURRENT\r\nchrome-extension_\r\n_0.indexeddb.leveldb\r\nLocal State\r\nprofiles.ini\r\nchrome\r\nopera\r\nfirefox\r\nwallets\r\n%08lX%04lX%lu\r\nSOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\r\nProductName\r\nx32\r\nx64\r\n%d/%d/%d %d:%d:%d\r\nHARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\0\r\nProcessorNameString\r\nDisplayName\r\nSOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\r\nDisplayVersion\r\nNetwork Info:\r\n\\t- IP: IP?\r\n\\t- Country: ISO?\r\nSystem Summary:\r\n\\t- HWID:\r\n\\t- OS:\r\n\\t- Architecture:\r\n\\t- UserName:\r\n\\t- Computer Name:\r\n\\t- Local Time:\r\n\\t- UTC:\r\n\\t- Language:\r\n\\t- Keyboards:\r\n\\t- Laptop:\r\n\\t- Running Path:\r\n\\t- CPU:\r\n\\t- Threads:\r\n\\t- Cores:\r\n\\t- RAM:\r\n\\t- Display Resolution:\r\n\\t- GPU:\r\nUser Agents:\r\nInstalled Apps:\r\nAll Users:\r\nCurrent User:\r\nProcess List:\r\nsystem_info.txt\r\nfreebl3.dll\r\nmozglue.dll\r\nmsvcp140.dll\r\nnss3.dll\r\nsoftokn3.dll\r\nvcruntime140.dll\r\n\\\\Temp\\\\\r\n.exe\r\nrunas\r\nopen\r\n/c start\r\n%DESKTOP%\r\n%APPDATA%\r\n%LOCALAPPDATA%\r\n%USERPROFILE%\r\n%DOCUMENTS%\r\n%PROGRAMFILES%\r\n%PROGRAMFILES_86%\r\n%RECENT%\r\n*.lnk\r\nfiles\r\n\\\\discord\\\\\r\n\\\\Local Storage\\\\leveldb\\\\CURRENT\r\n\\\\Local Storage\\\\leveldb\r\n\\\\Telegram Desktop\\\\\r\nkey_datas\r\nD877F783D5D3EF8C*\r\nmap*\r\nA7FDF864FBC10B77*\r\nA92DAA6EA6F891F2*\r\nF8806DD0C461824F*\r\nTelegram\r\nTox\r\n*.tox\r\n*.ini\r\nPassword\r\nSoftware\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows Messaging Subsystem\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A66\r\nSoftware\\\\Microsoft\\\\Office\\\\13.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\\\\\r\nPidgin\r\nSoftware\\\\Microsoft\\\\Office\\\\14.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\\\\\r\naccounts.xml\r\nSoftware\\\\Microsoft\\\\Office\\\\15.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\\\\\r\ndQw4w9WgXcQ\r\nSoftware\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\\\\\r\nssfn*\r\nSoftware\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676\\\\\r\n00000001\r\n00000002\r\n00000003\r\n00000004\r\n\\\\Outlook\\\\accounts.txt\r\n\\\\.purple\\\\\r\ntoken:\r\nSoftware\\\\Valve\\\\Steam\r\nSteamPath\r\n\\\\config\\\\\r\nconfig.vdf\r\nDialogConfig.vdf\r\nDialogConfigOverlay*.vdf\r\nlibraryfolders.vdf\r\nloginusers.vdf\r\n\\\\Steam\\\\\r\nsqlite3.dll\r\nbrowsers\r\ndone\r\nsoft\r\n\\\\Discord\\\\tokens.txt\r\n/c timeout /t 5 \u0026 del /f /q \"\r\n\" \u0026 del \"C:\\\\ProgramData\\\\*.dll\"\" \u0026 exit\r\nC:\\\\Windows\\\\system32\\\\cmd.exe\r\nhttps\r\nContent-Type: multipart/form-data; boundary=----\r\nPOST\r\nHTTP/1.1\r\nContent-Disposition: form-data; name=\"\r\nhwid\r\nbuild\r\ntoken\r\nfile_name\r\nfile\r\nmessage\r\nABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\r\nscreenshot.jpg\r\nStealc uses the Process Environment Block (PEB) to dynamically load libraries and to avoid antivirus detection. In this case, the malware uses the PEB as an obfuscation technique to hide Windows API libraries and their imported functions. Accessing the PEB structure can be described with the table below:\r\nOffset | Description\r\n1. FS:[offset ProcessEnvironmentBlock] | The equivalent of FS:[0x30], which means we access the PEB directly\r\n2. 0xc | Access to the LoaderData\r\n3. 0xc | Access to the InLoadOrderModuleList\r\n4. 0x18 | Access to the DllBase\r\nAmong the DllBase entries, the malware looks for the base address of kernel32.dll. After that it resolves the GetProcAddress function, which is then used to dynamically resolve the address of the LoadLibraryA function. Then, LoadLibraryA loads the additional DLLs that the malware utilizes, and their functions are also resolved with GetProcAddress dynamically.\r\nAnti-analysis and Evasion Methods\r\nFirst, Stealc checks the number of pixels the screen can show vertically and compares the GetDeviceCaps function’s return value to 666, which represents the screen height. In case the screen height is below 666 pixels, the malware stops execution (for example, if the screen resolution is 800x600 then ExitProcess is called, since 600 is lower than 666). This is a technique to avoid virtual machines with lower resolutions, which are not expected in a regular environment.\r\nIt checks whether the victim’s machine has a processor with at least 2 cores. 
If it doesn’t, the malware stops execution, since it assumes that the machine is in a virtualized environment.\r\nWith GlobalMemoryStatusEx, the malware retrieves information about the system’s physical and virtual memory. If the total physical memory is under 1111 MB, the malware calls the ExitProcess function. This check is meant to ensure that the malware is not running under a virtual machine.\r\nThe stealer also tries to allocate memory with VirtualAllocExNuma. It is an anti-emulator technique, since an AV emulator can’t perform this kind of allocation, making the API call fail. If the allocation doesn’t happen, the malware exits immediately.\r\nStealc checks the language ID of the current user with the GetUserDefaultLangID function, and if it returns one of the hexadecimal values from the table below, then the malware exits and won’t run on the victim’s computer.\r\nLanguage ID (Hex) | Country\r\n0x419 | Russia\r\n0x422 | Ukraine\r\n0x423 | Belarus\r\n0x43F | Kazakhstan\r\n0x443 | Uzbekistan\r\nIt calls GetComputerNameA and compares the result with HAL9TH, and GetUserNameA and compares the result with JohnDoe. Both of these values are used by the Microsoft Defender emulator, so comparing them to the victim’s computer name and username tells the malware whether it is running in a virtual or sandbox environment.\r\nBefore the malware starts its information stealing procedure, it downloads 7 DLLs from the C2 server: hxxp://185[.]106[.]94[.]206/49171d9bb28d893a/. These DLLs are: sqlite3.dll, nss3.dll, freebl3.dll, mozglue.dll, msvcp140.dll, softokn3.dll, vcruntime140.dll. All of them are valid third-party DLLs and they are placed within the C:\\ProgramData\\ folder, and all the stolen data is also stored under this path. The sqlite3.dll and nss3.dll are essential for the information stealing that Stealc performs. 
The imported functions of these two and their usage are represented in the tables below.\r\nsqlite3.dll, which is used to interact with SQLite databases in C/C++ applications:\r\nFunction | Usage\r\nsqlite3_open | Opens or creates a new SQLite database file\r\nsqlite3_prepare_v2 | Compiles an SQL statement into a prepared statement\r\nsqlite3_step | Executes a prepared statement one step at a time\r\nsqlite3_column_text | Retrieves the text value of a column in the current row of the result set\r\nsqlite3_finalize | Finalizes a prepared statement and releases associated resources\r\nsqlite3_close | Closes the SQLite database connection\r\nsqlite3_column_bytes | Retrieves the number of bytes in a column value in the current row of the result set\r\nsqlite3_column_blob | Retrieves a blob (binary) value from a column in the current row of the result set\r\nnss3.dll, which is associated with Firefox:\r\nFunction | Usage\r\nNSS_Init | Initializes the NSS library\r\nNSS_Shutdown | Cleans up and releases resources acquired during NSS initialization\r\nPK11_GetInternalKeySlot | Obtains a cryptographic slot\r\nPK11_FreeSlot | Releases the slot\r\nPK11_Authenticate | Authenticates a cryptographic module or unlocks a cryptographic token\r\nPK11SDR_Decrypt | Used for decrypting data using the NSS library\r\nStealc attempts to get the information from browsers that are based on Chromium, Opera, or Mozilla. The data related to Opera-based browsers (Opera, Opera GX) is exfiltrated the same way as the Chromium ones. The stolen information could include: login credentials, cookies, autofills, history and credit card details. The information stealer utilizes SQLite through the sqlite3.dll library and uses SQL queries with SELECT statements to get the victim’s data. 
In case of Mozilla-based applications, the nss3.dll library is also used to decrypt credentials.\r\nFirst, the malware searches the Local State JSON file to locate Chromium users, then it attempts to gain information from 5 databases:\r\n1. Login Data\r\n2. Web Data\r\n3. Cookies\r\n4. Network\r\n5. History\r\nBefore getting the information from these databases, the stealer needs to take care of the encrypted values that Chromium browsers have. First, it searches the Local State file and locates the key that is encoded with base64. This is decoded with the CryptStringToBinaryA function and its CRYPT_STRING_BASE64 parameter. Since this string contains 'DPAPI' (the name of one of the encryption methods) as a prefix of the key, the stealer has to drop this prefix so that it only decrypts the actual key string. Then it calls CryptUnprotectData and decrypts the actual key. Finally, the AES-GCM decryption is done with the BCryptDecrypt function. After these steps, the encrypted information from the SQLite databases is easily retrievable.\r\nThe SELECT origin_url, username_value, password_value FROM logins query gets the username and password values. The password_value is in an encrypted form and is decrypted with the method disclosed above.\r\nAfter the decryption, the information is saved in the following form:\r\nbrowser: %value%\\n\r\nprofile: %value%\\n\r\nurl: %url%\\n\r\nlogin: %username_value%\\n\r\npassword: %password_value%\\n\\n\r\nSELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies is the query to collect the cookies. The encrypted cookie value is decrypted with the described method and the stolen data is saved into cookies.txt. 
Inside the text file, each column is separated with a '\\t' (tab) and each cookie is separated with a '\\n' (newline) character.\r\nIn order to get the autofill information, the malware uses the SELECT name, value FROM autofill query. After that, it saves the stolen data into autofill.txt, where each autofill entry is separated with '\\n'.\r\nSELECT url FROM urls LIMIT 1000 gets the history data of the web browser. The LIMIT 1000 restricts the number of rows returned, so only the first 1000 results are collected. It saves the stolen data into history.txt and separates each URL with a '\\n'.\r\nThe SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards query collects the credit card details and saves the information to a text file called cc.txt. As the query suggests, the card number comes in an encrypted form, which is decrypted with the method above.\r\nAfter the decryption process, the card details are written in the following form to the text file:\r\nname: %name_on_card%\\n\r\nmonth: %expiration_month%\\n\r\nyear: %expiration_year%\\n\r\ncard: %card_number_decrypted%\\n\\n\r\nIn case of Mozilla-based browsers, the malware first checks the used profiles in the profiles.ini configuration file and targets them. It uses the nss3.dll and the sqlite3.dll libraries to steal data. The sqlite3.dll is used to extract the victim’s information with its functions disclosed above in the table. The information that it wants to obtain is: login credentials, cookies, autofills and history data.\r\nThe credentials are stored in logins.json. The stealer looks for the following 5 values inside the JSON file and extracts them: formSubmitURL, usernameField, encryptedUsername, encryptedPassword, guid. 
Since both the username and password values are encrypted, the stealer attempts to decrypt them with the help of the Network Security Services (NSS) library.\r\nThe decryption routine with the nss3.dll functions:\r\n1. PK11_GetInternalKeySlot –\u003e Obtains a cryptographic slot\r\n2. PK11_Authenticate –\u003e Authenticates a cryptographic module or unlocks a cryptographic token\r\n3. PK11SDR_Decrypt –\u003e Used for decrypting data\r\n4. PK11_FreeSlot –\u003e Releases the slot\r\nAfter the decryption, the stolen values are collected in the following form:\r\nbrowser: %guid%\\n\r\nprofile: %usernameField%\\n\r\nurl: %formSubmitURL%\\n\r\nlogin: %username%\\n\r\npassword: %password%\\n\\n\r\nThe applications’ cookies are stored in the cookies.sqlite database. It is extracted with the SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies query. The stealer collects information about the domain and path for which the cookie is valid, whether the cookie is “http only” and secure, the cookie’s expiration time, name and value. Then it is written in the cookies.txt file. Each column is separated with a '\\t' and each cookie is separated with a '\\n' character inside the text file.\r\nThe autofill information is kept in the formhistory.sqlite database, which remembers what the victim searched for in the Firefox search bar and what they’ve entered into forms on websites. It is extracted with the SELECT fieldname, value FROM moz_formhistory query and the stolen data is saved in the autofill.txt file. The fieldname and value columns are separated with a '\\t' and each autofill entry is on a new line ('\\n').\r\nThe history data can be found in the places.sqlite database, which contains the user’s Firefox bookmarks, downloaded files and visited websites. 
The SELECT url FROM moz_places LIMIT 1000 query is used to extract the URLs and returns the first 1000 rows. Then the retrieved information is written in the history.txt file, where each URL is separated with a '\\n' character.\r\nThe stealer also targets Chrome-based browser extensions. It searches for the following folders related to extensions:\r\nLocal Extension Settings —\u003e the configuration and settings specific to a particular Chrome extension\r\nSync Extension Settings —\u003e the settings of an extension that are synchronized across multiple devices\r\nIndexedDB\\chrome-extension__0.indexeddb.leveldb —\u003e where an extension might store data using IndexedDB, such as user preferences and cached content\r\nThe CURRENT value is also used to get the most recent information related to the extensions. Browser-based cryptocurrency wallets are therefore also at risk.\r\nStealc targets desktop cryptocurrency wallets as well. First, it searches for the wallets with the following file path: C:\\Users\\%user%\\AppData\\Roaming\\%WalletAppName%\\*.*. This is the default location of the applications that are associated with cryptocurrency wallets. The end value of *.* is a wildcard that returns all files with any filename and any file extension within the directory. The %WalletAppName% folder is a randomly generated string of 20 letters, such as AFHIEBKKFHIEGCAKECGH.\r\nMicrosoft’s email client Outlook is also targeted by the infostealer. 
It looks for registry paths to identify default Outlook profiles:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676\\\r\nUnder the 9375CFF0413111d3B88A00104B2A6676 key in the registry path, it searches for the subkeys 00000001, 00000002, 00000003, 00000004. The stealer enumerates these registry paths and, if it confirms that Outlook is installed, it targets the password of the victim’s account and attempts to decrypt it with the CryptUnprotectData function. After the extraction and decryption of the information, it saves the data into a text file: soft\\Outlook\\accounts.txt.\r\nIn case of Steam, the stealer first checks whether it can open the registry key at HKEY_CURRENT_USER\\Software\\Valve\\Steam. If it can be opened, that means the Steam application is available on the victim’s computer, and Stealc retrieves the Steam installation path from the SteamPath registry value. It also goes into the \\config\\ folder and extracts VDF (Valve Data Format) files such as config.vdf, DialogConfig.vdf, DialogConfigOverlay*.vdf, libraryfolders.vdf, loginusers.vdf and ssfn* as well. 
Finally, the exfiltrated data is written in the \\soft\\Steam folder.\r\nIn case of Discord, it looks for the \\Local Storage\\leveldb and the \\Local Storage\\leveldb\\CURRENT directories and targets Discord tokens. The tokens are encrypted and every one of them starts with this hard-coded string: dQw4w9WgXcQ. The actual token comes after that, and the stealer uses the following functions to decrypt it: CryptStringToBinaryA (from base64), CryptUnprotectData (DPAPI) and BCryptDecrypt (AES with GCM mode). After the decryption is done, it saves the stolen information in the \\soft\\Discord\\tokens.txt file.\r\nUnder the Telegram Desktop folder, the stealer searches for different subdirectory values like key_datas, D877F783D5D3EF8C*, map*, A7FDF864FBC10B77*, A92DAA6EA6F891F2*, F8806DD0C461824F*. The data stolen from the app is then placed in the \\soft\\Telegram folder.\r\nThe Tox application’s configuration files are also aimed at by the stealer. First, it looks for the \\Tox directory and, inside that, the *.tox and *.ini files.\r\nThe Pidgin messaging application is also aimed at by the stealer. It looks for the configuration directory of the app, which is %APPDATA%\\.purple. If it is located, inside the directory the stealer specifically seeks the accounts.xml file in order to gain information about the victim’s account and credentials.\r\nStealc also collects network information and a summary of the system, as well as user agents, installed apps, users, current user and process list. The network information consists of the victim’s IP address and their country’s ISO code. 
The stolen information is saved in the system_info.txt in the following manner:\r\nNetwork Info:\r\n\\t- IP: IP?\r\n\\t- Country: ISO?\r\n\\n\\n\r\nSystem Summary:\r\n\\t- HWID:\r\n\\t- OS:\r\n\\t- Architecture:\r\n\\t- UserName:\r\n\\t- Computer Name:\r\n\\t- Local Time:\r\n\\t- UTC:\r\n\\t- Language:\r\n\\t- Keyboards:\r\n\\t- Laptop:\r\n\\t- Running Path:\r\n\\t- CPU:\r\n\\t- Threads:\r\n\\t- Cores:\r\n\\t- RAM:\r\n\\t- Display Resolution:\r\n\\t- GPU:\r\nUser Agents:\r\nInstalled Apps:\r\nAll Users:\r\nCurrent User:\r\nProcess List:\r\nThe malware opens 3 registry paths with the functions RegOpenKeyExA and RegQueryValueExA in order to gain information about the victim’s machine:\r\n1. HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion gives information about the version and edition of the Windows NT operating system. The ProductName value queried with RegQueryValueExA carries the name or edition of the Windows NT operating system.\r\n2. The HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 registry path contains information about the CPU. The ProcessorNameString value queried with RegQueryValueExA returns the name or description of the CPU installed on the computer.\r\n3. The HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall path stores information about all of the software installed on the infected machine. The RegQueryValueExA function queries the DisplayName value, which retrieves the name of each program.\r\nIt also takes a screenshot of the desktop with the help of gdiplus.dll and saves it as screenshot.jpg.\r\nStealc sends multiple HTTP POST requests back to the hxxp://185.106.94[.]206/4e815d9f1ec482dd.php C2 server, which gives a response. 
Here are the 4 most important requests:\r\n1. browsers —\u003e web browser data\r\n2. plugins —\u003e browser extensions\r\n3. wallets —\u003e desktop cryptocurrency wallets\r\n4. files —\u003e file grabber\r\nThe 7 DLLs are also dropped from the C2 to the host, as already mentioned. The malware then gets the information related to the 4 requests and sends it back to the C2. The data from applications like Outlook, Steam, Discord, Tox and Pidgin, as well as the network and system information and the screenshot of the desktop, are also exfiltrated. Every configuration and all the gathered information are encoded in base64 during the HTTP communication.\r\nAfter the infostealer has finished its job by stealing the targeted information, it attempts to remove itself and the 7 imported third-party DLLs from the victim’s machine with the command below:\r\n\"C:\\Windows\\system32\\cmd.exe\" /c timeout /t 5 \u0026 del /f /q \"Malware_Path\" \u0026 del \"C:\\ProgramData\\*.dll\" \u0026 exit\r\nIOCs | Description\r\ne978871a3a76c83f94e589fd22a91c7c1a58175ca5d2110b95d71b7805b25b8d | Stealc Sample\r\nhxxp://185.106.94[.]206/4e815d9f1ec482dd.php | C2 Server\r\nSource: https://glyc3rius.github.io/2023/10/stealc/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://glyc3rius.github.io/2023/10/stealc/"
	],
	"report_names": [
		"stealc"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434355,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29294c745496545f527d96a8247ad66b08217f87.pdf",
		"text": "https://archive.orkl.eu/29294c745496545f527d96a8247ad66b08217f87.txt",
		"img": "https://archive.orkl.eu/29294c745496545f527d96a8247ad66b08217f87.jpg"
	}
}