{
	"id": "b423e7f1-674b-49ec-b55a-fb4a3a76d463",
	"created_at": "2026-04-06T00:11:18.496222Z",
	"updated_at": "2026-04-10T13:12:56.213016Z",
	"deleted_at": null,
	"sha1_hash": "2e240ee126667179e262676d7d2c4dd490bcca8f",
	"title": "StrelaStealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57295,
	"plain_text": "StrelaStealer\r\nPublished: 2023-05-07 · Archived: 2026-04-05 21:21:02 UTC\r\nAnalysis\r\nSample - November 2022\r\nbe9f84b19f02f16b7d8a9148a68ad8728cc169668f2c59f918d019bce400d90e\r\nWed Nov 2 08:50:41 2022 UTC\r\nString Decryption\r\nThe strings are encrypted with XOR using a hard coded key that resembles a GUID 4f3855aa-af7e-4fd2-b04e-55e63653d2f7\r\nIDA String Decrypt\r\nThe following can be used to highlight and decrypt strings in IDA.\r\nkey = b'4f3855aa-af7e-4fd2-b04e-55e63653d2f7'\r\ndef xor(data, key):\r\n out = []\r\n for i in range(len(data)):\r\n out.append(data[i] ^ key[i%len(key)])\r\n return bytes(out)\r\nstart = idc.read_selection_start()\r\nend = idc.read_selection_end()\r\nif idaapi.BADADDR in (start, end):\r\n ea = idc.here()\r\n start = idaapi.get_item_head(ea)\r\n end = idaapi.get_item_end(ea)\r\ndata = idc.get_bytes(start, end - start).encode('hex')\r\nout = xor(data, key)\r\nprint(out)\r\nHot-key Bind.\r\nhttps://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html\r\nPage 1 of 4\n\nimport ida_expr import ida_kernwin\r\nimport idc\r\nimport ida_bytes\r\nimport ida_kernwin\r\nida_expr.compile_idc_text('static n_key() { RunPythonStatement(\"nopping()\"); }')\r\nida_kernwin.add_idc_hotkey(\"Alt-N\", \"n_key\")\r\nC2 Comms\r\nThe harvested data is sent to the following hard coded C2 with a POST request.\r\nhttp[:]//193.106.191[.]166/server.php\r\nDecoy\r\nThe payload expects a x.pdf file to be present in the launch directory at runtime. This pdf is launched by the\r\nmalware as a decoy to trick the user into thinking they have only opened a PDF not launched an executable. The\r\nPDF is not dropped by the payload, instead the payload relies on the previous stage to deploy the PDF. This\r\ndirectly ties the payload to delivery stage which is unusual for malware that is sold, and indicates that this\r\nmalware is both developed and operated by the same actor.\r\ncmd /c start msedge x.pdf\r\nSample - April 2023\r\n61118d0f778c2f9b3a2bb3e37176ba6a13ee266c49b89dab7e187129f5c00887\r\nSun Apr 2 22:42:15 2023 UTC\r\nUpdates\r\nAll strings are now plaintext\r\nThe decoy has been simplified to launch an error message box rather than a PDF\r\nPE file not a DLL\r\nThe C2 comms are still encrypted with a hard coded XOR string 7a7dd62b-c4ea-4bbb-9f3f-2e6d58aada40\r\nC2\r\nhttp[:]//91[.]215.85.209/server.php\r\nDecoy\r\nhttps://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html\r\nPage 2 of 4\n\nThe new \"decoy\" no longer requires a PDF instead a message box is launched that says...\r\nEl archivo está dañado y no se puede ejecutar\r\nTranslated from Spanish this reads The file is damaged and cannot be executed , an attempt to trick the user\r\ninto thinking they can't open the lure. Based on the use of Spanish they are still targeting Spanish victims.\r\nPDB Tracking\r\nThe following PDB paths have been found in versions of Strela.\r\nC:\\Users\\Serhii\\Documents\\Visual Studio 2008\\Projects\\StrelaDLLCompile\\Release\\StrelaDLLCompile.pdb\r\nC:\\Users\\admin\\source\\repos\\Dll1\\Release\\Dll1.pdb\r\nC:\\Users\\Serhii\\Documents\\Visual Studio 2008\\Projects\\dll1\\Release\\dll1.pdb\r\nC:\\Users\\Serhii\\source\\repos\\WindowsProject1\\x64\\Release\\WindowsProject1.pdb\r\nPivoting from these PDB paths and searching through public malware repositories related samples have been\r\nrecovered indicating that the developer has been working on similar projects since at least 2022-01-23 21:58:42\r\n(sample d091cb30b4c19b24249af2648d8c43abd5390118d502b5041b5d89d2152a0d7a ).\r\nMalware in Development\r\nSome related samples are not malware but rather test code apparently used to test features in development. These\r\ninclude a sample 2F3A2B18252E39C5B95A199412D97916E6E2611F3A83EF7160E74AA959A41933 that appears to be\r\nsome type of putty.exe launcher using the local path C:\\\\Users\\\\Serhii\\\\Downloads\\\\putty.exe .\r\nC2 Tracking\r\nPerforming a revers lookup for the C2 IP 91.215.85[.]209 the following domains have been registered and\r\npoint to this IP. It is unclear what their purpose is.\r\nposts-fi[.[com\r\ncarrefours-tw[.]com\r\ndirecteredie[.]org\r\ndkpostnord[.]com\r\nfornying-skonto[.]com\r\nredisimple[.]com\r\nchunghwa-post[.]app\r\natuh-manor[.]com\r\npost-chunghwa-tw[.]app\r\npost-chunghwa-tw[.]com\r\ntibouton[.]org\r\ncarrefour-tw[.]com\r\npost-tw[.]app\r\nhttps://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html\r\nPage 3 of 4\n\nSource: https://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html\r\nhttps://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html"
	],
	"report_names": [
		"streala.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434278,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e240ee126667179e262676d7d2c4dd490bcca8f.pdf",
		"text": "https://archive.orkl.eu/2e240ee126667179e262676d7d2c4dd490bcca8f.txt",
		"img": "https://archive.orkl.eu/2e240ee126667179e262676d7d2c4dd490bcca8f.jpg"
	}
}