{
	"id": "28b52084-186f-4334-8761-232534cdbba8",
	"created_at": "2026-04-06T00:19:24.227291Z",
	"updated_at": "2026-04-10T03:20:35.12913Z",
	"deleted_at": null,
	"sha1_hash": "3a418591ee1e698f92573a8503473adc20ffb065",
	"title": "Updated StrelaStealer Targeting European Countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2719755,
	"plain_text": "Updated StrelaStealer Targeting European Countries\r\nPublished: 2024-04-02 · Archived: 2026-04-05 16:17:39 UTC\r\nOverview\r\nThe SonicWall Capture Labs threat research team has observed an updated variant of StrelaStealer. StrelaStealer is an\r\ninfostealer known for targeting Spanish-speaking users; it focuses on stealing email account credentials\r\nfrom Outlook and Thunderbird. StrelaStealer was reported in the wild in early November 2022. It has since\r\nbeen updated with an obfuscation technique and an anti-analysis technique.\r\nTechnical Analysis\r\nMD5: 1E37C3902284DD865C20220A9EF8B6A9\r\nSHA256: F2D7CF39392D394D6CCD0F9372DB7D486D4CB2BB6C3BBFD0D8BFBB6117A5E211\r\nThis updated version of the malware is delivered via JavaScript inside archive files attached to emails. The\r\ninitial vector is JavaScript, which drops a 64-bit executable file in the %userprofile% folder and executes the\r\nmalware process. We have observed StrelaStealer being delivered both as a 64-bit EXE and as a DLL via\r\nJavaScript. This blog covers the analysis of the 64-bit executable. This 64-bit executable is a\r\nwrapper that acts as a loader for the actual payload.\r\nIn the main 64-bit executable file, the data section holds an encryption key of size\r\n0x2714 bytes. The encoded payload is embedded in the data section immediately after the encryption key. The size of\r\nthe payload is 0x1C600. 
A single-byte XOR is applied to decrypt an encoded PE file from the data\r\nsection.\r\nhttps://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/\r\nPage 1 of 12\n\nFigure 1: Encryption key starts at offset 0x10 in the data section\r\nFigure 2: Obfuscated jumps\r\nFigure 3: Graph view of the obfuscated function\r\nFigure 4: Another graph view of the obfuscated function\r\nFigure 5: PEB parsing code fragments inside the jump code block\r\nThis obfuscation is quite effective. The anti-analysis techniques delay execution, and the analyst has to search for\r\nthe code fragments inside the jump blocks, which is a tedious task.\r\nAlong with the jump blocks and multiple loops, there are multiple dummy functions that do nothing but\r\nwaste time while the sample is being analyzed.\r\nFigure 6: Dummy functions inside nested jumps\r\nFigure 7: Dummy functions\r\nFigure 8: XOR decryption of the encoded payload\r\nOnce it has decrypted the payload, it reads the encoded API string array located at the end of the encoded payload embedded in\r\nthe data section. Within the payload, the first DWORD is the size of the array, followed by the API function array.\r\nThis array is 0x52 bytes in size, and the encryption key used earlier to decrypt the payload is also used to\r\ndecrypt the API array. 
The only difference between the decryption of the payload and of the array is that the malware uses an\r\nencryption key of 0x52 bytes starting at offset 4 of the encryption key.\r\nFigure 9: Encoded API array\r\nFigure 10: Malware calculates the start offset of the encoded API string and starts decrypting it\r\nFigure 11: API array after XOR decryption\r\nIt accesses the PEB structure and parses it to get the list of modules loaded in process memory.\r\nThe following is an example of the instruction sequence used to parse the PEB.\r\nFigure 11B: Instructions\r\nHere InLoadOrderModuleList is a doubly-linked list that contains the loaded modules for the process.\r\nThe malware parses this “InLoadOrderModuleList” to get the image base address of kernel32.dll with the goal of\r\nresolving the VirtualAlloc API. Then the malware parses the PE structure of kernel32.dll to get the name of\r\neach exported function and matches them against the API strings decrypted earlier from the 0x52-byte array. If an\r\nAPI name matches an exported function name, the malware reads the associated function RVA from the\r\nexport directory and adds it to the image base of kernel32.dll. Using this method, the malware resolves each API\r\ndynamically. It resolves 4 APIs here: VirtualAlloc, LoadLibraryA, GetProcAddress and\r\nMessageBoxTimeoutA. 
Once it has finished resolving the APIs, the malware shows an error message box and\r\nthen continues execution.\r\nNow the malware calls the “VirtualAlloc” API to allocate memory in the process and starts its task as a loader to\r\nload the actual payload.\r\nThe malware parses the PE file structure of the payload in the data section, where it previously decrypted\r\nthe PE file, and reads each section header one by one.\r\nTo map the image according to the section alignment, it reads the virtual address of each section, adds it to the\r\nimage base of the injected PE, and copies each section's data to that offset in memory.\r\nThe malware does not copy the PE header to the injected PE; this is done intentionally to evade\r\ndetection by AV products.\r\nIt reads the relocation section and applies the fixups, since the image is loaded at a different base address in\r\nmemory.\r\nIt reads the import address table of the payload file from the data section, resolves each API\r\naddress dynamically using the “LoadLibraryA” and “GetProcAddress” APIs, and copies all of these function\r\npointers into the IAT of the injected payload.\r\nWhen the injected PE file is ready for execution, it reads the RVA of the entry point\r\nfrom the PE file in the data section, adds the base address of the injected payload, and redirects execution\r\nto the injected code.\r\nFigure 12: Configuration setting for the payload\r\nThe injected payload is a 64-bit executable file. It calls the “GetKeyboardLayout” API and checks the low\r\nword of the return value against values hardcoded in the binary. It checks whether the keyboard layout belongs to one of the\r\nfollowing countries. 
If it does, the malware continues execution; otherwise it terminates itself.\r\nLanguage Location (or type) Language ID\r\nGerman Germany 0x0407\r\nSpanish Spain 0x040A\r\nSpanish Spain 0x0C0A\r\nCatalan Spain 0x0403\r\nBasque Spain 0x042D\r\nItalian Italy 0x0410\r\nPolish Poland 0x0415\r\nFigure 13: Call to the “GetKeyboardLayout” API and check of language identifiers\r\nNext, the payload retrieves the computer name by calling the “GetComputerNameA” API and encrypts the first 4\r\nbytes of the computer name string using single-byte XOR encryption. The encryption key is “MIR24”, which is\r\nhardcoded in the binary. It creates a Mutex named with this partially encrypted computer name string. If the\r\nMutex already exists, it terminates.\r\nFigure 14: Creating a Mutex and executing the core functionality to steal data from the infected machine\r\nAs we can see in Figure 14, it executes the function that steals confidential data from the infected\r\nmachine.\r\nWe found two such functions in the malware. The first steals data from Mozilla Thunderbird, which\r\nis a free and open-source email client. The other function steals data from Outlook.\r\nIt searches for the folder path “C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Thunderbird\\Profiles\\”\r\nAll of your data, such as messages, passwords and user preferences, as well as changes made while you use\r\nThunderbird, are stored in a special folder called the profile.\r\nIf it finds this folder path on the system, it calls the FindFirstFileA and FindNextFileA APIs to search\r\nfor two files in the subdirectory. 
The first is “logins.json” (accounts and passwords) and the second is\r\n“key4.db” (password database).\r\nIt reads the data from both of these files, appends the second file's data to the first, and then starts network\r\ncommunication.\r\nIt establishes a connection to its server and prepares an HTTP POST request with the user-agent “Mozilla/5.0\r\n(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113\r\nSafari/537.36”, then exfiltrates this data to its server at\r\nhttp[:]//45[.]9[.]74.12/server.php\r\nThe server IP is hardcoded in the binary: “45.9.74[.]12”\r\nBefore sending data to the server, it encrypts the data with single-byte XOR encryption. The encryption\r\nkey is hardcoded in the binary: “00ca8abe-6ab2-4b10-97c8-925934cf0423”\r\nFigure 15: Searches for the “logins.json” and “key4.db” files in the profile folder\r\nFigure 16: StrelaStealer expecting the response from its server\r\nWe analysed the second function statically: it reads a Windows registry key, enumerates the data under it\r\nand tries to locate the 'IMAP User', 'IMAP Server' and 'IMAP Password' values.\r\nThe IMAP Password value contains the user password in encrypted form. 
The malware calls the\r\nWindows “CryptUnprotectData” API to decrypt it.\r\nThe following registry key is enumerated to steal Outlook data:\r\n“SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\”\r\nFigure 17: Outlook registry key enumerated to steal data from the infected machine\r\nFigure 18: Network communication with the server\r\nThe archive file could not be found in any of the popular threat intelligence sharing portals such as VirusTotal at the time\r\nof writing this blog.\r\nFigure 19: File is not available on VirusTotal\r\nThis threat is detected by SonicWall Capture ATP w/RTDMI. Evidence of the detection by our RTDMI engine\r\ncan be seen below in the Capture ATP report for this file.\r\nFigure 20: Capture report\r\nIOCs\r\nArchive file\r\nMD5: ca4797bf995c91864c8b290ebd4e1c7b\r\nSHA256: 74f21472fed71aaccbd60b34615a8390725cbab6cb25bbc6a51bd723ff8bd01a\r\nJavaScript (initial vector)\r\nMD5: C235CE3765F9B1606BDA81E96B71C23B\r\nSHA256: E083662C896C47064FD47411D47459BF4B1CB26847B5D26AEDD7F9D701CABD43\r\nMain 64-bit executable file\r\nMD5: 1E37C3902284DD865C20220A9EF8B6A9\r\nSHA256: F2D7CF39392D394D6CCD0F9372DB7D486D4CB2BB6C3BBFD0D8BFBB6117A5E211\r\nInjected 64-bit payload\r\nMD5: 95F51B48FB079ED4E5F3499D45B7F14E\r\nSHA256: C02BB26582576261645271763A17DE925C2D90D430E723204BAEC82030DC889A\r\nServer IP: “45[.]9.74[.]12”\r\nSource: https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/"
	],
	"report_names": [
		"updated-strelastealer-targeting-european-countries"
	],
	"threat_actors": [],
	"ts_created_at": 1775434764,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a418591ee1e698f92573a8503473adc20ffb065.pdf",
		"text": "https://archive.orkl.eu/3a418591ee1e698f92573a8503473adc20ffb065.txt",
		"img": "https://archive.orkl.eu/3a418591ee1e698f92573a8503473adc20ffb065.jpg"
	}
}