{
	"id": "2e674d38-3927-472a-9169-aa8e4c6ff948",
	"created_at": "2026-04-06T00:14:58.753581Z",
	"updated_at": "2026-04-10T13:13:03.272218Z",
	"deleted_at": null,
	"sha1_hash": "af63d6c76d40b824677eb0a9fb57765ce362dff8",
	"title": "Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1322537,
	"plain_text": "Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity\r\n– Part 2\r\nBy Pierre Le Bourhis, Quentin Bourgue and Sekoia TDR\r\nPublished: 2023-02-27 · Archived: 2026-04-05 13:17:38 UTC\r\nTable of contents\r\nContext\r\nMalware analysis\r\nAnti analysis\r\nMain function overview\r\nDefeating string encryption\r\nDynamic API resolution\r\nEnvironment detection \u0026 checks\r\nMiscellaneous functionalities\r\nCommand and Control communication\r\nNext Stage\r\nTrace removal\r\nConclusion\r\nAnnex 1 – Configuration extraction\r\nAnnex 2 – IDA script for string deobfuscation\r\nContext\r\nThis report is a follow-up to the previous blog post on Stealc. Stealc is an information stealer advertised on the\r\nunderground forums XSS, Exploit and BHF by the Plymouth threat actor. In this blog post, we focus on the technical\r\nanalysis of a standalone sample. Similarities were observed with Vidar, Raccoon and Mars stealers during the reverse\r\nengineering phase.\r\nThe functionalities implemented in Stealc, including environment detection, anti-analysis, string obfuscation, dynamic API\r\nresolution and a significant list of targeted browsers, extensions, wallets and installed software, make it a top-tier threat within\r\nthe infostealer ecosystem.\r\nMalware analysis\r\nThe next sections list the different techniques observed during the reverse engineering of Stealc, providing detailed\r\nexplanations of Stealc operations and behaviors.
\r\nAll details of the infection chain, distribution and tracking of this threat were provided in part 1.\r\nThe Stealc sample SHA-256 used for the analysis is: 77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d\r\nThe Stealc sample SHA-256 with a next stage configured is:\r\n1587857ad744c322a2b32731cdd48d98eac13f8aa8ff2f2afb01ebba88d15359\r\nAnti analysis\r\nThe malware implements anti-analysis techniques by adding unconditional jumps to a nearby offset, confusing the\r\ndecompiler, which cannot resolve the targeted function.\r\nAs shown in figure 1, the decompiler analyzed a function with multiple jump instructions (jz, jnz opcodes) whose\r\ndestination address is the next address plus an offset of 1 or 2 (depending on the case). As a result, the\r\ndecompiler makes an incorrect assumption and does not decompile the function.\r\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/\r\nPage 1 of 12\n\nFigure 1. Wrong disassembly of the main function due to the anti-analysis technique implemented in Stealc\r\nBy undefining the location and patching the byte preceding it with a NOP instruction, the function can be rebuilt and\r\ndecompilers work properly. When applying this technique, the decompiled opcodes are the following:\r\nFigure 2. Patched function that can be correctly decompiled by IDA\r\nHere, the instruction mov eax, 9DE9h (B8 E8 9D 00 00) is wrongly disassembled because of the location+1. Undefining\r\nthe location, replacing the B8 of the mov instruction by a NOP (0x90) and re-defining the beginning of the next instruction at\r\nE8 results in the correct disassembly of this code section.\r\nFigure 3. 
Jump in the middle trick patching example\r\nMain function overview\r\nFollowing the patching of the sample, the main function of Stealc shows similarities to those analyzed in the Raccoon and\r\nMars stealer reverse-engineering reports, notably in terms of operation order and techniques used.\r\nFigure 4. Main function overview\r\nThe execution flow of Stealc is straightforward: it first deobfuscates the strings used for the subsequent dynamic API resolution.\r\nThen, it performs various checks on the infected host to exit on particular conditions; it also checks the amount of RAM\r\nand whether it is executed by an antivirus solution. Finally, it verifies that the current date precedes the hardcoded one.\r\nAfter this initial setup and detection, the malware goes to the function responsible for the C2 interaction, in which the\r\nstealer configuration is downloaded and data are exfiltrated.\r\nDefeating string encryption\r\nThe malware stores its strings and part of its configuration in obfuscated form. Stealc data are RC4-encrypted and\r\nbase64-encoded. The key for decryption is stored in the PE in cleartext, as seen in the first variable assignment in figure 5.\r\nFigure 5. Base64 decoding and RC4 decryption function\r\nFor further analysis, an IDA script to decrypt the strings and assign their value to the correct DWORD is provided in annex\r\n2.\r\nDynamic API resolution\r\nTo reduce its detection rate by antivirus solutions, Stealc uses the Dynamic API Resolution (T1027.007) technique. To do so,\r\nthe malware searches for the kernel32 base address using the PE header structure and goes through\r\nLDR_DATA_TABLE_ENTRY. 
Then, it iterates over the table until it matches the GetProcAddress function and returns the\r\naddress of the dedicated entry.\r\nFigure 6. Debugging of the search for GetProcAddress in Kernel32.dll\r\nIn figure 6, register EAX is used to store the kernel32 base address:\r\n1. fs:[30h] holds the address of the ProcessEnvironmentBlock (PEB) member of the ThreadEnvironmentBlock\r\n(TEB) structure;\r\n2. The offset 0xC of the PEB structure is the LDR_DATA structure member that contains a pointer to the\r\nInMemoryOrderModuleList member;\r\n3. InMemoryOrderModuleList is a structure of type LIST_ENTRY whose entries' DllBase member is a pointer to kernel32 (see\r\nfigure 6).\r\nOnce the malware obtains the address of GetProcAddress, it loads the function LoadLibrary and other functions from\r\nkernel32 including OpenEventA, CreateEventA, Sleep, VirtualAlloc, etc.\r\nLoadLibrary is used to load the advapi32, gdi32, user32, crypt32 and ntdll DLLs; only specific functions of these libraries are\r\nloaded afterwards.\r\nFigure 7. Extract of the function used to load extra libraries and their methods\r\nEnvironment detection \u0026 checks\r\nStealc attempts to detect its environment for two purposes:\r\n1. Exit in particular conditions (sandbox environment, unwanted location, etc.)\r\n2. Host fingerprinting\r\nThe malware implements the following exit conditions:\r\nUsername is JohnDoe (Windows Defender emulator default username);\r\nHostname is HAL9TH (Windows Defender emulator default hostname);\r\nConfigured language is Russian;\r\nExpiration date is overdue: a date is hardcoded in the binary and, if this date has passed, the malware exits. 
This is almost\r\ncertainly a functionality added to the build by the developer(s) as part of their business model;\r\nSection .text is not writable (by default Stealc configures its .text section with write permission);\r\nRAM capacity is below 1 GB;\r\nNo display is configured.\r\nMiscellaneous functionalities\r\nStealc also implements functionalities common to other malware of the stealer family. It has the capability to take a\r\nscreenshot of the infected host and to fingerprint the infected machine. To retrieve this information, the sample queries the\r\nsuitable registry keys and interacts with the Windows API.\r\nThe fingerprinted information is:\r\nPublic IP address;\r\nGeolocation;\r\nHardware ID;\r\nOperating System version;\r\nArchitecture;\r\nUsername;\r\nComputer name;\r\nLocal time;\r\nLanguage;\r\nKeyboard layout;\r\nPhysical resources: CPU (core, name), RAM, number of threads, display resolution and GPU driver;\r\nList of running processes;\r\nList of installed applications.\r\nCommand and Control communication\r\nThe malware communicates over HTTP; data are sent in POST requests that use a multipart form structure whose forms carry the\r\nstolen data encoded in base64.\r\nIn the first interaction, the infected host sends its HWID (hardware ID) and its build name (the value is “default”).\r\nThe server responds with the following base64 string:\r\nMWZjZTYzMTFhZDg1NmUzYTVjNTQ5OTQ0NDU0NWJmOGJjNjc2MDc0YTY3ZWIwZDJiMmZiNTQwMWE4OTMxODM3Y2NiZDlhMTllfGlzZ\r\nThe decoded content from the base64 format is:\r\n1fce6311ad856e3a5c5499444545bf8bc676074a67eb0d2b2fb5401a8931837ccbd9a19e|isdone|docia.docx|1|1|0|1|1|1|1|1|\r\nThe first hash is, in fact, an identifier used as a token for all communications, and is sent in a dedicated form for each\r\nmessage. 
\r\nThe early communications of the malware aim at downloading the configuration of the stealer, for instance the path and file\r\npatterns to look for on the infected host, the wallets or extensions to search, etc.\r\nThe stealer gets its configuration from the C2 with a POST request carrying two forms. The form name “message”\r\nindicates which type of data will be sent; it can be “browser”, “plugin”, “wallets” or “files”. The structure of the C2\r\nresponse (for the configuration) is always the same: data are concatenated with the pipe character | (see figure 9).\r\nIt repeats this same operation for each browser, their extensions, the wallets and the installed applications.\r\nThe list of targeted assets is provided in part 1 of the Stealc analysis, in annex 1 – Stealc capabilities.\r\nFigure 8. Downloaded configuration encoded in base64\r\nAfter downloading the bot configuration, the stealer sends the fingerprinted information (see section Miscellaneous\r\nfunctionalities for the list of fingerprinted information that is exfiltrated).\r\nThe table below displays communications between the infected host and the Stealc C2.\r\nRequest | Request forms | Response | Functionality\r\nRegister infected host and download configuration\r\nPOST main URL | hwid, build name | token | -\r\nPOST main URL | token, message=\"browsers\" | browsers configuration | configure the browsers stealing operation\r\nPOST main URL | token, message=\"plugins\" | plugins configuration | configure the plugins stealing operation\r\nPOST main URL | token, host fingerprint (RAM, OS, apps, etc.) | - | -\r\nTarget Chromium-based browsers (e.g. Chrome, Chromium, Edge)\r\nGET DLLs URL | sqlite3.dll | - | download sqlite3.dll\r\nPOST main URL | token, file_name, file | - | Chrome cookies\r\nPOST main URL | token, file_name, file | - | Chrome history\r\nPOST main URL | token, file_name, file | - | Chrome extensions (each file exfiltrated separately)\r\nGET DLLs URL | freebl3.dll | - | download freebl3.dll\r\nGET DLLs URL | mozglue.dll | - | download mozglue.dll\r\nGET DLLs URL | msvcp140.dll | - | download msvcp140.dll\r\nGET DLLs URL | nss3.dll | - | download nss3.dll\r\nGET DLLs URL | softokn3.dll | - | download softokn3.dll\r\nGET DLLs URL | vcruntime140.dll | - | download vcruntime140.dll\r\nTarget Firefox-based browsers: repeat the actions executed for Chromium-based browsers\r\nTarget Opera-based browsers: same actions as executed for Chromium-based browsers\r\nPOST main URL | token, message=\"wallets\" | list of targeted wallets | configure the wallets stealing operation\r\nPOST main URL | token, message=\"files\" | file grabber configuration | configure the file grabber\r\nPOST main URL | token, file_name, file | - | exfiltrate each file matching the grabber configuration\r\nTarget desktop applications: Outlook, Steam, Tox, Pidgin, Discord, Telegram\r\nPOST main URL | token, file_name, file | - | send the screenshot\r\nPOST main URL | token, message=isdone | next stage URL | get the URL of the next stage to execute\r\nGET URL unrelated to Stealc infrastructure | - | executable | download the next stage\r\nTable 1. Table of Stealc’s HTTP communications with the C2\r\nmain URL: 752e382b4dcf5e3f.php\r\nDLLs URL: /dbe4ef521ee4cc21/\r\nFor each browser, wallet and plugin, the same actions are repeated and the forms are the same. 
The last communication is\r\noptional: this request is sent only if Stealc has a next stage configured on its panel.\r\nFile grabber\r\nAfter stealing data from targeted browsers and their extensions, the stealer uses its file grabber functionality. The grabber\r\nconfiguration is received from the C2 and is formatted as follows:\r\nstandart|%DESKTOP%\\\\|*.txt,*.doc,*.docx,*.xls|7000|1|0|\r\nThe structure of the configuration is the following: first a name, then a directory or a shortcut to a directory (here the\r\ndesktop), thirdly a list of file extensions that the malware wants to exfiltrate and finally the maximum size. We also identified\r\n2 extra parameters that were not useful for the analysis.\r\nIn case the file name and path match the grabber filters, the file is exfiltrated in a POST request to the C2 with three forms.\r\nForm ID | Form name | Form value\r\n1 | token | The token value provided by the C2 in the earlier communication\r\n2 | file_name | The full path to the stolen file, encoded in base64\r\n3 | file | The file content, encoded in base64\r\nTable 2. List of forms and their content when conditions for exfiltration are met\r\nFigure 9. Example of a file exfiltrated by the file grabber\r\nDLLs loading\r\nTo access particular files or data, Stealc requires external DLLs that are not embedded in the PE but rather downloaded from\r\na specific URL hosted by the C2. The downloaded DLLs are:\r\n1. sqlite3.dll\r\n2. freebl3.dll\r\n3. mozglue.dll\r\n4. msvcp140.dll\r\n5. nss3.dll\r\n6. softokn3.dll\r\n7. vcruntime140.dll\r\nThe DLLs are all written in the C:\\ProgramData\\ directory and are then loaded (TTP: Shared Module: T1129). Of note, only\r\nspecific functions are loaded by the malware.\r\nFigure 10. 
Sqlite3.dll function loading\r\nAfter loading the required functionalities from the DLLs, Stealc uses them to access data of interest. Similarly, when\r\ntargeted data is found on the infected host, it is sent to the C2 using a POST request with the data encoded in base64.\r\nAs described in this section, Stealc can be noisy in case many files are exfiltrated to the C2.\r\nNext Stage\r\nLike other analysed stealers that were observed upgrading their set of functionalities, Stealc is also able to download and execute a next\r\nstage payload. The next stage is configured by the request containing the form “isdone” or “done”, depending on the sample.\r\nThe C2 responds with base64-encoded data containing the URL of the next stage to download.\r\nThe sample (Stealc SHA-256: 1587857ad744c322a2b32731cdd48d98eac13f8aa8ff2f2afb01ebba88d15359) is configured to\r\nexecute a next stage which is a Laplas Clipper. Here is the response of the Stealc C2 to configure the next stage: the next payload\r\nis configured by a URL that Stealc downloads and executes (see figure 15).\r\nFigure 11. Next stage configuration\r\nFigure 12. Decompiled function for the execution and download of the next\r\nTrace removal\r\nStealc attempts to reduce its infection traces by removing itself and its downloaded DLLs (T1070.004) with the following\r\none-line command:\r\ncmd.exe /c timeout /t 5 \u0026 del /f /q \"$STEALERPATH\" \u0026 del \"C:\\ProgramData\\*.dll\" \u0026 exit\r\nThe command is executed with a basic ShellExecuteA function from Shell32.dll.\r\nConclusion\r\nStealc displays all the functionalities and behaviors needed to be a viable tool in the information stealer catalog, and will almost\r\ncertainly be incorporated in multiple intrusion sets’ toolsets, either as a shift or an expansion of their capabilities. 
Based on\r\nobserved similarities between Stealc and other malware of the infostealer family, notably Raccoon and Mars stealer,\r\nSEKOIA.IO analysts assess it is likely a confirmation of the transmission and circulation of knowledge, including source\r\ncode, and of human resources, in the Russian-speaking cybercriminal ecosystem.\r\nSEKOIA.IO analysts expect that the Stealc developer will almost certainly continue to update the stealer with new and/or improved\r\nfeatures in the near term to meet customers’ expectations and expand its customer base. To provide our customers with\r\nactionable intelligence, SEKOIA.IO analysts will continue to monitor emerging and prevalent infostealers, including Stealc.\r\nAnnex 1 – Configuration extraction\r\nAs introduced in the string obfuscation section, Stealc embeds the address of the C2 and its different URLs in the rdata\r\nsection of the PE.\r\nBased on our observations, the script should meet the following requirements:\r\n1. Retrieve the RC4 key in rdata;\r\n2. Deobfuscate the strings until all patterns related to the C2 are spotted.\r\nThe RC4 key is hardcoded in the PE in cleartext and is 20 bytes long. 
Stealc C2 information is\r\nstored with the following structure:\r\nC2 base URL: http://\u003cip or domain\u003e or https://\u003cip or domain\u003e;\r\nC2 URL resource, which is a random string ending with the .php extension;\r\nC2 directory name where the DLLs are hosted (nss3.dll, sqlite3.dll, etc.).\r\nThe provided configuration extractor simply loops over that section to find the patterns described previously.\r\nfrom base64 import b64decode\r\nfrom pefile import PE, SectionStructure\r\nfrom cryptography.hazmat.primitives.ciphers import Cipher, algorithms\r\n\r\n\r\nclass Stealc:\r\n    \"\"\"Stealc configuration\"\"\"\r\n\r\n    rc4_key: bytes = b\"\"\r\n    base_url: str = \"\"\r\n    endpoint_url: str = \"\"\r\n    dlls_directory: str = \"\"\r\n\r\n    def __str__(self):\r\n        out = f\"Stealc RC4 key: {self.rc4_key}\\n\"\r\n        out += \"Stealc Command and Control:\\n\"\r\n        out += f\"\\t- {''.join([self.base_url, self.endpoint_url])}\\n\"\r\n        out += f\"\\t- {''.join([self.base_url, self.dlls_directory])}\\n\"\r\n        return out\r\n\r\n    def rc4_decrypt(self, data: bytes) -\u003e bytes:\r\n        \"\"\"Decrypt RC4 data with the provided key.\"\"\"\r\n        algorithm = algorithms.ARC4(self.rc4_key)\r\n        cipher = Cipher(algorithm, mode=None)\r\n        decryptor = cipher.decryptor()\r\n        return decryptor.update(data)\r\n\r\n\r\ndef get_section(pe: PE, section_name: str) -\u003e SectionStructure:\r\n    \"\"\"Return a section by name; if not found, raise a KeyError exception.\"\"\"\r\n    for section in filter(\r\n        lambda x: x.Name.startswith(section_name.encode()), pe.sections\r\n    ):\r\n        return section\r\n    available_sections = \", \".join(\r\n        [_sec.Name.replace(b\"\\x00\", b\"\").decode() for _sec in pe.sections]\r\n    )\r\n    raise KeyError(\r\n        f\"{section_name} not found in the PE, available sections: {available_sections}\"\r\n    )\r\n\r\n\r\ndef get_rdata(pe_path: str) -\u003e SectionStructure:\r\n    \"\"\"Extract the Stealc .rdata section.\"\"\"\r\n    pe = PE(pe_path)\r\n    section_rdata = get_section(pe, \".rdata\")\r\n    return section_rdata\r\n\r\n\r\ndef is_valid_string(data: bytes) -\u003e bool:\r\n    \"\"\"True when every byte is in the printable range '+' (43) to 'z' (122), which covers base64 text.\"\"\"\r\n    return all(43 \u003c= x \u003c= 122 for x in data)\r\n\r\n\r\ndef search_Command_and_Control(stealc: Stealc, rdata_section: SectionStructure):\r\n    \"\"\"\r\n    Search two types of strings in the rdata section of Stealc:\r\n    1. The RC4 key, which is 20 bytes long;\r\n    2. Strings matching the way Stealc stores its C2 configuration (these strings are decoded: base64 decode + RC4 decrypt).\r\n    This works for the Stealc version at least until 15 Feb 2023 but could change in new versions...\r\n    2.1 base url (`http://something...` or `https://something...`)\r\n    2.2 endpoint which ends with `.php`\r\n    2.3 DLLs directory starts and ends with `/` (eg: `/something_random/`)\r\n    \"\"\"\r\n    for string in filter(\r\n        lambda x: x and is_valid_string(x), rdata_section.get_data().split(b\"\\x00\" * 2)\r\n    ):\r\n        if len(string) == 20 and not stealc.rc4_key:\r\n            # Hopefully the RC4 key is stored at the beginning of the rdata section\r\n            stealc.rc4_key = string\r\n            print(f\"[+] RC4 key found: {stealc.rc4_key}\")\r\n        if stealc.rc4_key and string != stealc.rc4_key:\r\n            try:\r\n                cleartext = stealc.rc4_decrypt(b64decode(string))\r\n                # print(f\"{string.decode():\u003c40} {cleartext}\")\r\n                if cleartext.startswith(b\"http://\") or cleartext.startswith(\r\n                    b\"https://\"\r\n                ):\r\n                    print(\"[+] Found Stealc Command and Control\")\r\n                    stealc.base_url = cleartext.decode()\r\n                elif cleartext.startswith(b\"/\") and cleartext.endswith(b\"/\"):\r\n                    print(\"[+] Found DLLs URL directory name\")\r\n                    stealc.dlls_directory = cleartext.decode()\r\n                elif cleartext.endswith(b\".php\"):\r\n                    print(\"[+] Found Stealc endpoint\")\r\n                    stealc.endpoint_url = cleartext.decode()\r\n            except Exception:\r\n                # Not every candidate string is valid base64 or decodes to UTF-8; skip those\r\n                pass\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    import sys\r\n\r\n    if len(sys.argv) \u003c 2:\r\n        print(\"not enough parameters, please provide as argument the path to the Stealc sample.\")\r\n        sys.exit(1)\r\n    stealc = Stealc()\r\n    rdata = get_rdata(sys.argv[1])\r\n    search_Command_and_Control(stealc, rdata)\r\n    print(stealc)\r\nAnnex 2 – IDA script for string deobfuscation\r\nimport ida_bytes\r\nimport ida_nalt\r\nimport idc\r\nfrom idaapi import *\r\nfrom ida_bytes import *\r\nfrom ida_name import *\r\nfrom base64 import b64decode\r\nfrom string import ascii_letters, digits\r\nfrom cryptography.hazmat.primitives.ciphers import Cipher, algorithms\r\n\r\n\r\ndef read_rdata(name: str) -\u003e bytes:\r\n    \"\"\"Read the raw bytes of the string literal named `name` (e.g. aSomething) in .rdata.\"\"\"\r\n    print(f\"read_rdata: {name}\")\r\n    addr = get_name_ea_simple(name)\r\n    size = get_max_strlit_length(addr, ida_nalt.STRENC_DEFAULT)\r\n    return get_bytes(addr, size - 1)\r\n\r\n\r\ndef rc4_decrypt(key: bytes, data: bytes) -\u003e bytes:\r\n    algorithm = algorithms.ARC4(key)\r\n    cipher = Cipher(algorithm, mode=None)\r\n    decryptor = cipher.decryptor()\r\n    return decryptor.update(data)\r\n\r\n\r\ndef deobfuscate_string(base: int, end: int, KEY: bytes):\r\n    \"\"\"Walk the code between base and end: each `push offset aXxx` (or `mov [esp], offset aXxx`) is the\r\n    obfuscated string passed to the decryption function, and the following `mov dword_XXX, eax` stores\r\n    the result. The decrypted value is set as a comment and the DWORD is renamed to str_\u003cvalue\u003e.\"\"\"\r\n    ea = base\r\n    clear = []\r\n\r\n    while ea \u003c= end:\r\n        flags = ida_bytes.get_flags(ea)\r\n        if ida_bytes.is_code(flags):\r\n            instr_str = idc.generate_disasm_line(ea, 1)\r\n            instr_str = \" \".join(instr_str.split())\r\n            if instr_str.startswith(\"push offset a\") or instr_str.startswith(\"mov dword ptr [esp], offset a\"):\r\n                value = instr_str.split(\"offset\")[-1].split(';')[0].strip()\r\n                value = read_rdata(value)\r\n                clear.append(rc4_decrypt(KEY, b64decode(value)))\r\n            elif instr_str.startswith(\"mov dword_\"):\r\n                temp = instr_str.replace(\"mov dword_\", \"\")\r\n                temp = temp.split()[0].replace(\",\", \"\")\r\n                addr = int(temp, 16)\r\n                cleartext = clear.pop(-1)\r\n                cleartext = cleartext.decode()\r\n                idc.set_cmt(ea, cleartext, 0)\r\n                text = \"\"\r\n                for c in cleartext:\r\n                    if c in f\"{ascii_letters}{digits}\":\r\n                        text += c\r\n                    else:\r\n                        text += \"_\"\r\n                cleartext = f\"str_{text}\"\r\n                print(f\"replace dword_{addr:x} by `{cleartext}`\")\r\n                set_name(addr, cleartext)\r\n        ea += 1\r\n\r\n\r\n# Usage from the IDA Python console, with the start and end addresses of the string-deobfuscation\r\n# block and the RC4 key recovered from .rdata (see Annex 1):\r\n#   deobfuscate_string(start_ea, end_ea, rc4_key)\r\nThank you for reading this blog post. You can also consult other results of surveys carried out by our analysts on the\r\necosystem of infostealers.\r\nSource: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/"
	],
	"report_names": [
		"stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af63d6c76d40b824677eb0a9fb57765ce362dff8.pdf",
		"text": "https://archive.orkl.eu/af63d6c76d40b824677eb0a9fb57765ce362dff8.txt",
		"img": "https://archive.orkl.eu/af63d6c76d40b824677eb0a9fb57765ce362dff8.jpg"
	}
}