{
	"id": "a125cdf2-7fd0-4309-862f-2e50192d7b8a",
	"created_at": "2026-04-06T00:19:19.553872Z",
	"updated_at": "2026-04-10T03:21:46.886671Z",
	"deleted_at": null,
	"sha1_hash": "c35b3eda99fec94f01e00ea894f9a4f0c128df1a",
	"title": "StrelaStealer Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3134700,
	"plain_text": "StrelaStealer Malware Analysis\r\nBy serverca\r\nPublished: 2023-09-18 · Archived: 2026-04-05 17:10:55 UTC\r\nFortgale has identified an offensive campaign targeting Italian business systems, carried out via malicious email\r\ncontaining the StrelaStealer malware.\r\nDuring the compromise, several techniques are observed including:\r\nSpearphishing Attachment  (T1566.001)\r\nObfuscated Files or Information (T1027)\r\nRundDLL32 (T1218.011)\r\nThe information collected and the characteristics of the compromise allow the case to be attributed to the\r\nStrelaStealer Malware. It is a malware known since November 2022 that cyclically reappears in new campaigns.\r\nIts purpose is usually to collect information about Outlook and ThunderBird accounts, as also confirmed by our\r\ntechnical analysis.\r\nThe attention of these Threat Actors is focusing on European entities, particularly on Italian, Spanish, and\r\nGerman companies.\r\nOur investigation has allowed us to identify localized strings also in Polish language, not emerged from previous\r\nanalyses of the same malware. This suggests a potential expansion of the Threat Actor’s targets towards new\r\ncountries.\r\nThe use of a specific language is deduced from the keyboard layout. 
If the active layout does not correspond to any of those indicated, the malware terminates without running its payload.\r\nAnother peculiarity of StrelaStealer, and the reason for its name, is the presence of the “strela” string used as an encryption key.\r\nIn the analysis below it is possible to observe in detail the tactics of Discovery, Collection and Exfiltration, reconstructed through reverse engineering.\r\nAt the end of the article there is a list of Indicators of Compromise useful for identifying the malware in a business environment.\r\nhttps://fortgale.com/blog/malware-analysis/strelastealer-malware-analysis-2/\r\nPage 1 of 14\n\nInitial Access\r\nThe criminal actors used an automation to personalize the name of the zip file attachment, using the domain of the victim's email account.\r\nThe compressed file contains a JavaScript file named “VictimDomain”.js.\r\nThe JavaScript contains obfuscated code divided into two portions, one written as a .bat batch script and one as .js. Whether the file is run via cmd.exe or wscript.exe determines which portion of the code is executed (batch or JS).\r\nThe embedded payload is decoded with the legitimate Windows utility certutil.exe, which writes the malicious DLL “2PCGV1.dll” to disk, after which the DLL is executed (via rundll32.exe, T1218.011):\r\nMalicious Payload: 2PCGV1.dll\r\nThe DLL has been obfuscated through the addition of numerous useless mathematical operations, in order to slow down and complicate the analysis and the identification of the operations performed by the malware.\r\nAfter careful observation, through both static and dynamic analysis, it was possible to identify the main function, which is decrypted in memory before execution.\r\nThe functionalities of the malware are limited and simple. 
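Before the collection routines, the network indicators the article documents in the Exfiltration section and in the YARA rule (the POST to hxxp://91[.]215[.]85[.]209/server.php and the pinned Chrome/60 User-Agent) are worth turning into detection logic, since they are what a SOC will see first. The following is an added example, not code from Fortgale's post: a matcher in Python run over constructed, tab-separated proxy log lines; the log layout, the client addresses and the verdict thresholds are assumptions.

```python
# Added example: hunting the StrelaStealer exfiltration in proxy logs.
# The indicators are the ones from the article (server IP, URI and the
# User-Agent from the YARA rule); the log lines and their tab-separated
# layout (timestamp, client, method, url, status, user-agent) are constructed.
import ipaddress
from urllib.parse import urlsplit

EXFIL_IP = ipaddress.ip_address('91.215.85.209')
EXFIL_PATH = '/server.php'
EXFIL_UA = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
            '(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36')

SAMPLE_LOG = '''2023-09-14T09:12:01Z\t10.0.4.17\tGET\thttp://example.org/index.html\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0.0.0
2023-09-14T09:12:44Z\t10.0.4.17\tPOST\thttp://91.215.85.209/server.php\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
2023-09-14T09:13:02Z\t10.0.4.23\tPOST\thttp://91.215.85.209/server.php\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
2023-09-14T09:15:30Z\t10.0.4.31\tPOST\thttp://10.1.1.5/server.php\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
2023-09-14T09:16:10Z\t10.0.4.17\tGET\thttp://91.215.85.209/\t404\tcurl/8.2.1
'''


def parse_line(line):
    # Split one constructed record into named fields; the URL host is kept as
    # an ip_address object when it is a literal IP, None when it is a hostname.
    ts, client, method, url, status, ua = line.split('\t', 5)
    parts = urlsplit(url)
    try:
        host_ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        host_ip = None
    return {'ts': ts, 'client': client, 'method': method, 'host': parts.hostname,
            'ip': host_ip, 'path': parts.path, 'status': status, 'ua': ua}


def match_indicators(rec):
    # Return the indicators a record matches; an empty list means clean.
    hits = []
    if rec['ip'] == EXFIL_IP:
        hits.append('dst_ip')
    if rec['ua'] == EXFIL_UA:
        hits.append('user_agent')
    if rec['method'] == 'POST' and rec['path'] == EXFIL_PATH:
        hits.append('post_server_php')
    return hits


def hunt(log_text):
    # One finding per suspicious line: (client, hits, verdict).
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hitset = set(match_indicators(rec))
        if not hitset:
            continue
        # The server IP plus any second indicator is the documented beacon.
        # The pinned Chrome/60 UA on a POST to /server.php is the same shape
        # even if the server changes between campaigns (assumption: treated as
        # a weaker, separate verdict). The IP alone (e.g. a curl GET from an
        # analyst) only warrants review.
        if 'dst_ip' in hitset and len(hitset) >= 2:
            verdict = 'exfiltration'
        elif {'user_agent', 'post_server_php'} <= hitset:
            verdict = 'beacon_shape'
        else:
            verdict = 'review'
        findings.append((rec['client'], sorted(hitset), verdict))
    return findings


def infected_clients(log_text):
    # Hosts to isolate and whose Outlook/Thunderbird credentials to rotate.
    return sorted({c for c, _, v in hunt(log_text) if v != 'review'})


if __name__ == '__main__':
    for finding in hunt(SAMPLE_LOG):
        print(finding)
    print(infected_clients(SAMPLE_LOG))   # ['10.0.4.17', '10.0.4.23', '10.0.4.31']
```

Because the sample posts the credentials immediately after collection, every client in the list should be treated as having already leaked its IMAP credentials: rotating the Outlook and Thunderbird account passwords matters more than cleaning the DLL.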
There are procedures for the exfiltration of data from the Thunderbird and Outlook mail clients and their subsequent sending via HTTP requests.\r\nLike many other stealers, it has anti-analysis functionality and checks on system localization.\r\nA characteristic of this sample is the verification of the keyboard layout: if an Italian, German, Spanish or Polish layout is not present, the malware terminates its process.\r\nOnce the information has been exfiltrated, depending on the recognized keyboard layout (it-IT, de-DE, es-ES, pl), the victim is shown a localized error message via a message box (the message texts are those used in the YARA rule below).\r\nDefense Evasion\r\nChecking for the presence of a debugger as an anti-analysis technique:\r\nIdentification of localization and creation of a mutex based on the machine name:\r\nCollection\r\nCollection of data from Outlook and Thunderbird, exfiltration, and closure with a message box:\r\nOutlook data is collected from the registry values “IMAP Server”, “IMAP User” and “IMAP Password” under the Outlook profile key (the path is $discovery_str4 in the YARA rule below). The value of “IMAP Password” is a DPAPI blob and is decrypted via CryptUnprotectData before being sent to the server:\r\nThe second group of information collected relates to Thunderbird: these data are read from the files %APPDATA%\\Thunderbird\\Profiles\\*\\logins.json (the saved logins) and %APPDATA%\\Thunderbird\\Profiles\\*\\key4.db (the NSS key database needed to decrypt them):\r\nExfiltration\r\nThe collected information is sent via the POST method to the URL hxxp://91[.]215[.]85[.]209/server.php (T1041), with the User-Agent string listed in the YARA rule below.\r\nCommunication with the server\r\nConclusions\r\nFrom the information in our possession, this type of offensive campaign does not appear to be a targeted attack, but rather a mass compromise activity against systems located in Europe.\r\nDespite this, it is a serious threat to companies: if not blocked promptly, it poses a tangible risk to the security of the victim.\r\nThis type of compromise could lead to more serious consequences, such as:\r\nexfiltration of the victim's personal data\r\nexfiltration of company data\r\ninfrastructure compromise\r\nransomware attacks\r\nGiven the nature of the malware, the concrete risk is the compromise of Outlook accounts linked to the company domain and consequently access to the company's systems, a starting point for more advanced offensive activities.\r\nWe believe that StrelaStealer is a malware that will have a growing impact against business and non-business systems located in Europe.\r\nYARA Rules\r\nFortgale has developed the following YARA rule:\r\nrule StrelaStealer {\r\n    meta:\r\n        author = \"Fortgale\"\r\n    strings:\r\n        $xor_string_strela = \"strela\" ascii wide\r\n        $xor_string_uuid = /[a-z0-9]{8}\\-[a-z0-9]{4}\\-[a-z0-9]{4}\\-[a-z0-9]{4}\\-[a-z0-9]{12}/ ascii wide\r\n        $uri = \"/server.php\" ascii wide\r\n        $user_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\" ascii wide\r\n        // Localized error messages shown to the victim after exfiltration.\r\n        // Polish: \"Plik jest uszkodzony i nie może zostać uruchomiony.\" as UTF-16LE\r\n        // (ż = U+017C and ć = U+0107 lie outside Latin-1, so a hex string is needed).\r\n        $msg_pl = { 50 00 6c 00 69 00 6b 00 20 00 6a 00 65 00 73 00 74 00 20 00 75 00 73 00 7a 00 6b 00 6f 00 64 00 7a 00 6f 00 6e 00 79 00 20 00 69 00 20 00 6e 00 69 00 65 00 20 00 6d 00 6f 00 7c 01 65 00 20 00 7a 00 6f 00 73 00 74 00 61 00 07 01 20 00 75 00 72 00 75 00 63 00 68 00 6f 00 6d 00 69 00 65 00 6e 00 79 00 2e 00 }\r\n        // The Italian, Spanish and German messages only use Latin-1 characters, written as \\xNN\r\n        // so that both the ANSI (ascii) and the UTF-16LE (wide) forms are correct.\r\n        $msg_it = \"Il file \\xe8 danneggiato e non pu\\xf2 essere eseguito.\" ascii wide\r\n        $msg_es = \"El archivo est\\xe1 da\\xf1ado y no se puede ejecutar.\" ascii wide\r\n        $msg_de = \"Die Datei ist besch\\xe4digt und kann nicht ausgef\\xfchrt werden.\" ascii wide\r\n        $discovery_str1 = \"%s%s\\\\key4.db\" ascii wide\r\n        $discovery_str2 = \"%s%s\\\\logins.json\" ascii wide\r\n        $discovery_str3 = \"\\\\Thunderbird\\\\Profiles\\\\\" ascii wide\r\n        $discovery_str4 = \"SOFTWARE\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\\\\\" ascii wide\r\n    condition:\r\n        any of ($msg_*) and any of ($discovery_str*) and any of ($uri, $user_agent, $xor_string_strela, $xor_string_uuid)\r\n}\r\nAttack Patterns\r\nMapping of the Tactics, Techniques and Procedures (TTPs) used to perform the attack (CODE - NAME - DESCRIPTION).\r\nDISCOVERY\r\nT1518 - Software Discovery - Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.\r\nT1083 - File and Directory Discovery - Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\r\nT1012 - Query Registry - Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\r\nT1082 - System Information Discovery - Adversaries may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\r\nEXECUTION\r\nT1059.003 - Windows Command Shell - Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems.\r\nT1059.007 - JavaScript - Adversaries may abuse various implementations of JavaScript for execution. 
JavaScript is a platform-independent scripting language commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.\r\nDEFENSE EVASION\r\nT1027 - Obfuscated Files or Information - Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\r\nT1218.011 - Rundll32 - Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly, may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations.\r\nT1140 - Deobfuscate/Decode Files or Information - Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.\r\nT1622 - Debugger Evasion - Adversaries may employ various means to detect and avoid debuggers.\r\nINITIAL ACCESS\r\nT1566.001 - Spearphishing Attachment - Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.\r\nCOLLECTION\r\nT1560 - Archive Collected Data - An adversary may compress and/or encrypt data that is collected prior to exfiltration.\r\nT1119 - Automated Collection - Once established within a system or network, an adversary may use automated techniques for collecting internal data.\r\nT1005 - Data from Local System - Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\r\nT1114 - Email Collection - Adversaries may target user email to collect sensitive information. 
Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries.\r\nEXFILTRATION\r\nT1041 - Exfiltration Over C2 Channel - Adversaries may steal data by exfiltrating it over an existing command and control channel.\r\nIndicators of Compromise (IOC)\r\nINFO - TYPE - VALUE\r\nIOZN9N.bat - file (BAT) - SHA-256 7aa255285fcff60772086f75acd4e2e6c0a09a1fab94be32a705f550287c3dc2\r\n2PCGV1.dll - file (DLL) - SHA-256 90b124755902204fa4b5ffd3cb6b1c334de6aca39b9a3bbc85e50b46a6b7a342\r\n8HFZVO - text file - SHA-256 210d530ce66b48d4e643ca7fc9211498cd24c2b74e202bacd65ae34ec9bcf938\r\nExfiltration server - URL - hxxp://91[.]215[.]85[.]209/server.php\r\nExfiltration server - IP address - 91[.]215[.]85[.]209\r\nSource: https://fortgale.com/blog/malware-analysis/strelastealer-malware-analysis-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://fortgale.com/blog/malware-analysis/strelastealer-malware-analysis-2/"
	],
	"report_names": [
		"strelastealer-malware-analysis-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c35b3eda99fec94f01e00ea894f9a4f0c128df1a.pdf",
		"text": "https://archive.orkl.eu/c35b3eda99fec94f01e00ea894f9a4f0c128df1a.txt",
		"img": "https://archive.orkl.eu/c35b3eda99fec94f01e00ea894f9a4f0c128df1a.jpg"
	}
}