{
	"id": "da30f1fa-3222-45b7-929c-1f426b09e66c",
	"created_at": "2026-04-06T00:08:15.421648Z",
	"updated_at": "2026-04-10T13:12:33.402093Z",
	"deleted_at": null,
	"sha1_hash": "d66bd266f2928043205ab3918f36e74bda2ddebd",
	"title": "StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 374722,
	"plain_text": "StrelaStealer Resurgence: Tracking a JavaScript-Driven\r\nCredential Stealer Targeting Europe\r\nPublished: 2024-06-24 · Archived: 2026-04-05 18:34:18 UTC\r\nThe SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June 2024, we observed a large spike in JavaScript files spreading StrelaStealer. StrelaStealer specifically steals Outlook and Thunderbird email credentials. The infection chain resembles that of previous StrelaStealer versions, except that checks have been added to avoid infecting systems in Russia. We continue to observe its targeting limited to Poland, Spain, Italy and Germany.\r\nThe initial infection vector is an obfuscated JavaScript file delivered to the victim by email inside an archive. The JavaScript file drops a copy of itself under “C:\\Users\\<Username>\\” with a random name such as “needlereportcreepy.bat”. The .bat file is then executed: it reads the operating system language (the OSLanguage value of the Win32_OperatingSystem WMI class) and stops when that value is 1049 (0x0419, Russian), so Russian-language systems are never infected. On any other system, a base64-encoded PE file is dropped in the same directory with a random name (here, duckquixoticextra-small) and no extension. This base64 data is then decoded into a DLL with another random name (here, bellpeeleight.ico), and the DLL is executed with regsvr32.exe.\r\nFigure 1: Checks for OSLanguage\r\nThe DLL is highly obfuscated, in the same way as the recent StrelaStealer binaries we have analyzed. This loader DLL decrypts the actual PE payload from its data section and injects it into the current process (the regsvr32.exe process that loaded it).\r\nAll the APIs needed for the stealer functionality are resolved dynamically. 
The stealer first checks the keyboard layout of the system using the GetKeyboardLayout() API.\r\nFigure 2: Checks GetKeyboardLayout\r\nThe language identifier (the low 16 bits of the HKL that GetKeyboardLayout() returns) is compared against several language codes, 0x0C0A (Spanish-Spain, Modern Sort), 0x042D (Basque-Spain), 0x0415 (Polish-Poland), 0x0403 (Catalan-Spain), 0x040A (Spanish-Spain, Traditional Sort), 0x0410 (Italian-Italy) and 0x0407 (German-Germany), to determine the geographic location of the system. The whole identifier, sublanguage included, has to match, so a Spanish layout from another region (for example 0x080A, Spanish-Mexico) does not pass the check.\r\nThe main stealing functionality starts with the Mozilla Thunderbird email client. It checks for the presence of logins.json and key4.db under the Thunderbird profiles directory, C:\\Users\\<Username>\\AppData\\Roaming\\Thunderbird\\Profiles\\ (on the analysis system this was C:\\Users\\Jay\\AppData\\Roaming\\Thunderbird\\Profiles\\). If found, the data is sent to http://45.9.74[.]176/.\r\nNext, it checks for the presence of the registry key \"SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\\" under HKEY_CURRENT_USER. Outlook stores the configuration of each email account in subkeys below this key, and the stealer retrieves all of it by enumerating the key. 
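As an added example (not code from the SonicWall post), the following Python reconstructs the two locale gates described above, the .bat stage's OSLanguage test and the injected stealer's keyboard-layout test, so a defender can judge which hosts in an estate the described checks would select. The language identifiers are the ones listed in the post; the host names and HKL values are constructed, and the HKL decoding follows the Windows definition of a language identifier (low word of the HKL, primary language in the low 10 bits, sublanguage in the high 6 bits).

```python
# Added example (not SonicWall's code): reproduces StrelaStealer's two locale gates.
# Host names and HKL values below are constructed sample data.

# Language identifiers the stealer compares the keyboard layout against (from the report).
TARGET_LANGIDS = {
    0x0C0A: 'Spanish (Spain, Modern Sort)',
    0x042D: 'Basque (Spain)',
    0x0415: 'Polish (Poland)',
    0x0403: 'Catalan (Spain)',
    0x040A: 'Spanish (Spain, Traditional Sort)',
    0x0410: 'Italian (Italy)',
    0x0407: 'German (Germany)',
}

# OSLanguage value the .bat stage refuses to run on: decimal 1049 == 0x0419 (Russian).
EXCLUDED_OSLANGUAGE = 1049

def langid_from_hkl(hkl: int) -> int:
    '''GetKeyboardLayout() returns an HKL; its low 16 bits are the input language
    identifier, the high 16 bits identify the physical layout.'''
    return hkl & 0xFFFF

def primary_langid(langid: int) -> int:
    '''Low 10 bits of a LANGID: the primary language (0x0A Spanish, 0x19 Russian, ...).'''
    return langid & 0x3FF

def sub_langid(langid: int) -> int:
    '''High 6 bits of a LANGID: the sublanguage (regional variant / sort order).'''
    return langid >> 10

def bat_stage_runs(os_language: int) -> bool:
    '''Stage 1: the batch script continues only when OSLanguage is not 1049.'''
    return os_language != EXCLUDED_OSLANGUAGE

def stealer_stage_runs(hkl: int) -> bool:
    '''Stage 2: the stealer continues only when the full language identifier of the
    current keyboard layout (primary language and sublanguage) is in the target list.'''
    return langid_from_hkl(hkl) in TARGET_LANGIDS

def would_infect(os_language: int, hkl: int) -> bool:
    '''Both gates in sequence: a host is only fully compromised if both pass.'''
    return bat_stage_runs(os_language) and stealer_stage_runs(hkl)

def explain(hkl: int) -> str:
    '''Human-readable breakdown of why a layout is or is not targeted.'''
    lid = langid_from_hkl(hkl)
    name = TARGET_LANGIDS.get(lid, 'not targeted')
    return (f'HKL 0x{hkl:08X} -> LANGID 0x{lid:04X} '
            f'(primary 0x{primary_langid(lid):02X}, sub {sub_langid(lid)}): {name}')

if __name__ == '__main__':
    # Constructed hosts: (OSLanguage, HKL). For a default layout the HKL low word is the LANGID.
    hosts = {
        'Warsaw workstation': (1045, 0x04150415),          # pl-PL OS, Polish layout
        'Moscow workstation': (1049, 0x04190419),          # ru-RU OS: stopped at stage 1
        'Mexico City workstation': (2058, 0x080A080A),     # es-MX: Spanish, wrong sublanguage
        'US host with Spanish layout': (1033, 0x0C0A0C0A), # en-US OS, es-ES layout: targeted
    }
    for host, (oslang, hkl) in hosts.items():
        print(f'{host}: infect={would_infect(oslang, hkl)}; {explain(hkl)}')
```

The last sample host shows that the gate keys on the active keyboard layout, not on the OS language: an English-language system with a Spanish (Spain) layout is treated as a target, while a Spanish-language system in Mexico is not.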
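As an added example (not code from the SonicWall post), here are Python hunting rules for the chain described above: a .bat run from the profile root, regsvr32.exe loading a file with a non-DLL extension from that root, reads of Thunderbird's logins.json or key4.db and of the Outlook profile key by a process other than the mail client, and connections to the IP listed in the IOCs. They are evaluated over constructed Sysmon-style events; the event schema, the user name victim, the profile folder name and the JavaScript file name invoice.js are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Added example (not SonicWall's code): hunting rules for the StrelaStealer chain
# described in the report, evaluated over constructed Sysmon-style events.
# Event schema, the user name 'victim' and the file name invoice.js are assumptions.

Event = Dict[str, str]

# A file sitting directly under C:\Users\<user>\ (where the .bat, the base64 blob
# and the .ico-named DLL are dropped); matched against lower-cased paths.
USER_ROOT = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+$')
OUTLOOK_PROFILE_KEY = r'\software\microsoft\office\16.0\outlook\profiles\outlook\9375cff0413111d3b88a00104b2a6676'
THUNDERBIRD_SECRETS = ('logins.json', 'key4.db')
KNOWN_C2 = {'45.9.74.176'}

def _basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()

def rule_bat_in_profile_root(ev: Event) -> bool:
    '''cmd.exe executing a .bat dropped directly under C:\\Users\\<user>\\.'''
    if ev['type'] != 'process' or _basename(ev['image']) != 'cmd.exe':
        return False
    return any(USER_ROOT.match(a.lower()) and a.lower().endswith('.bat')
               for a in ev['cmdline'].split())

def rule_regsvr32_odd_extension(ev: Event) -> bool:
    '''regsvr32.exe asked to load a file from the profile root whose extension
    is not .dll/.ocx (the sample used bellpeeleight.ico).'''
    if ev['type'] != 'process' or _basename(ev['image']) != 'regsvr32.exe':
        return False
    return any(USER_ROOT.match(a.lower()) and not a.lower().endswith(('.dll', '.ocx'))
               for a in ev['cmdline'].split())

def rule_thunderbird_secrets_read(ev: Event) -> bool:
    '''A process other than Thunderbird reading logins.json / key4.db from a profile.'''
    t = ev.get('target', '').lower()
    return (ev['type'] == 'file'
            and '\\thunderbird\\profiles\\' in t
            and _basename(t) in THUNDERBIRD_SECRETS
            and _basename(ev['image']) != 'thunderbird.exe')

def rule_outlook_profile_read(ev: Event) -> bool:
    '''A process other than Outlook touching the Outlook profile key under HKCU.'''
    return (ev['type'] == 'registry'
            and OUTLOOK_PROFILE_KEY in ev.get('target', '').lower()
            and _basename(ev['image']) != 'outlook.exe')

def rule_known_c2(ev: Event) -> bool:
    '''Outbound connection to the IP listed in the report's IOCs.'''
    return ev['type'] == 'network' and ev.get('dst_ip') in KNOWN_C2

RULES = {
    'bat_in_profile_root': rule_bat_in_profile_root,
    'regsvr32_odd_extension': rule_regsvr32_odd_extension,
    'thunderbird_secrets_read': rule_thunderbird_secrets_read,
    'outlook_profile_read': rule_outlook_profile_read,
    'known_c2': rule_known_c2,
}

def detect(events: List[Event]) -> List[Tuple[int, str]]:
    '''Return (event index, rule name) for every event a rule fires on.'''
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

# Constructed telemetry reproducing the chain; the OUTLOOK.EXE event is benign noise.
# The payload runs inside regsvr32.exe because the loader injects into its own process.
SAMPLE_EVENTS: List[Event] = [
    {'type': 'process', 'image': r'C:\Windows\System32\wscript.exe',
     'cmdline': r'wscript.exe C:\Users\victim\Downloads\invoice.js'},
    {'type': 'process', 'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'cmd.exe /c C:\Users\victim\needlereportcreepy.bat'},
    {'type': 'process', 'image': r'C:\Windows\System32\regsvr32.exe',
     'cmdline': r'regsvr32.exe C:\Users\victim\bellpeeleight.ico'},
    {'type': 'file', 'image': r'C:\Windows\System32\regsvr32.exe',
     'target': r'C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\x1y2z3.default\logins.json'},
    {'type': 'registry', 'image': r'C:\Windows\System32\regsvr32.exe',
     'target': r'HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676'},
    {'type': 'registry', 'image': r'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE',
     'target': r'HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676'},
    {'type': 'network', 'image': r'C:\Windows\System32\regsvr32.exe', 'dst_ip': '45.9.74.176'},
]

if __name__ == '__main__':
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f'event {idx}: {rule}')
```

The process rules key on where the dropped files live rather than on the random file names, which change per sample; the mail-client rules key on the accessing process, since Outlook and Thunderbird themselves legitimately read these locations.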
The information is then sent to the same IP address.\r\nMore information about StrelaStealer can be found in our previous blog.\r\nIOCs\r\nSHA256:\r\n0f069016bc5c9347099589c103c8617e716ad301c3b83b69b5ebd11ef623cf78\r\na4cd72aea29e992fcdf808370f3a7c9333458535b86c9a11a1fff20299f837e6\r\nf2afca709e2973f2733887e401c903580e1ffe4d4ae6d7ea28cc5a6149ba4b96\r\n2385a4dcf8076eb51ad6893624d36ba49beac92f1e681297afbb89cd5be46c57\r\nb36fee8895bd828a42a166488b4a2574a232726d89153e3e37fe4382020f7800\r\n00e7bdaa8ff895b3b82a0b9cc8ba1971d6401e9cf575ec44a5bc3adc6bfd0771\r\nIPs\r\n45.9.74[.]176\r\nSource: https://blog.sonicwall.com/en-us/2024/06/strelastealer-resurgence-tracking-a-javascript-driven-credential-stealer-targeting-europe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sonicwall.com/en-us/2024/06/strelastealer-resurgence-tracking-a-javascript-driven-credential-stealer-targeting-europe/"
	],
	"report_names": [
		"strelastealer-resurgence-tracking-a-javascript-driven-credential-stealer-targeting-europe"
	],
	"threat_actors": [],
	"ts_created_at": 1775434095,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d66bd266f2928043205ab3918f36e74bda2ddebd.pdf",
		"text": "https://archive.orkl.eu/d66bd266f2928043205ab3918f36e74bda2ddebd.txt",
		"img": "https://archive.orkl.eu/d66bd266f2928043205ab3918f36e74bda2ddebd.jpg"
	}
}