{
	"id": "50cbae71-0146-452c-afe3-3d590018e767",
	"created_at": "2026-04-06T00:16:16.586729Z",
	"updated_at": "2026-04-10T13:11:29.871362Z",
	"deleted_at": null,
	"sha1_hash": "fecf784608fe2916ea520f43880a8c743f421229",
	"title": "Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2242701,
	"plain_text": "Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity\r\n– Part 1\r\nBy Quentin Bourgue, Pierre Le Bourhis and Sekoia TDR\r\nPublished: 2023-02-20 · Archived: 2026-04-05 22:25:21 UTC\r\nTable of contents\r\nA successful entry into the cybercrime market\r\nFirst Stealc advertisement\r\nPlymouth’s activity carried out in a professional manner\r\nTechnical analysis\r\nMalware sample association\r\nTechnical overview of Stealc sample\r\nTracking Stealc in its many forms\r\nStandalone samples\r\nPacked samples\r\nC2 servers\r\nConclusion\r\nAnnex\r\nAnnex 1 – Stealc capabilities\r\nTargeted web browsers\r\nTargeted browser extensions\r\nTargeted desktop cryptocurrency wallets\r\nAnnex 2 – A Stealc’s infection chain\r\nStatic detection\r\nDynamic detection using VirusTotal Livehunt\r\nSuricata rules\r\nContext\r\nIn January 2023, through our Dark Web monitoring routine, Sekoia.io identified a new information stealer advertised as\r\nStealc by its alleged developer, going by the handle Plymouth. The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on the Vidar, Raccoon, Mars and Redline stealers. This information suggests that this\r\nnewcomer could be a serious competitor to the popular, widespread malware families mentioned above.\r\nIn early February 2023, Sekoia.io identified a new malware family when tracking infrastructures distributing information\r\nstealers. The Command and Control (C2) communications of the associated samples share similarities with those of Vidar\r\nand Raccoon. 
Further analysis by Sekoia.io allowed us to associate this new malware family with Stealc.\r\nThe investigation led us to discover several dozen Stealc samples distributed in the wild, and more than 40 Stealc C2\r\nservers, certainly an indication that this new infostealer became widespread and popular among cybercriminals distributing\r\nstealers. Sekoia.io therefore conducted an in-depth analysis of this emerging threat.\r\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\r\nPage 1 of 21\n\nThis blog post aims to present the activities of Stealc’s alleged developer, a technical analysis of the malware and its\r\nC2 communications, and how to track it. We also share details on Stealc capabilities (Annex 1) and an infection chain\r\ndistributing it (Annex 2).\r\nIn a follow-up blog post, we will share a write-up on the reverse engineering of Stealc to take a look at the different\r\ntechniques implemented by the malware. \r\nA successful entry into the cybercrime market\r\nFirst Stealc advertisement\r\nOn 9 January, 2023, Plymouth advertised the Stealc information stealer for the first time on the XSS and BHF Russian-speaking underground forums. The threat actor published a detailed description of the new malware listing its wide stealing\r\ncapabilities, the fully featured and well designed administration panel, and some technical characteristics.\r\nFigure 1. Advertisement for Stealc stealer on XSS, published by Plymouth on 9 January, 2023 \r\nBy default, Stealc targets sensitive data from the most used web browsers, browser extensions for cryptocurrency wallets,\r\ndesktop cryptocurrency wallets and information from additional applications, including email client and messenger\r\nsoftware. 
Compared to other stealers Sekoia.io analysed, the data collection configuration can be customised to tailor the\r\nmalware to the customer’s needs.\r\nStealc also implements a customisable file grabber, allowing its customers to steal files matching their grabber rules. The\r\nstealer also has the loader capabilities that would usually be expected of an information stealer sold as a Malware-as-a-Service\r\n(MaaS). A complete list of Stealc capabilities is shared in Annex 1.\r\nThe administration panel is also fully featured and allows its users (i.e. threat actors distributing the stealer) to:\r\nset up the malware configuration;\r\nparse, display, filter, sort and analyse the stolen data;\r\ndownload the logs (stolen data) with several options.\r\nSekoia.io observed that log handling is a key feature for all information stealers entering the MaaS market. Threat actors\r\nare likely to sell the stolen data on log marketplaces and therefore need to download it in a personalised way. In addition,\r\nthey need to identify and extract the valuable credentials and files from the large amounts of collected data. Thus, we\r\nassess Plymouth, the presumed Stealc developer, almost certainly dedicated a great effort to developing the administration\r\npanel’s log sorting and download features.\r\nPlymouth’s activity carried out in a professional manner\r\nAfter the first publication on 9 January, 2023 on XSS and BHF, Plymouth continued to advertise its infostealer to reach a\r\nlarger audience on additional channels, including the Exploit hacking forum and the Telegram messaging application.\r\nTo gain the trust of potential customers, developers often offer free malware tests to cybercrime forum users to collect\r\nreviews and possibly positive feedback on their product. 
This is considered a guarantee of quality, similar to a Bitcoin\r\ndeposit on a cybercrime forum. On some forums, it is even required to make a deposit or have relevant feedback from\r\nan administrator, moderator or experienced user to sell a product or service.\r\nAs shown in the following figure, Plymouth fulfils both: a 0.02 Bitcoin deposit (around $400 at the time of deposit), and free\r\nweekly tests offered to XSS users. We assess with high confidence that its alleged developer quickly established itself as a\r\nreliable threat actor, and its malware gained the trust of cybercriminals dealing with infostealers.\r\nFigure 2. Plymouth’s post offering Stealc free weekly tests; Plymouth’s profile indicates a deposit of 0.02\r\nBitcoin on the XSS forum (translated from Russian)\r\nIn addition, Plymouth released several versions of Stealc and published changelogs on different forums, as well as on a\r\ndedicated Telegram channel (hxxps://t[.]me/stealc_changelog). The changelogs introduce new features and bug fixes. The main\r\nchanges for each release are listed in the following figure.\r\nFigure 3. Timeline of Stealc releases and Plymouth’s activities\r\nPlymouth’s publications and observed activities indicate that Stealc is under ongoing development with new features added\r\non a weekly basis. 
While the stealer is already functional and adopted by several threat actors, the developer continues to\r\nimprove both the malware and the administration panel, likely to expand its customer base.\r\nTechnical analysis\r\nBefore analysing Stealc’s execution process and C2 communications, we present how we associate the new malware family\r\nwith the malware advertised as Stealc by Plymouth.\r\nMalware sample association\r\nIn early February 2023, Sekoia.io analysts found a sample of an unknown malware by investigating an infrastructure\r\ntypically used to distribute stealers (SHA256: a2465fc5059ea57c7b64b1dc01caf8735422a005ddb7fabeddfa3cbc89085ccf,\r\nhttps://tria.ge/230212-pkc69adh37). The sample execution exhibits two specific characteristics:\r\nThe download of legitimate third-party DLLs already observed being abused by stealers (sqlite3.dll, freebl3.dll,\r\nmozglue.dll, msvcp40.dll, nss3.dll, softokn3.dll and vcruntime140.dll);\r\nThe execution of a command deleting all DLLs in C:\\ProgramData.\r\nFrom these behaviours, we pivoted on dozens of samples that appear to belong to the same malware family using the\r\nfollowing query on VirusTotal:\r\nbehaviour:\"C:\\ProgramData\\*.dll\" behaviour:\"timeout /t 5\" behaviour:\"sqlite3.dll\"\r\nFigure 4. Search on specific behaviours of the malware sample on VirusTotal yielding packed and unpacked\r\nsamples\r\nThe results returned standalone samples of about 80KB (SHA256:\r\n77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d), which we analysed in depth to corroborate the\r\nassociation of this new malware family with Stealc. 
Here is a summary of the association between Stealc features as advertised by\r\nPlymouth and sample features observed by Sekoia.io. Each feature is given as described by Plymouth on XSS, followed by the Sekoia.io observation based on samples of the new malware family.\r\nAdvertised: When developing our solution, we relied on Vidar, Raccoon, Mars and RedLine\r\nObserved: Stealc, Vidar, Raccoon and Mars all download legitimate third-party DLLs (sqlite3.dll, nss3.dll, etc.), as does the found sample.\r\nAdvertised: Current build weight – 78kb\r\nObserved: The standalone sample is approximately 80KB.\r\nAdvertised: stealc was written in pure C using WinAPI\r\nObserved: The C-written malware uses WinAPI functions.\r\nAdvertised: all functions are dynamically loaded\r\nObserved: Once the strings are deobfuscated, the malware loads the WinAPI functions using GetProcAddress and LoadLibraryA.\r\nAdvertised: import table is taken by couple of imports from mscrt\r\nObserved: The import address table imports 6 functions from the msvcrt DLL.\r\nAdvertised: All lines of work are obfuscated.\r\nObserved: All strings are obfuscated using RC4 and base64, except a few which are related to new features (update v1.1.2).\r\nAdvertised: stealc does not generate an archive on the client side, each file to be collected is sent to the server in a separate request\r\nObserved: The malware exfiltrates the collected data file by file and doesn’t wait to receive the whole configuration before collecting and sending data.\r\nAdvertised: more than 23 supported browsers\r\nObserved: Based on the configuration sent by the C2, the malware targets 22 browsers.\r\nAdvertised: more than 70 web plugins\r\nObserved: Based on the configuration sent by the C2, Stealc targets 75 plugins.\r\nAdvertised: more than 15 desktop wallets\r\nObserved: Based on the configuration sent by the C2, Stealc targets 25 wallets.\r\nAdvertised: email clients\r\nObserved: The sample collects data from Outlook files (\\Outlook\\accounts.txt); the configuration is stored in the obfuscated data.\r\nAdvertised: added random name generation for script-gate (api.php), in stealc update v1.1.2\r\nObserved: The first samples communicated on /api.php and downloaded the DLLs from /libs/. Recent samples used random paths ([a-f0-9]{16}) for data exfiltration and DLL download.\r\nAdvertised: recorded user-agents in the system_info.txt file, in stealc update v1.1.2\r\nObserved: The malware exfiltrates the victim host’s user agents.\r\nAdvertised: recorded ip and country in file system_info.txt, in stealc update v1.1.2\r\nObserved: The IP address and country (ISO) of the infected host are exfiltrated to the C2.\r\nTable 1. Sekoia.io observations on the advertised Stealc features and collected samples\r\nBased on this comparative table, Sekoia.io analysts assess with high confidence that this new malware family found in the wild matches the Stealc\r\ninfostealer.\r\nTechnical overview of Stealc sample\r\nSekoia.io reverse engineered Stealc and will publish an in-depth analysis to share further details. In the meantime, here is an\r\noverview of the main steps of Stealc execution.\r\nOnce executed, Stealc deobfuscates all its RC4-encrypted and base64-encoded strings. It then compares the system date\r\nto the hardcoded date in the obfuscated strings. If the execution occurs after the hardcoded date, the malware stops. This\r\ncheck is likely implemented by the stealer developer to limit the customer’s activity to the licence validity period. \r\nStealc also checks for virtual or sandbox environments by comparing the machine name to HAL9TH and the user name to\r\nJohnDoe, which are used solely by the Microsoft Defender emulator.\r\nThe malware dynamically loads the different WinAPI functions using LoadLibrary and GetProcAddress, and initiates the\r\ncommunication to its C2 server. Here is a step-by-step analysis of the malware communication:\r\n1. 
Stealc first sends the victim host’s HWID (Hardware Identifier) and build name to its C2 server, using a POST\r\nrequest on the server gate (name=”hwid”, name=”build”). The server responds with the base64-encoded\r\nconfiguration, such as:\r\nd325580bb149e327a7c8338ec6c9ac7227e7c319411261441d8d3097b2a2d6e5fef3ce48|isdone|docia.docx|\r\n1|1|0|1|1|1|1|1|\r\nFigure 5. Stealc C2 communication, first POST request to send the victim host HWID and build name\r\n2. The malware sends the command browsers to the C2 to retrieve its configuration for data collection from web\r\nbrowsers, using a POST request on the server gate (name=”token”, name=”message” (browsers)). Again, the server\r\nresponds with the base64-encoded configuration, such as:\r\nGoogle Chrome|\\Google\\Chrome\\User Data|chrome|Google Chrome Canary|\\Google\\Chrome SxS\\User\r\nData|chrome|Chromium|\\Chromium\\User Data|chrome|Amigo|\\Amigo\\User Data|chrome|Torch|\\Torch\\User\r\nData|chrome|Vivaldi|\\Vivaldi\\User Data|chrome|Comodo Dragon|\\Comodo\\Dragon\\User\r\nData|chrome|EpicPrivacyBrowser|\\Epic Privacy Browser\\User Data|chrome|CocCoc|\\CocCoc\\Browser\\User\r\nData|chrome|Brave|\\BraveSoftware\\Brave-Browser\\User Data|chrome|Cent Browser|\\CentBrowser\\User\r\nData|chrome|7Star|\\7Star\\7Star\\User Data|chrome|Chedot Browser|\\Chedot\\User Data|chrome|Microsoft\r\nEdge|\\Microsoft\\Edge\\User Data|chrome|360 Browser|\\360Browser\\Browser\\User\r\nData|chrome|QQBrowser|\\Tencent\\QQBrowser\\User Data|chrome|CryptoTab|\\CryptoTab Browser\\User\r\nData|chrome|Opera Stable|\\Opera Software|opera|Opera GX Stable|\\Opera Software|opera|Mozilla\r\nFirefox|\\Mozilla\\Firefox\\Profiles|firefox|Pale Moon|\\Moonchild Productions\\Pale\r\nMoon\\Profiles|firefox|Opera Crypto Stable|\\Opera\r\nSoftware|opera|Thunderbird|\\Thunderbird\\Profiles|firefox|\r\nFigure 6. 
Stealc C2 communication, second POST request to get the data collection configuration for web\r\nbrowsers\r\n3. Using the same format, it sends the command plugins to the C2 to retrieve its configuration for data collection from\r\nweb browser extensions, using a POST request on the server gate (name=”token”, name=”message” (plugins)).\r\nThe server responds with the base64-encoded configuration, such as:\r\nMetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|\r\nMetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|\r\nBinance\r\nWallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|\r\nCoinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|\r\nhpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|(redacted)\r\n4. Stealc exfiltrates fingerprint data of the infected host, using a POST request on the server gate (name=”token”,\r\nname=”file_name”, name=”file”). The file is named system_info.txt and includes information on network, system\r\nsummary, user agents, installed apps and process list.\r\n5. It downloads 7 legitimate third-party DLLs from the C2 server, using GET requests, in the following order:\r\nsqlite3.dll\r\nfreebl3.dll\r\nmozglue.dll\r\nmsvcp40.dll\r\nnss3.dll\r\nsoftokn3.dll\r\nvcruntime140.dll\r\n6. Stealc exfiltrates files one by one, using POST requests on the server gate (name=”token”, name=”file_name”,\r\nname=”file”). Files collected and exfiltrated by the malware correspond to those defined in the received\r\nconfiguration, such as (for a victim host having Mozilla Firefox installed):\r\nhistory\\Mozilla Firefox_*.default-release.txt\r\nautofill\\Mozilla Firefox_*.default-release.txt\r\ncookies\\Mozilla Firefox_*.default-release.txt\r\n7. 
It sends the command wallets to the C2 to retrieve its configuration for data collection from desktop\r\ncryptocurrency wallets, using a POST request on the server gate (name=”token”, name=”message” (wallets)).\r\nAgain, the server responds with the base64-encoded configuration, such as:\r\nBitcoin Core|\\Bitcoin\\wallets\\|wallet.dat|1|Bitcoin Core\r\nOld|\\Bitcoin\\|*wallet*.dat|0|Dogecoin|\\Dogecoin\\|*wallet*.dat|0|Raven\r\nCore|\\Raven\\|*wallet*.dat|0|Daedalus Mainnet|\\Daedalus Mainnet\\wallets\\|she*.sqlite|0|Blockstream\r\nGreen|\\Blockstream\\Green\\wallets\\|*.*|1|Wasabi\r\nWallet|\\WalletWasabi\\Client\\Wallets\\|*.json|0|Ethereum|\\Ethereum\\|keystore|0|Electrum|\\Electrum\\wallets\\|*.*|0\r\n(redacted)\r\n8. It also sends the command files to the C2 to retrieve its configuration for the file grabber, using a POST request on\r\nthe server gate (name=”token”, name=”message” (files)). The server responds with the base64-encoded\r\nconfiguration, such as:\r\nDESKTOP|%DESKTOP%\\|*.txt|15|1|0|Doki|%DOCUMENTS%\\|*.txt|15|1|0|\r\n9. Again, it exfiltrates the collected data using the same pattern as previously described in step 6 (name=”token”,\r\nname=”file_name”, name=”file”). With the previous configuration, the file files\\DESKTOP\\SwitchSearch.txt is\r\ncollected and exfiltrated by the malware.\r\n10. Finally, Stealc’s obfuscated data includes the file paths or Windows Registry keys related to sensitive data of\r\nDiscord, Telegram, Tox, Outlook and Steam. The malware gathers the targeted files and exfiltrates them with the\r\nsame pattern as described before.\r\n11. 
Once the malware finishes retrieving all configurations and exfiltrating collected data, it sends the command done\r\nusing a POST request on the server gate (name=”token”, name=”message” (done)).\r\nStealc C2 communications are verbose when the infected host has multiple web browsers, extensions, desktop wallets or\r\nfiles matching the collection configuration.\r\nOnce the data collection process is done, the malware removes itself and the downloaded DLL files from the compromised\r\nhost by executing the following command:\r\ncmd.exe /c timeout /t 5 \u0026 del /f /q \"$STEALERPATH\" \u0026 del \"C:\\ProgramData\\*.dll\" \u0026 exit\r\nTracking Stealc in its many forms\r\nStandalone samples\r\nAn efficient way to detect the Stealc standalone samples consists of writing a YARA rule on the specific strings which are\r\nnot obfuscated (those which were added in the v1.2.0 Stealc release).\r\nFor this purpose, we compared the common strings embedded in all the Stealc standalone samples. Here are the characteristic\r\nstrings included in all standalone samples:\r\nASCII: ------      paddr: 69704, 69726\r\nASCII: \\..\\     paddr: 69844\r\nASCII: block      paddr: 69856\r\nASCII: Network Info:      paddr: 69864\r\nASCII: - IP: IP?      paddr: 69881\r\nASCII: - Country: ISO?     paddr: 69893\r\nASCII: - Display Resolution:      paddr: 69913\r\nASCII: User Agents:     paddr: 69936\r\nWe can also sign the malware function that loops over the obfuscated strings to deobfuscate them. A YARA rule based on\r\nboth methods is shared in IoCs \u0026 Technical Details.\r\nPacked samples\r\nYARA signatures based on the malware strings or functions are not efficient when the sample is packed using a commercial\r\npacker, a custom loader, embedded in shellcode, or otherwise wrapped. 
In that scenario, dynamic detection is a valid option.\r\nTo this end, we can use a YARA rule for VirusTotal Livehunt to detect the specific commands executed by Stealc or the\r\nspecific C2 communications, including:\r\n/c timeout /t 5\r\ndel /f /q \"%SAMPLEPATH%\"\r\ndel \"%ProgramData%\\*.dll\"\r\n/sqlite3.dll\r\n.php\r\nAs we did above to pivot on this malware family, we can correlate these specific behaviours in a YARA rule using\r\nVirusTotal Livehunt. A YARA rule is shared in IoCs \u0026 Technical Details.\r\nC2 servers\r\nTracking the Stealc C2 servers can be done using the HTTP and HTML default responses, which seem to be characteristic.\r\nMost of the scanned C2 servers respond with an HTTP 200 status code and an HTML page containing a “404 Forbidden”\r\nApache server page on port 80, as shown below:\r\nHTTP/1.1 200 OK\r\nDate: \u003cREDACTED\u003e\r\nServer: Apache/2.4.41 (Ubuntu)\r\nVary: Accept-Encoding\r\nContent-Length: 145\r\nContent-Type: text/html; charset=UTF-8\r\n\u003chtml\u003e \u003chead\u003e\u003ctitle\u003e404 Forbidden\u003c/title\u003e\u003c/head\u003e \u003cbody\u003e \u003ccenter\u003e\u003ch1\u003e404 Forbidden\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003eapache\u003c/center\u003e \u003c/body\u003e \u003c/html\u003e\r\nTo confirm that a server matching this specific HTML response and an HTTP 200 status code corresponds to a Stealc C2\r\nserver, we can scan some URIs opened on Stealc servers, such as “/modules/” and “/index.php/”.\r\nAt the time of writing, Sekoia.io found 35 active servers associated with Stealc C2 with high confidence (listed below in\r\nIoCs \u0026 Technical Details), and more than 40 Stealc samples.\r\nConclusion\r\nStealc is another fully featured infostealer sold as a MaaS which emerged on underground forums in early 2023.\r\nPlymouth drew on today’s trendy infostealers on the market (Vidar, Raccoon, Redline and Mars) to develop malware\r\nthat quickly became popular among 
Russian-speaking cybercriminals.\r\nSince customers of the Stealc MaaS own a build of its administration panel to host the stealer C2 server and generate stealer\r\nsamples themselves, it is likely that the build will leak into the underground communities in the medium term. For that\r\nmatter, Sekoia.io further assesses that the Plymouth business will possibly not be viable over several years, as the Vidar or Raccoon\r\nprojects are. However, it is likely that a cracked version of the Stealc build may be released in the future, which may be\r\nused for many years to come.\r\nHowever, we expect that the Stealc infostealer will become widespread in the near term, as multiple threat actors add the\r\nmalware to their arsenal while it is poorly monitored. Companies facing stealer compromise need to be aware of this\r\nmalware.\r\nTo provide our customers with actionable intelligence, Sekoia.io analysts will continue to monitor emerging and prevalent\r\ninfostealers, including Stealc.\r\nAnnex\r\nAnnex 1 – Stealc capabilities\r\nTargeted web browsers\r\nWeb browser / Path of targeted file / Format\r\nGoogle Chrome \\Google\\Chrome\\User Data chrome\r\nGoogle Chrome Canary \\Google\\Chrome SxS\\User Data chrome\r\nChromium \\Chromium\\User Data chrome\r\nAmigo \\Amigo\\User Data chrome\r\nTorch \\Torch\\User Data chrome\r\nVivaldi \\Vivaldi\\User Data chrome\r\nComodo Dragon \\Comodo\\Dragon\\User Data chrome\r\nEpicPrivacyBrowser \\Epic Privacy Browser\\User Data chrome\r\nCocCoc \\CocCoc\\Browser\\User Data chrome\r\nBrave \\BraveSoftware\\Brave-Browser\\User Data chrome\r\nCent Browser \\CentBrowser\\User Data chrome\r\n7Star \\7Star\\7Star\\User Data chrome\r\nChedot Browser \\Chedot\\User Data chrome\r\nMicrosoft Edge \\Microsoft\\Edge\\User Data chrome\r\n360 Browser \\360Browser\\Browser\\User Data chrome\r\nQQBrowser \\Tencent\\QQBrowser\\User Data 
chrome\r\nCryptoTab \\CryptoTab Browser\\User Data chrome\r\nOpera Stable \\Opera Software opera\r\nOpera GX Stable \\Opera Software opera\r\nMozilla Firefox \\Mozilla\\Firefox\\Profiles firefox\r\nPale Moon \\Moonchild Productions\\Pale Moon\\Profiles firefox\r\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\r\nPage 10 of 21\n\nOpera Crypto Stable \\Opera Software opera\r\nTargeted browser extensions\r\nCryptocurrency wallet Extension ID\r\nMetaMask djclckkglechooblngghdinmeemkbgci\r\nMetaMask ejbalbakoplchlghecdalmeeeajnimhm\r\nMetaMask nkbihfbeogaeaoehlefnkodbefgpgknn\r\nTronLink ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nBinance Wallet fhbohimaelbohpjbbldcngcnapndodjp\r\nYoroi ffnbelfdoeiohenkjibnmadjiehjhajb\r\nCoinbase Wallet extension hnfanknocfeofbddgcijnmhnfnkdnaad\r\nGuarda hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nJaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne\r\niWallet kncchdigobghenbbaddojjnnaogfppfj\r\nMEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nGuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj\r\nRonin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec\r\nNeoLine cphhlgmgameodnhkjdmkpanlelnlohao\r\nCLV Wallet nhnkbkgjikgcigadomkphalanndcapjk\r\nLiquality Wallet kpfopkelmapcoipemfendmdcghnegimn\r\nTerra Station Wallet aiifbnbfobpmeekipheeijimdpnlpgpp\r\nKeplr dmkamcknogkgcdfhhbddcghachkejeap\r\nSollet fhmfendgdocmcbmfikdcogofphimnkno\r\nAuro Wallet(Mina Protocol) cnmamaachppnkjgnildpdmkaakejnhae\r\nPolymesh Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf\r\nICONex flpiciilemghbmfalicajoolhkkenfel\r\nCoin98 Wallet aeachknmefphepccionboohckonoeemg\r\nEVER Wallet cgeeodpfagjceefieflmdfphplkenlfk\r\nKardiaChain Wallet pdadjkfkgcafgbceimcpbkalnfnepbnk\r\nRabby acmacodkjbdgmoleebolmdjonilkdbch\r\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\r\nPage 11 of 21\n\nPhantom bfnaelmomeimhlpmgjnjophhpkkoljpa\r\nBrave Wallet odbfpeeihdkbihmopkbjmoonfanlbfcl\r\nOxygen 
fhilaheimglignddkjgofkcbgekhenbh\r\nPali Wallet mgffkfbidihjpoaomajlbgchddlicgpn\r\nBOLT X aodkkagnadcbobfpggfnjeongemjbjca\r\nXDEFI Wallet hmeobnfnfcmdkdcmlblgagmfpfboieaf\r\nNami lpfcbjknijpeeillifnkikgncikgfhdo\r\nMaiar DeFi Wallet dngmlblcodfobpdpecaadgfbcggfjfnm\r\nKeeper Wallet lpilbniiabackdjcionkobglmddfbcjo\r\nSolflare Wallet bhhhlbepdkbapadjdnnojkbgioiodbic\r\nCyano Wallet dkdedlpgdmmkkfjabffeganieamfklkm\r\nKHC hcflpincpppdclinealmandijcmnkbgn\r\nTezBox mnfifefkajgofkcjkemidiaecocnkjeh\r\nTemple ookjlbkiijinhpmnjffcofjonbfbgaoc\r\nGoby jnkelfanjkeadonecabehalmbgpfodjm\r\nRonin Wallet kjmoohlgokccodicjjfebfomlbljgfhk\r\nByone nlgbhdfgdhgbiamfdfmbikcdghidoadd\r\nOneKey jnmbobjmhlngoefaiojfljckilhhlhcj\r\nDAppPlay lodccjjbdhfakaekdiahmedfbieldgik\r\nSteemKeychain jhgnbkkipaallpehbohjmkbjofjdmeid\r\nBraavos Wallet jnlgamecbpmbajjfhmmmlhejkemejdma\r\nEnkrypt kkpllkodjeloidieedojogacfhpaihoh\r\nOKX Wallet mcohilncbfahbmgdjkbpemcciiolgcge\r\nSender Wallet epapihdplajcdnnkdeiahlgigofloibg\r\nHashpack gjagmgiddbbciopjhllkdnddhcglnemk\r\nEternl kmhcihpebfmpgmihbkipmjlmmioameka\r\nPontem Aptos Wallet phkbamefinggmakgklpkljjmgibohnba\r\nPetra Aptos Wallet ejjladinnckdgjemekebdpeokbikhfci\r\nMartian Aptos Wallet efbglgofoippbgcjepnhiblaibcnclgk\r\nFinnie cjmkndjhnagcfbpiemnkdpomccnjblmj\r\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\r\nPage 12 of 21\n\nLeap Terra Wallet aijcbedoijmgnlmjeegjaglmepbmpkpi\r\nTrezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk\r\nAuthenticator bhghoamapcdpbohphigoooaddinpkbai\r\nAuthy gaedmjdfmmahhbjefcbgaolhhanlaolb\r\nEOS Authenticator oeljdldpnmdbchonielidgobddffflal\r\nGAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl\r\nBitwarden nngceckbapebfimnlniiiahkandclblb\r\nKeePassXC oboonakemofpalcgghocfoadofidjkkk\r\nDashlane fdjamakpfbbddfjaooikfcpapjohcfmg\r\nNordPass fooolghllnmhmmndgjiamiiodkpenpbb\r\nKeeper bfogiafebfohielmmehodmfbbebbbpei\r\nRoboForm 
pnlccmojcmeohlpggmfnbbiapkmbliob\r\nLastPass hdokiejnpimakedhajhdlcegeplioahd\r\nBrowserPass naepdomgkenhinolocfifgehidddafch\r\nMYKI bmikpgodpkclnkgmnpphehdgcimmided\r\nSplikity jhfjfclepacoldmjmkmdlmganfaalklb\r\nCommonKey chgfefjpcobfbnpmiokfjjaglahmnded\r\nZoho Vault igkpcodhieompeloncfnbekccinhapdb\r\nOpera Wallet gojhcdgcpbpfigcaejpfhfegekdgiblk\r\nTargeted desktop cryptocurrency wallets\r\nCryptocurrency\r\nwallet\r\nPath of targeted directory File\r\nBitcoin Core \\Bitcoin\\wallets\\ wallet.dat\r\nBitcoin Core Old \\Bitcoin\\ wallet.dat\r\nDogecoin \\Dogecoin\\ wallet.dat\r\nRaven Core \\Raven\\ wallet.dat\r\nDaedalus Mainnet \\Daedalus Mainnet\\wallets\\ she*.sqlite\r\nBlockstream Green \\Blockstream\\Green\\wallets\\ .\r\nWasabi Wallet \\WalletWasabi\\Client\\Wallets\\ .json\r\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\r\nPage 13 of 21\n\nEthereum \\Ethereum\\ keystore\r\nElectrum \\Electrum\\wallets\\ .\r\nElectrumLTC \\Electrum-LTC\\wallets\\ .\r\nExodus \\Exodus\\ exodus.conf.json\r\nExodus \\Exodus\\ window-state.json\r\nExodus \\Exodus\\exodus.wallet\\ passphrase.json\r\nExodus \\Exodus\\exodus.wallet\\ seed.seco\r\nExodus \\Exodus\\exodus.wallet\\ info.seco\r\nElectron Cash \\ElectronCash\\wallets\\ .\r\nMultiDoge \\MultiDoge\\ multidoge.wallet\r\nJaxx Desktop (old) \\jaxx\\Local Storage\\ file__0.localstorage\r\nJaxx Desktop \\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\ .\r\nAtomic \\atomic\\Local Storage\\leveldb\\ .\r\nBinance \\Binance\\ app-store.json\r\nBinance \\Binance\\ simple-storage.json\r\nBinance \\Binance\\ .finger-print.fp\r\nCoinomi \\Coinomi\\Coinomi\\wallets\\ .wallet\r\nCoinomi \\Coinomi\\Coinomi\\wallets\\ *.config\r\nAnnex 2 – A Stealc’s infection chain\r\nSekoia.io observed an infection chain distributing Stealc, that consists in the following 
steps:\r\nFigure 7. Cracked software catalogue website (rcc-software[.]com) luring the user to download Stealc sample\r\n1. YouTube videos, posted from stolen accounts, describing how to install cracked software for free and providing a link (hxxps://rcc-software[.]com/services);\r\n2. From the link provided in the YouTube video, the victim can access a “cracked software catalogue” website;\r\n3. The payload embeds the Stealc infostealer. The user downloads it, decompresses the archive using the password 55555 and executes the file “setup.exe” (hxxps://streetlifegaming[.]com/wp-content/uploads/2023/02/Pass_55555_Setup.rar);\r\n4. Stealc communicates with its C2 on 37.220.87[.]65 (https://tria.ge/230212-pkc69adh37).\r\nIoCs \u0026 Technical Details\r\nIoCs\r\nThe list of IoCs is available on the Sekoia.io GitHub repository.\r\nStealc SHA256 (standalone samples)\r\n1e09d04c793205661d88d6993cb3e0ef5e5a37a8660f504c1d36b0d8562e63a2\r\n77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d\r\n87f18bd70353e44aa74d3c2fda27a2ae5dd6e7d238c3d875f6240283bc909ba6\r\nMore IoCs are available in the Sekoia.io Intelligence Center.\r\nYARA rules\r\nYARA rules are available on the Sekoia.io GitHub repository.\r\nStatic detection\r\nrule infostealer_win_stealc {\r\n    meta:\r\n        malware = \"Stealc\"\r\n        description = \"Find standalone Stealc sample based on decryption routine or characteristic strings\"\r\n        source = \"SEKOIA.IO\"\r\n        reference = \"https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1\"\r\n        classification = \"TLP:CLEAR\"\r\n        hash = \"77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d\"\r\n    strings:\r\n        $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } // deobfuscation routine\r\n        $str01 = \"------\" ascii\r\n        $str02 = \"Network Info:\" ascii\r\n        $str03 = \"- IP: IP?\" ascii\r\n        $str04 = \"- Country: ISO?\" ascii\r\n        $str05 = \"- Display Resolution:\" ascii\r\n        $str06 = \"User Agents:\" ascii\r\n        $str07 = \"%s\\\\%s\\\\%s\" ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and ($dec or 5 of ($str*))\r\n}\r\nDynamic detection using VirusTotal Livehunt\r\nimport \"vt\"\r\nrule infostealer_win_stealc_behaviour {\r\n    meta:\r\n        malware = \"Stealc\"\r\n        description = \"Find Stealc sample based on characteristic behaviors\"\r\n        source = \"SEKOIA.IO\"\r\n        reference = \"https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1\"\r\n        classification = \"TLP:CLEAR\"\r\n        hash = \"3feecb6e1f0296b7a9cb99e9cde0469c98bd96faed0beda76998893fbdeb9411\"\r\n    condition:\r\n        for any cmd in vt.behaviour.command_executions : (\r\n            cmd contains \"\\\\*.dll\"\r\n        ) and\r\n        for any cmd in vt.behaviour.command_executions : (\r\n            cmd contains \"/c timeout /t 5 \u0026 del /f /q\"\r\n        ) and\r\n        for any c in vt.behaviour.http_conversations : (\r\n            c.url contains \".php\"\r\n        )\r\n}\r\nSuricata rules\r\nSuricata signatures are available on the Sekoia.io GitHub repository.\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"SEKOIA.IO Malware Stealc POST request: hwid, build\"; \\\r\nflow:established,to_server; http.method; content:\"POST\"; http.uri; content:\".php\"; depth:21; http.content_type; \\\r\ncontent:\"multipart/form-data|3B| boundary=----\"; http.request_body; content:\"Content-Disposition: form-data|3B| name=|22|hwid|22|\"; \\\r\noffset: 26 ; depth: 45; content:\"Content-Disposition: form-data|3B| name=|22|build|22|\"; reference:url, \\\r\nblog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; \\\r\nclasstype:trojan-activity; sid:001; rev:1; metadata:created_at 2023_02_17, updated_at 2023_02_17;)\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"SEKOIA.IO Malware Stealc POST request: token, message\"; \\\r\nflow:established,to_server; http.method; content:\"POST\"; http.uri; content:\".php\"; depth:21; http.content_type; \\\r\ncontent:\"multipart/form-data|3B| boundary=----\"; http.request_body; content:\"Content-Disposition: form-data|3B| \\\r\nname=|22|token|22|\"; offset: 26 ; depth: 46; content:\"Content-Disposition: form-data|3B| name=|22|message|22|\"; \\\r\nthreshold: type limit, track by_src, seconds 180, count 1; reference:url, \\\r\nblog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; \\\r\nclasstype:trojan-activity; sid:002; rev:1; metadata:created_at 2023_02_17, updated_at 2023_02_17;)\r\nMITRE ATT\u0026CK TTPs\r\nTactic\tTechnique\r\nExecution\tT1059.003 – Command and Scripting Interpreter: Windows Command Shell\r\nExecution\tT1106 – Native API\r\nExecution\tT1129 – Shared Modules\r\nDefense Evasion\tT1027 – Obfuscated Files or Information\r\nDefense Evasion\tT1027.007 – Obfuscated Files or Information: Dynamic API Resolution\r\nDefense Evasion\tT1036 – Masquerading\r\nDefense Evasion\tT1055 – Process Injection\r\nDefense Evasion\tT1070 – Indicator Removal: File Deletion\r\nDefense Evasion\tT1140 – Deobfuscate/Decode Files or Information\r\nDefense Evasion\tT1622 – Debugger Evasion\r\nCredential Access\tT1539 – Steal Web Session Cookie\r\nCredential Access\tT1552.001 – Unsecured Credentials: Credentials In Files\r\nCredential Access\tT1555.003 – Credentials from Password Stores: Credentials from Web Browsers\r\nDiscovery\tT1012 – Query Registry\r\nDiscovery\tT1016 – System Network Configuration Discovery\r\nDiscovery\tT1057 – Process Discovery\r\nDiscovery\tT1082 – System Information Discovery\r\nDiscovery\tT1083 – File and Directory Discovery\r\nDiscovery\tT1518 – Software Discovery\r\nDiscovery\tT1614 – System Location Discovery\r\nCollection\tT1005 – Data from Local System\r\nCollection\tT1113 – Screen Capture\r\nCollection\tT1119 – Automated Collection\r\nCollection\tT1132.001 – Data Encoding: Standard Encoding\r\nCommand and Control\tT1071.001 – Application Layer Protocol: Web Protocols\r\nCommand and Control\tT1105 – Ingress Tool Transfer\r\nExfiltration\tT1020 – Automated Exfiltration\r\nExfiltration\tT1041 – Exfiltration Over C2 Channel\r\nTable 2. MITRE ATT\u0026CK TTPs related to Stealc infostealer\r\nThank you for reading this blogpost. You can also consult other results of surveys carried out by our analysts on the ecosystem of infostealers:\r\nSource: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/"
	],
	"report_names": [
		"stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fecf784608fe2916ea520f43880a8c743f421229.pdf",
		"text": "https://archive.orkl.eu/fecf784608fe2916ea520f43880a8c743f421229.txt",
		"img": "https://archive.orkl.eu/fecf784608fe2916ea520f43880a8c743f421229.jpg"
	}
}