Researchers Discover Numerous Samples of Information Stealer ‘Stealc’ in the Wild

SUMMARY
Stealc is an information stealer now advertised on dark web forums under a Malware-as-a-Service (MaaS) model. According to a report from SEKOIA, its developer markets it as a fully functional and usable stealer whose feature set draws on the Vidar, Raccoon, Mars, and RedLine stealers.

TECHNICAL DETAILS
The Stealc malware is being touted as a rival to the Vidar and Raccoon stealers. Since January 2023, 35 Command and Control (C2) servers and more than 40 Stealc samples have been observed in the wild. The malware targets data held by web browsers, browser extensions, desktop cryptocurrency wallets, email clients, and messaging applications.

Stealc's features also include:
– a file grabber that can be configured to collect specific files from the victim host,
– a loader that lets the operator drop and execute additional malware on the victim,
– data-collection rules that can be tailored to a specific target, and
– a fully functional administration panel.

INDICATORS OF COMPROMISE (IoCs)
Stealc C2 servers (IP addresses and domains):
• 185.143.223[.]136
• 94.131.99[.]185
• 65.109.131[.]183
• 45.87.153[.]50
• 179.43.162[.]94
• 194.87.31[.]146
• 94.142.138[.]11
• 23.88.116[.]117
• 95.217.143[.]99
• 185.242.87[.]149
• 194.4.51[.]160
• 5.75.138[.]201
• 185.130.46[.]214
• 167.235.62[.]105
• 185.247.184[.]7
• 179.43.162[.]89
• 91.228.225[.]46
• 179.43.162[.]2
• 77.246.156[.]93
• 84.246.85[.]80
• 185.5.248[.]95
• 146.70.161[.]51
• 85.239.54[.]29
• 91.215.85[.]188
• 77.91.124[.]7
• 37.120.238[.]190
• 37.220.87[.]65
• 45.136.49[.]247
• 45.136.50[.]69
• 45.136.51[.]61
• 45.144.29[.]176
• 65.109.3[.]34
• 94.142.138[.]48
• 95.216.112[.]83
• 195.74.86[.]37
• 162.0.238[.]10
• 666palm[.]com
• 777palm[.]com
• aa-cj[.]com
• fff-ttt[.]com
• moneylandry[.]com

Stealc C2 URLs:
• hxxp://146.70.161[.]51/273d9c8034a95cb4.php
• hxxp://162.0.238[.]10/752e382b4dcf5e3f.php
• hxxp://176.124.192[.]200/bef7fb05c9ef6540.php
• hxxp://179.43.162[.]2/d8ab11e9f7bc9c13.php
• hxxp://185.5.248[.]95/api.php
• hxxp://666palm[.]com/bca98681abf8e1ab.php
• hxxp://777palm[.]com/bef7fb05c9ef6540.php
• hxxp://94.142.138[.]48/f9f76ae4bb7811d9.php
• hxxp://95.216.112[.]83/413a030d85acf448.php
• hxxp://aa-cj[.]com/6842f013779f3d08.php
• hxxp://fff-ttt[.]com/984dd96064cb23d7.php
• hxxp://moneylandry[.]com/bef7fb05c9ef6540.php
• hxxp://185.247.184[.]7/8c3498a763cc5e26.php
• hxxps://185.247.184[.]7/8c3498a763cc5e26.php
• hxxp://23.88.116[.]117/api.php
• hxxp://185.5.248[.]95/c1377b94d43eacea.php
• hxxp://146.70.161[.]51/58d66e64beb49702/freebl3.dll
• hxxp://146.70.161[.]51/58d66e64beb49702/mozglue.dll
• hxxp://146.70.161[.]51/58d66e64beb49702/msvcp140.dll
• hxxp://146.70.161[.]51/58d66e64beb49702/nss3.dll
• hxxp://146.70.161[.]51/58d66e64beb49702/softokn3.dll
• hxxp://146.70.161[.]51/58d66e64beb49702/sqlite3.dll
• hxxp://146.70.161[.]51/58d66e64beb49702/vcruntime140.dll
• hxxp://162.0.238[.]10/dbe4ef521ee4cc21/freebl3.dll
• hxxp://162.0.238[.]10/dbe4ef521ee4cc21/mozglue.dll
• hxxp://162.0.238[.]10/dbe4ef521ee4cc21/msvcp140.dll
• hxxp://162.0.238[.]10/dbe4ef521ee4cc21/nss3.dll
• hxxp://162.0.238[.]10/dbe4ef521ee4cc21/softokn3.dll
• hxxp://162.0.238[.]10/dbe4ef521ee4cc21/sqlite3.dll
• hxxp://162.0.238[.]10/dbe4ef521ee4cc21/vcruntime140.dll
• hxxp://179.43.162[.]2/3461133978273cb9/freebl3.dll
• hxxp://179.43.162[.]2/3461133978273cb9/mozglue.dll
• hxxp://179.43.162[.]2/3461133978273cb9/msvcp140.dll
• hxxp://179.43.162[.]2/3461133978273cb9/nss3.dll
• hxxp://179.43.162[.]2/3461133978273cb9/softokn3.dll
• hxxp://179.43.162[.]2/3461133978273cb9/sqlite3.dll
• hxxp://179.43.162[.]2/3461133978273cb9/vcruntime140.dll
• hxxp://185.5.248[.]95/libs/freebl3.dll
• hxxp://185.5.248[.]95/libs/mozglue.dll
• hxxp://185.5.248[.]95/libs/msvcp140.dll
• hxxp://185.5.248[.]95/libs/nss3.dll
• hxxp://185.5.248[.]95/libs/softokn3.dll
• hxxp://185.5.248[.]95/libs/sqlite3.dll
• hxxp://185.5.248[.]95/libs/vcruntime140.dll
• hxxp://666palm[.]com/54fbf4b9ffe8c98d/freebl3.dll
• hxxp://666palm[.]com/54fbf4b9ffe8c98d/mozglue.dll
• hxxp://666palm[.]com/54fbf4b9ffe8c98d/msvcp140.dll
• hxxp://666palm[.]com/54fbf4b9ffe8c98d/nss3.dll
• hxxp://666palm[.]com/54fbf4b9ffe8c98d/softokn3.dll
• hxxp://666palm[.]com/54fbf4b9ffe8c98d/sqlite3.dll
• hxxp://666palm[.]com/54fbf4b9ffe8c98d/vcruntime140.dll
• hxxp://777palm[.]com/2ccaf544c0cf7de7/freebl3.dll
• hxxp://777palm[.]com/2ccaf544c0cf7de7/mozglue.dll
• hxxp://777palm[.]com/2ccaf544c0cf7de7/msvcp140.dll
• hxxp://777palm[.]com/2ccaf544c0cf7de7/nss3.dll
• hxxp://777palm[.]com/2ccaf544c0cf7de7/softokn3.dll
• hxxp://777palm[.]com/2ccaf544c0cf7de7/sqlite3.dll
• hxxp://777palm[.]com/2ccaf544c0cf7de7/vcruntime140.dll
• hxxp://94.142.138[.]48/54982f23330528c2/freebl3.dll
• hxxp://94.142.138[.]48/54982f23330528c2/mozglue.dll
• hxxp://94.142.138[.]48/54982f23330528c2/msvcp140.dll
• hxxp://94.142.138[.]48/54982f23330528c2/nss3.dll
• hxxp://94.142.138[.]48/54982f23330528c2/softokn3.dll
• hxxp://94.142.138[.]48/54982f23330528c2/sqlite3.dll
• hxxp://94.142.138[.]48/54982f23330528c2/vcruntime140.dll
• hxxp://95.216.112[.]83/5840871afdb84f06/sqlite3.dll
• hxxp://aa-cj[.]com/1b8df000d02ce631/freebl3.dll
• hxxp://aa-cj[.]com/1b8df000d02ce631/mozglue.dll
• hxxp://aa-cj[.]com/1b8df000d02ce631/msvcp140.dll
• hxxp://aa-cj[.]com/1b8df000d02ce631/nss3.dll
• hxxp://aa-cj[.]com/1b8df000d02ce631/softokn3.dll
• hxxp://aa-cj[.]com/1b8df000d02ce631/sqlite3.dll
• hxxp://aa-cj[.]com/1b8df000d02ce631/vcruntime140.dll
• hxxp://fff-ttt[.]com/a02fc2187db8cd88/freebl3.dll
• hxxp://fff-ttt[.]com/a02fc2187db8cd88/mozglue.dll
• hxxp://fff-ttt[.]com/a02fc2187db8cd88/msvcp140.dll
• hxxp://fff-ttt[.]com/a02fc2187db8cd88/nss3.dll
• hxxp://fff-ttt[.]com/a02fc2187db8cd88/softokn3.dll
• hxxp://fff-ttt[.]com/a02fc2187db8cd88/sqlite3.dll
• hxxp://fff-ttt[.]com/a02fc2187db8cd88/vcruntime140.dll
• hxxp://moneylandry[.]com/2ccaf544c0cf7de7/freebl3.dll
• hxxp://moneylandry[.]com/2ccaf544c0cf7de7/mozglue.dll
• hxxp://moneylandry[.]com/2ccaf544c0cf7de7/msvcp140.dll
• hxxp://moneylandry[.]com/2ccaf544c0cf7de7/nss3.dll
• hxxp://moneylandry[.]com/2ccaf544c0cf7de7/softokn3.dll
• hxxp://moneylandry[.]com/2ccaf544c0cf7de7/sqlite3.dll
• hxxp://moneylandry[.]com/2ccaf544c0cf7de7/vcruntime140.dll
• hxxp://5.75.138[.]201/9026ac2a280e901d/softokn3.dll
• hxxp://23.88.116[.]117/libs/sqlite3.dll
• hxxp://185.247.184[.]7/b00dc1fe53045ca1/sqlite3.dll
• hxxp://95.216.112[.]83/5840871afdb84f06/mozglue.dll
• hxxp://179.43.162[.]2/3461133978273cb9/sqlite3.dll
• hxxp://179.43.162[.]2/3461133978273cb9/msvcp140.dll

Stealc SHA256:
• 1e09d04c793205661d88d6993cb3e0ef5e5a37a8660f504c1d36b0d8562e63a2
• 77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d
• 87f18bd70353e44aa74d3c2fda27a2ae5dd6e7d238c3d875f6240283bc909ba6

RECOMMENDATIONS
• Prohibit or disable the storing of credentials in web browsers and web applications; stored browser credentials are a primary target of this stealer.
• Keep detection and response tooling (EDR/MDR/XDR, etc.) current; it greatly aids in discovering campaigns of this kind.
• Use DNS monitoring and netflow analysis to identify C2 and exfiltration activity, including connections to the servers and URLs listed above.
• DLP solutions may also detect the exfiltration, because the malware sends each item as soon as it is collected rather than in a single bulk upload.
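As an added example (not code from this page, from SEKOIA, or from the Stealc operators), the following Python script turns the IoCs above into something a SOC can run over proxy logs, and covers both the IoC section and the monitoring recommendations. It refangs a subset of the listed C2 hosts, matches the two URL shapes visible in the list (a gate at /<16 hex>.php or /api.php, and DLL downloads under /<16 hex>/ or /libs/), and flags clients that POST repeatedly to a gate, which is the traffic pattern behind the DLP note above. The "timestamp client method url" log format, the sample lines, the 203.0.113.8 host and the burst threshold are constructed assumptions, not observed telemetry; the URL-shape rules are derived from the list above and are heuristics, not a vendor signature.

```python
"""Triage helper for the Stealc IoCs listed above: refangs them, then runs
them plus the URL shapes visible in the list over proxy-log lines."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Subset of the C2 hosts from the IoC list above, in the page's defanged form.
DEFANGED_C2_HOSTS = [
    "146.70.161[.]51", "162.0.238[.]10", "179.43.162[.]2", "185.5.248[.]95",
    "94.142.138[.]48", "95.216.112[.]83", "666palm[.]com", "777palm[.]com",
    "aa-cj[.]com", "fff-ttt[.]com", "moneylandry[.]com",
]
# The three sample hashes from the IoC list above.
STEALC_SHA256 = {
    "1e09d04c793205661d88d6993cb3e0ef5e5a37a8660f504c1d36b0d8562e63a2",
    "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d",
    "87f18bd70353e44aa74d3c2fda27a2ae5dd6e7d238c3d875f6240283bc909ba6",
}
# Third-party DLLs Stealc fetches from its C2 (file names taken from the URL list).
DLL_NAMES = ("freebl3", "mozglue", "msvcp140", "nss3", "softokn3", "sqlite3", "vcruntime140")


def refang(ioc: str) -> str:
    """Undo the page's defanging ('[.]' and 'hxxp') so IoCs match raw log data."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


C2_HOSTS = frozenset(refang(h) for h in DEFANGED_C2_HOSTS)

# URL shapes observed in the IoC list (heuristics, not a vendor signature):
# a gate at /<16 hex>.php (or /api.php) and DLL downloads under /<16 hex>/ (or /libs/).
GATE_RE = re.compile(r"^/(?:[0-9a-f]{16}|api)\.php$")
DLL_RE = re.compile(r"^/(?:[0-9a-f]{16}|libs)/(?:%s)\.dll$" % "|".join(DLL_NAMES))


def classify_url(url: str) -> list:
    """Return the reasons a URL looks like Stealc traffic (empty list if none)."""
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname in C2_HOSTS:
        reasons.append("known-c2-host")
    if GATE_RE.match(parsed.path):
        reasons.append("gate-url-shape")
    if DLL_RE.match(parsed.path):
        reasons.append("dll-fetch-url-shape")
    return reasons


def scan_proxy_log(lines) -> list:
    """Assumed log format: 'timestamp client method url'. Returns one
    (ts, client, method, url, reasons) tuple per line that matched."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, method, url = parts[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((ts, client, method, url, reasons))
    return hits


def posting_clients(hits, min_posts: int = 3) -> dict:
    """Clients with >= min_posts POSTs to a gate-shaped URL. Stealc sends each
    item as it is collected, so a burst of small POSTs to one .php is the tell."""
    counts = defaultdict(int)
    for _, client, method, url, reasons in hits:
        if method == "POST" and "gate-url-shape" in reasons:
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= min_posts}


def known_hashes(observed) -> set:
    """Intersect observed SHA256 values (any case) with the listed sample hashes."""
    return {h.lower() for h in observed} & STEALC_SHA256


# Constructed sample log (not real telemetry): one Stealc-like infection plus noise.
SAMPLE_LOG = """\
2023-02-20T10:00:01Z 10.0.0.5 GET http://95.216.112.83/5840871afdb84f06/sqlite3.dll
2023-02-20T10:00:02Z 10.0.0.5 POST http://95.216.112.83/413a030d85acf448.php
2023-02-20T10:00:03Z 10.0.0.5 POST http://95.216.112.83/413a030d85acf448.php
2023-02-20T10:00:04Z 10.0.0.5 POST http://95.216.112.83/413a030d85acf448.php
2023-02-20T10:00:05Z 10.0.0.7 GET https://example.com/index.html
2023-02-20T10:00:06Z 10.0.0.9 GET http://203.0.113.8/libs/nss3.dll
""".splitlines()

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("bursting clients:", posting_clients(found))
```

Adapt the line split to the real proxy export before running it at scale. Treat a dll-fetch-url-shape hit with no known host (the 203.0.113.8 line in the sample) as a lead to pivot on rather than a confirmed infection, since a 16-hex-character directory name serving nss3.dll is suggestive but not unique to Stealc.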

 

REFERENCES
https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/#h-conclusion
https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.html
