This is the open version of Stealc Malware Technical Analysis Report. If you want to download it as a PDF click here.
[/vc_column_text][vc_column_text]
File Name: hbmix.file
MD5: c4f3a39d7d4b75e5aeab50c5ddd24a64
SHA-1: cb83ac380db99c67a26baebcd8773a81b1901eed
SHA256: 6d9df22ed6d7844b938c9b2c3f413e2c7e3306a047dc807fdca6d0edbc2d2528[/vc_column_text][vc_column_text]
Introduction
Stealc is packed with pkr_ce1a, a malicious packer. It uses such techniques to avoid antiviruses and complicate analysis. It also uses antianalysis techniques such as string obfuscation and detecting analysis tools. Stealc aims to steal information from the victim’s machine like web browser data, blockchain wallets’ browser extension ID and their information.[/vc_column_text][vc_column_text]
Technical Analysis
This section covers technical findings discovered during analysis.[/vc_column_text][vc_column_text]
Process Flow Diagram
Analyzed Stealec sample extracts and executes first stage shellcode in-memory. Extracted shellcode decodes Stealc payload and executes malicious code in executable memory section. Unpacked malware payload then executes a second stage shellcode in order to perform anti virtualization and analysis techniques. If mentioned checks have passed, malware establishes communication with command and control server. Otherwise, shellcode terminates execution.
Execution diagram of analyzed Stealc sample has been given in the figure below.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19080″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]
Anti Analysis Techniques
Stealc malware uses some anti-analysis techniques such as packing, obfuscation, and anti-virtualization.
Packing Method
Analyzed Stealc sample dynamically extracts a shellcode into executable memory page and executes it during runtime. After allocation functions are called and memory alignment is done, packer uses a far jump to execute shellcode, since it is not created in new thread/process, it cannot be caught by API breakpoints. Jump made by packer to shellcode can be seen in the screenshot below.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19081″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]Shellcode mentioned in Figure 2, extracts and executes Stealc payload in-memory. Jump made by shellcode to malicious Stealc executable can be seen in the figure below.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19082″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]
String Obfuscation
Apart from in-memory executions made by packer, analyzed Stealc samples uses code, string, API obfuscation and junk codes in order to harden reverse engineering. String obfuscation is achieved by Base64 and RC4 algorithms. Code block used for string obfucation is available in the debugger screenshot below.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19083″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]Obfuscated functions are resolved into function table in memory. Following image shows handle retrieval routine of deobfuscated WinAPI calls.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19084″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]
Anti Analysis Artifacts
The malware payload contains a shellcode which detects analysis tools. It extracts at runtime and checks analysis artifacts. If it detects anything, terminates the program.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19085″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]
C&C Communication
At first victim machine identifier sent to command and control server, malware adds a keyword (such as browsers, plugins etc.) in order to receive configuration from command and control server. Targeted list of applications and other configurations are received in Base64 encoded format. Following image shows first contact made with command and control server.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19086″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]Exfiltrated information are sent to command and control server with HTTP POST request in Base64 encoded format. Following screenshot shows request sent by victim device.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19087″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]Stealc malware downloads 7 legitimate third-party DLLs from the C&C server.
- sqlite3.dll
- freebl3.dll
- mozglue.dll
- msvcp40.dll
- nss3.dll
- softokn3.dll
- vcruntime140.dll
[/vc_column_text][vc_column_text]
Capabilities
Following subsections includes current list of applications targeted by Stealc malware. Since targeted list of applications are received from command and control server, list of targeted apps might differ based on command and control server response and malware build.[/vc_column_text][vc_column_text]
Targeted web browsers
List of web browsers and their file paths checked by Stealc malware are given in the table below.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19089″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]
Targeted browser extensions
List of browser extensions and their extension identifiers checked by Stealc malware are given in the table below.[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19095″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_single_image image=”19092″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]
Targeted desktop cryptocurrency wallets
List of cryptocurrency wallets and their file paths checked by Stealc malware are given in the table below.
[/vc_column_text][vc_empty_space height=”10px”][vc_single_image image=”19091″ img_size=”full” add_caption=”yes” alignment=”center”][vc_empty_space height=”10px”][vc_column_text]
YARA Rule
rule stealc_packed{
meta:
packer = “pkr_ce1a”
reference = “https://malwarology.substack.com/p/malicious-packer-pkr_ce1a”
source = “brandefense.io”
classification = “TLP:CLEAR”
hash = “6d9df22ed6d7844b938c9b2c3f413e2c7e3306a047dc807fdca6d0edbc2d2528”
author = “theatha”
strings:
$hex01 = {d0 d7 e8 41}
$hex02 = {8d 78 4f 3f}
$hex03 = {a6 63 e3 2e}
$hex04 = {1f 5d 97 2e}
$hex05 = {a3 bd 8b 14}
$hex06 = {e1 cb 17 4c}
$hex07 = {bd 84 97 60}
$hex08 = {76 d6 10 3b}
$hex09 = {6b ab e2 5d}
$hex010 = {7d 27 35 5f}
$hex011 = {2d c6 3e 1b}
$hex012 = {41 a2 61 0e}
$hex013 = {b8 24 b3 40}
$hex014 = {2c 12 11 7b}
$hex015 = {e6 b6 20 5f}
condition:
all of them and filesize > 200KB and filesize < 300KB
}
rule stealc_unpacked
{
meta:
malware = “Stealc”
source = “brandefense.io”
classification = “TLP:CLEAR”
hash = “d4610dbc68a5840a8099f8ad7e38cf4ac12c136288b21d5a03240ac667197850”
author = “theatha”
strings:
$func = {8B 48 F8 83 C0 F0 C7 00 01 00 00 00 85 C9 74 0A 83 39 00}
$str01 = “Network Info:” ascii
$str02 = “- IP: IP?” ascii
$str03 = “- Country: ISO?” ascii
condition:
uint16(0) == 0x5A4D and ($func or 3 of ($str*))
}[/vc_column_text][vc_column_text]
Conclusion
Stealc malware poses a significant cybersecurity threat. Its advanced evasion techniques and adaptability make it difficult to detect and mitigate. The consequences of Stealc malware can result in financial loss, identity theft, and reputational damage. Proactive security measures, such as regular updates, network monitoring, and employee awareness training, are crucial to counter this threat. Collaboration, information sharing, and continual research are necessary to stay ahead of the evolving Stealc malware and protect against its detrimental effects.[/vc_column_text][vc_column_text]
You can find the YARA Rule on our GitHub repo.
[/vc_column_text][vc_empty_space][/vc_column][/vc_row]
