Still on Nostr: Finally got around to taking a look at StealcV2 today after a few weeks that it's ...
Finally got around to taking a look at StealcV2 today after a few weeks that it's been out
Initial loader (536a64b3267c5056b261d71324793571d02a8714bcb8f395927f72f77d004f56)
-> CF obfuscated shellcode (bdace8aba0dbcac81811d833605fadc157ed95864537d5bf1fc28f125becef1f)
-> Rust-based (1.85.1) loader/injector (f6ce652432d8baf56195c49d34ad89bd7cf933a6af864973f7b03e6bb3acc88e)
-> StealcV2 payload (a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2)
Looks like it might have been a major rewrite? I'm not sure; I haven't closely compared it against StealcV1 yet. Strings are Base64 RC4 encoded. The RC4 patterns used in the binary currently cause a false negative in capa at the moment - I've filed an issue accordingly.
We also wrote a new YARA rule to detect StealcV2 on stream as well. Surprisingly, my heuristics-based Chromium ABE stealer YARA rule we wrote half a year ago still matches this sample and other known StealcV2 samples.
C2
- 91.92.46[.]133/8f11bd01520293d6.php
Samples, IoCs, and more
https://github.com/Still34/malware-lab/tree/main/reworkshop/2025-04-26

#threathunting #stealc
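The post says StealcV2's strings are Base64-wrapped RC4 ciphertext. The following is an added analyst-side example, not code from the post's author or from the malware-lab repository: a plain RC4 (KSA + PRGA) implementation plus a helper that pulls Base64-looking tokens out of a byte blob, decrypts each with a candidate key, and keeps only results that decode to printable text. The key `SAMPLE_KEY`, the strings in `SAMPLE_STRINGS` and the `SAMPLE_BLOB` it is embedded in are all constructed for this example; the real StealcV2 key and string layout are not on the page. Writing RC4 out by hand also makes the KSA/PRGA shape visible, which is the pattern a capa rule would need to recognise.

```python
import base64
import binascii
import re
import string
from typing import Dict, List, Optional


def rc4_ksa(key: bytes) -> List[int]:
    """RC4 key-scheduling algorithm: permute a 256-byte state with the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 PRGA: XOR data with the keystream. Encryption and decryption are identical."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_string(key: bytes, plaintext: str) -> str:
    """Produce a Base64(RC4(plaintext)) token, the layout the post describes."""
    return base64.b64encode(rc4_crypt(key, plaintext.encode())).decode()


def decode_string(key: bytes, token: str) -> Optional[bytes]:
    """Reverse encode_string; None if the token is not valid Base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    return rc4_crypt(key, raw)


# Printable ASCII minus vertical tab / form feed; used to filter decryption noise.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def is_plausible(plaintext: bytes) -> bool:
    return len(plaintext) > 0 and all(b in PRINTABLE for b in plaintext)


# Candidate Base64 tokens: at least 8 alphabet chars plus optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def recover_strings(key: bytes, blob: bytes) -> Dict[str, str]:
    """Map every Base64 token in blob that decrypts to printable text -> plaintext."""
    found: Dict[str, str] = {}
    for match in B64_TOKEN.finditer(blob):
        token = match.group().decode()
        plaintext = decode_string(key, token)
        if plaintext is not None and is_plausible(plaintext):
            found[token] = plaintext.decode()
    return found


# --- Constructed sample data (hypothetical key and strings, not from the sample) ---
SAMPLE_KEY = b"example-key"
SAMPLE_STRINGS = ["kernel32.dll", "Local State", "Login Data"]
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"                      # fake header bytes
    + b"\x00".join(encode_string(SAMPLE_KEY, s).encode() for s in SAMPLE_STRINGS)
    + b"\x00\x01\x02garbage-text\x00"                  # non-token filler
)


if __name__ == "__main__":
    for token, text in recover_strings(SAMPLE_KEY, SAMPLE_BLOB).items():
        print(f"{token:24} -> {text!r}")
```

In practice the key is recovered from the decryption routine in the binary (or from a known sample config) and `SAMPLE_BLOB` is replaced by the mapped image or a `strings`-style dump; the printable filter keeps false positives from unrelated Base64 tokens low, but any token that happens to decrypt to printable bytes under the wrong key still has to be judged by eye.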
Published at
2025-04-26 06:35:38

Event JSON
{
  "id": "e264ad2dfe9fe5e24a3a3909ef8d58199c75208087c4f55067608bee41becbf5",
  "pubkey": "6b3b9e7f61cdf2ee3defb5930b7f8be364c6d9b1787fc454b94ce0a1b7754dd1",
  "created_at": 1745649338,
  "kind": 1,
  "tags": [
    [
      "t",
      "threathunting"
    ],
    [
      "t",
      "stealc"
    ],
    [
      "imeta",
      "url https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/402/874/861/396/311/original/2d49d5439f6372d0.png",
      "m image/png",
      "dim 1920x1080",
      "blurhash UUFh*F0J~V9a4;S$aes,xt$%NGs:NE%1Rko3"
    ],
    [
      "proxy",
      "https://infosec.exchange/users/still/statuses/114402875076671358",
      "activitypub"
    ],
    [
      "client",
      "Mostr",
      "31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr",
      "wss://relay.mostr.pub"
    ]
  ],
  "content": "Finally got around to taking a look at StealcV2 today after a few weeks that it's been out\n\nInitial loader (536a64b3267c5056b261d71324793571d02a8714bcb8f395927f72f77d004f56) \n-\u003e CF obfuscated shellcode (bdace8aba0dbcac81811d833605fadc157ed95864537d5bf1fc28f125becef1f )\n-\u003e Rust-based (1.85.1) loader/injector (f6ce652432d8baf56195c49d34ad89bd7cf933a6af864973f7b03e6bb3acc88e)\n-\u003e StealcV2 payload (a26095cf5fff9a7ec04c3fd3fb60372f38f3dc300addf4983e0ce4f7490ef7b2)\n\nLooks like it might have been a major rewrite? I'm not sure I haven't closely compared it against the StealcV1 yet. Strings are Base64 RC4 encoded. The RC4 patterns used in the binary currently causes false negative in capa at the moment - I've filed an issue accordingly.\n\nWe also wrote a new YARA rule to detect StealcV2 on stream as well. Surprisingly, my heuristics-based Chromium ABE stealer YARA rule we wrote half a year ago still matches this sample and other known StealcV2 samples.\n\nC2\n- 91.92.46[.]133/8f11bd01520293d6.php \n\nSamples, IoCs, and more \nhttps://github.com/Still34/malware-lab/tree/main/reworkshop/2025-04-26 \n\n#threathunting #stealc\n\nhttps://media.infosec.exchange/infosec.exchange/media_attachments/files/114/402/874/861/396/311/original/2d49d5439f6372d0.png",
  "sig": "9d83e387819e5d532f7e600c51de41b55180849f84ec67bfa16376556746c9c331097fd73b4559351e6d406ce7d0d614ec5d12e38a717a23b0357b20ee1c04e7"
}