Autopsy of a Failed Stealer: StealC v2

StealC is a prominent C++ stealer that has been operational since 2022; version 2 was released in March 2025. The update introduces enhancements such as server-side decryption of Chromium-based browser cookies and improved protection of the exfiltrated data. Key features include a time-bomb mechanism, file targeting, and a complex HWID generation method used to track infected machines. Affected: browsers, Windows systems

Key points:

  • StealC v1 sold for 00; only 5 copies were released.
  • Version 2 introduces server-side decryption and brute-forcing of crypto plugins.
  • Data transfer is encrypted with an RC4-based algorithm.
  • The stealer uses Windows event objects to manage execution.
  • Includes a “time bomb” feature that stops execution after a certain date.
  • Self-deletion and screenshot capabilities are optional within the build configuration.
  • Payload types include standard executables, PowerShell scripts, and MSI packages.
  • HWID generation is based on the system’s volume serial number.
  • C2 communication is initially Base64-encoded.
  • The stealer can forcibly terminate processes to access locked browser files.
  • File targeting is specified through CSIDL values related to common folders.
  • Detection capabilities are available through Yara rules.

MITRE Techniques:

  • T1071.001: Application Layer Protocol: Web Protocols – Uses HTTP for C2 communication.
  • T1070.001: Indicator Removal on Host: File Deletion – Self-deletion of its executable.
  • T1036: Masquerading – Tricks the user by disguising itself as legitimate files.
  • T1055: Process Injection – Injects payloads into existing processes, such as Chrome.
  • T1027: Obfuscated Files or Information – Uses encrypted strings and RC4 encryption.
  • T1082: System Information Discovery – Generates HWID based on system information.

Indicators of Compromise:

  • [IP Address] 45.93.20.64
  • [IP Address] 91.92.46.133
  • [IP Address] 91.211.250.177
  • [Hash] 841d0ebecc7dc7b7e06433fcd0cbbec911fa127fee34bfc7c34c946f84aee1ef
  • [Hash] 83e88d4eaf52cdde6dc48343490b03e7bee74be3c1558e481c18ee61ae71607e


Full Story: https://medium.com/@traclabs_/autopsy-of-a-failed-stealer-stealc-v2-a4e32da04396?source=rss——reverse_engineering-5