StilachiRAT analysis: From system reconnaissance to cryptocurrency theft | Microsoft Security Blog

In November 2024, Microsoft Incident Response uncovered StilachiRAT, a remote access trojan that employs sophisticated evasion techniques and data exfiltration capabilities, targeting sensitive information such as credentials, digital wallet data, and clipboard contents. StilachiRAT establishes command-and-control connectivity with remote servers, and Microsoft has issued guidance to bolster defenses against this growing threat. Affected: Microsoft environments, users of Google Chrome and cryptocurrency wallets.

Key points:

  • StilachiRAT is a novel remote access trojan discovered by Microsoft in November 2024.
  • The RAT employs sophisticated techniques for evading detection and persistently residing in affected environments.
  • It is capable of exfiltrating sensitive user data, including browser credentials and cryptocurrency wallet information.
  • StilachiRAT establishes command-and-control connectivity over TCP ports 53, 443, or 16000.
  • The malware can execute a wide range of commands, including credential theft, system reboots, and log clearing.
  • Microsoft has not attributed StilachiRAT to any specific threat actor as of now.
  • Mitigation guidance has been shared to help defend against this threat.
  • Anti-forensics techniques employed by StilachiRAT include event log clearing and sandbox evasion.
  • Microsoft recommends security hardening measures to prevent initial compromises.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: StilachiRAT communicates over TCP ports 53, 443, or 16000 for C2 connectivity, avoiding detection.
  • T1060 – Registry Run Keys / Startup Folder: StilachiRAT ensures persistence by modifying Windows services and using watchdog threads.
  • T1135 – Network Share Discovery: The malware monitors RDP sessions for lateral movement and exploits privileges for user impersonation.
  • T1083 – File and Directory Discovery: It gathers system information, including OS details and running applications, for profiling the target.
  • T1583 – Acquire Infrastructure: The malware establishes connections with its C2 servers for executing commands.
  • T1027 – Obfuscated Files or Information: StilachiRAT uses API-level obfuscation techniques to evade analysis and detection.

Indicators of Compromise:

  • [SHA-256] 394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb – WWStartupCtrl64.dll
  • [IP Address] 194.195.89[.]47 – C2 server IP address
  • [Domain] app.95560[.]cc – C2 server domain
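The indicators above are published defanged (`[.]` in place of `.`), so they have to be normalised before they can be matched against telemetry. The following is an added example, not code from the Microsoft post: a small Python matcher that refangs the page's three indicators, scans log lines for the hash, IP and domain, and separately flags hits that coincide with the C2 ports the post names (53, 443, 16000). The log lines and their field names (`src=`, `dst=`, `dport=`, `query=`, `sha256=`) are constructed for this example and do not come from the post or from any real incident.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicators exactly as the summary lists them (defanged).
PAGE_IOCS: Dict[str, List[str]] = {
    "sha256": ["394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb"],
    "ip": ["194.195.89[.]47"],
    "domain": ["app.95560[.]cc"],
}
# C2 ports named in the summary.
C2_PORTS: Set[int] = {53, 443, 16000}

# Constructed sample telemetry (not from the post): proxy, DNS and EDR lines.
SAMPLE_LOGS: List[str] = [
    "2025-03-17T10:02:11Z proxy src=10.1.2.3 dst=194.195.89.47 dport=443 bytes=5120",
    "2025-03-17T10:02:15Z dns query=app.95560.cc rcode=NOERROR answer=194.195.89.47",
    "2025-03-17T10:03:01Z edr image=C:\\ProgramData\\WWStartupCtrl64.dll "
    "sha256=394743DD67EB018B02E069E915F64417BC1CD8B33E139B92240A8CF45CE10FCB",
    "2025-03-17T10:04:44Z proxy src=10.1.2.9 dst=93.184.216.34 dport=443 bytes=800",
    "2025-03-17T10:05:02Z proxy src=10.1.2.3 dst=194.195.89.47 dport=16000 bytes=240",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
PORT_RE = re.compile(r"\bdport=(\d+)")


@dataclass
class Hit:
    line_no: int          # 1-based index into the scanned lines
    kind: str             # "ip", "domain" or "sha256"
    value: str            # the refanged indicator that matched
    port: Optional[int]   # destination port on that line, if the line carries one


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator can be matched literally."""
    return (indicator.replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http")
            .lower())


def build_iocs(raw: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang every indicator and index it by kind for O(1) lookups."""
    return {kind: {refang(v) for v in values} for kind, values in raw.items()}


def scan(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Return every indicator hit found in the given log lines."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()  # hashes and domains are compared case-insensitively
        port_m = PORT_RE.search(low)
        port = int(port_m.group(1)) if port_m else None
        for ip in IP_RE.findall(low):
            if ip in iocs["ip"]:
                hits.append(Hit(n, "ip", ip, port))
        for digest in SHA256_RE.findall(low):
            if digest in iocs["sha256"]:
                hits.append(Hit(n, "sha256", digest, port))
        for domain in iocs["domain"]:
            # Require the domain to stand alone, so "xapp.95560.cc" would not match.
            if re.search(r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])", low):
                hits.append(Hit(n, "domain", domain, port))
    return hits


def c2_port_hits(hits: List[Hit]) -> List[Hit]:
    """Subset of hits whose destination port is one of the summary's C2 ports."""
    return [h for h in hits if h.port in C2_PORTS]


if __name__ == "__main__":
    iocs = build_iocs(PAGE_IOCS)
    found = scan(SAMPLE_LOGS, iocs)
    for h in found:
        flag = " [C2 port]" if h.port in C2_PORTS else ""
        print(f"line {h.line_no}: {h.kind} {h.value} port={h.port}{flag}")
```

Matching the hash is exact; matching the IP and domain is only as good as the telemetry's coverage, so in practice the same matcher would be run over proxy, DNS and endpoint sources together, as the constructed sample does.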


Full Story: https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/