I StealC You: Tracking the Rapid Changes to StealC

    Date: 05/02/2025

    Severity: Medium

    Summary

    The report examines the rapid evolution of the StealC malware, with a focus on version 2 (released in March 2025). Notable upgrades include a streamlined C2 protocol, RC4 encryption, and new payload delivery options such as MSI packages and PowerShell scripts. A revamped control panel enables tailored payload deployment based on geolocation, HWID, and installed software. Enhanced capabilities like multi-monitor screenshots, a unified file grabber, and server-side credential brute-forcing underscore StealC V2’s increased sophistication and threat potential.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://45.93.20.64/c090b39aa5004512.php

    http://45.93.20.28/3d15e67552d448ff.php

    http://88.214.48.93/ea2cb15d61cc476f.php

    Hash

    0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c

    e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3

    a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385

    27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc

    dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4

    87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "http://88.214.48.93/ea2cb15d61cc476f.php" or siteurl like "http://88.214.48.93/ea2cb15d61cc476f.php" or url like "http://88.214.48.93/ea2cb15d61cc476f.php" or domainname like "http://45.93.20.28/3d15e67552d448ff.php" or siteurl like "http://45.93.20.28/3d15e67552d448ff.php" or url like "http://45.93.20.28/3d15e67552d448ff.php" or domainname like "http://45.93.20.64/c090b39aa5004512.php" or siteurl like "http://45.93.20.64/c090b39aa5004512.php" or url like "http://45.93.20.64/c090b39aa5004512.php"

    Detection Query 2

    sha256hash IN ("0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c","27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc","87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f","e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3","a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385","dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4")
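The two detection queries above match the indicators as literal strings. As an added illustration (not part of this advisory and not Gurucul or Zscaler code), the Python below applies the same URL and SHA-256 indicator sets to constructed proxy and EDR log lines, with two practitioner adjustments that the raw queries do not show: URLs are canonicalised (lowercase host, query string and trailing slash dropped) so a beacon with an appended parameter still matches, and hashes are compared case-insensitively. The optional `host_only` mode, which flags any URL on an indicator host regardless of path, is an assumption about how one might broaden coverage, not something the advisory states; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC list in this advisory.
IOC_URLS = {
    "http://45.93.20.64/c090b39aa5004512.php",
    "http://45.93.20.28/3d15e67552d448ff.php",
    "http://88.214.48.93/ea2cb15d61cc476f.php",
}
IOC_SHA256 = {
    "0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c",
    "e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3",
    "a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385",
    "27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc",
    "dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4",
    "87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f",
}


def normalize_url(url: str) -> str:
    """Canonicalise a URL to lowercase host plus path, dropping scheme,
    query string and trailing slash, so that a request such as
    'HTTP://45.93.20.64/c090b39aa5004512.php?id=7' still matches the
    bare indicator string."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    return host + parts.path.rstrip("/")


IOC_URL_KEYS = {normalize_url(u) for u in IOC_URLS}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

URL_RE = re.compile(r"https?://[^\s\"'<>,]+", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def match_line(line: str, host_only: bool = False) -> list:
    """Return (indicator_type, value) pairs found in one log line.
    host_only=True (an assumption, see lead-in) also flags any URL on an
    indicator host regardless of path: broader coverage if the panel path
    changes, more false positives if the host is shared."""
    hits = []
    for url in URL_RE.findall(line):
        if normalize_url(url) in IOC_URL_KEYS:
            hits.append(("url", url))
        elif host_only and urlsplit(url).hostname in IOC_HOSTS:
            hits.append(("host", urlsplit(url).hostname))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    return hits


def scan(lines, host_only: bool = False) -> list:
    """Run match_line over an iterable of log lines and return
    (line_number, hits) for every line with at least one hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = match_line(line, host_only)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log lines (not from the advisory): a proxy request
# with a query string and uppercase scheme, an EDR file event with an
# uppercase hash, benign traffic, and a URL on an indicator host with a
# different path.
SAMPLE_LOGS = [
    "2025-05-02T10:01:12Z proxy src=10.0.0.15 method=POST url=HTTP://45.93.20.64/c090b39aa5004512.php?id=7 status=200",
    "2025-05-02T10:01:15Z edr host=WS-07 event=file_write path=C:\\Users\\Public\\update.msi sha256=0B921636568EE3E1F8CE71FF9C931DA5675089BA796B65A6B212440425D63C8C",
    "2025-05-02T10:02:00Z proxy src=10.0.0.15 method=GET url=https://example.com/index.php status=200",
    "2025-05-02T10:02:30Z proxy src=10.0.0.22 method=GET url=http://88.214.48.93/other.php status=404",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
    print("with host_only:", [n for n, _ in scan(SAMPLE_LOGS, host_only=True)])
```

With the constructed lines, the strict scan flags lines 1 and 2 only; the fourth line, on an indicator host but a different path, is reported only when `host_only` is enabled. That trade-off (path-exact matching misses a re-deployed panel path, host matching catches it at the cost of false positives on shared infrastructure) is the decision to make before turning a literal IoC query into a standing detection rule.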

    Reference:  

    https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc#indicators-of-compromise--iocs-


    Tags

    Malware, STEALC, Credential Theft
