Technical Analysis of Marco Stealer

    Date: 02/06/2026

    Severity: High

    Summary

    Labz identified Marco Stealer in June 2025 as an information stealer that targets browser data, cryptocurrency wallets, and sensitive local and cloud files. It profiles each infected system by collecting hardware IDs, the OS version, the IP address, and geolocation details. The malware uses named pipes to coordinate communication between its internal components. To evade analysis, it decrypts its encrypted strings only at runtime and checks for analysis tools such as Wireshark, x64dbg, and Process Hacker. Exfiltrated data is encrypted with AES-256 and sent to the C2 servers in HTTP POST requests.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://217.156.50.228:8185/LoqnOOuuIsTIYfkrdsfL/eUelHAyY.exe

    http://107.189.25.189:49259/receive

    http://45.74.19.20:49259/receive

    Hashes (MD5):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://107.189.25.189:49259/receive"
      or url like "http://107.189.25.189:49259/receive"
      or siteurl like "http://107.189.25.189:49259/receive"
      or domainname like "http://217.156.50.228:8185/LoqnOOuuIsTIYfkrdsfL/eUelHAyY.exe"
      or url like "http://217.156.50.228:8185/LoqnOOuuIsTIYfkrdsfL/eUelHAyY.exe"
      or siteurl like "http://217.156.50.228:8185/LoqnOOuuIsTIYfkrdsfL/eUelHAyY.exe"
      or domainname like "http://45.74.19.20:49259/receive"
      or url like "http://45.74.19.20:49259/receive"
      or siteurl like "http://45.74.19.20:49259/receive"

    Detection Query 2:

    md5hash IN ("5eb91d1ad26c7eced894e34710aaa28e", "34deb6594098545d7ffb98844f0790bf", "3a3e8f6bc70748a39ffc047b3c86a665",
                "49ab8d4c55b7f64eaba699ef0dc9054b", "1042affb0ca6758ca0043112cdc7eda2", "661a5465d9a322276ebc414f39891a8b",
                "33dd8a5e234d911391cc8c301dc4a606", "028604d6aa556de2ae4ca6b31e600677", "a98fa5fba55e470750ae74186c15fa73")
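    As an added example (not part of this advisory and not Gurucul's TDIR code), the same two IOC checks applied to constructed proxy-log and file-event lines. It goes one step beyond the queries above: besides the exact URL match, it also matches the C2 host:port pair derived from the listed URLs, so a beacon to the same endpoint is still raised when the logged path or query string differs. The log formats and sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit
# IOCs copied from this advisory's IOC list.
IOC_URLS = {
    "http://217.156.50.228:8185/LoqnOOuuIsTIYfkrdsfL/eUelHAyY.exe",
    "http://107.189.25.189:49259/receive",
    "http://45.74.19.20:49259/receive",
}
IOC_MD5 = {
    "34deb6594098545d7ffb98844f0790bf", "3a3e8f6bc70748a39ffc047b3c86a665", "5eb91d1ad26c7eced894e34710aaa28e",
    "1042affb0ca6758ca0043112cdc7eda2", "a98fa5fba55e470750ae74186c15fa73", "33dd8a5e234d911391cc8c301dc4a606",
    "49ab8d4c55b7f64eaba699ef0dc9054b", "661a5465d9a322276ebc414f39891a8b", "028604d6aa556de2ae4ca6b31e600677",
}
# host:port pairs derived from the URLs, so a C2 hit is raised even if the logged path/query differs.
IOC_HOSTPORTS = {(urlsplit(u).hostname, urlsplit(u).port) for u in IOC_URLS}

def check_url(url):
    """Return why a URL matched an IOC, or None if it did not."""
    if url in IOC_URLS:
        return "exact IOC URL"
    p = urlsplit(url)
    return "IOC host:port" if (p.hostname, p.port) in IOC_HOSTPORTS else None

def check_md5(digest):
    # Case-insensitive: endpoint tools often log upper-case hex.
    return "IOC MD5" if digest.strip().lower() in IOC_MD5 else None

# Constructed sample lines (assumed formats): proxy "<ts> <src> <method> <url> <status>", file "<ts> <host> <path> md5=<hex>"
SAMPLE_PROXY = [
    "2026-06-02T10:01:05Z 10.0.0.15 POST http://107.189.25.189:49259/receive 200",
    "2026-06-02T10:01:09Z 10.0.0.15 POST http://45.74.19.20:49259/receive?id=1 200",
    "2026-06-02T10:02:11Z 10.0.0.22 GET http://example.com/index.html 200",
]
SAMPLE_FILES = [
    "2026-06-02T09:58:40Z WS-15 C:\\Users\\u\\Downloads\\eUelHAyY.exe md5=34DEB6594098545D7FFB98844F0790BF",
    "2026-06-02T09:59:02Z WS-22 C:\\Windows\\notepad.exe md5=0123456789abcdef0123456789abcdef",
]

def scan(proxy_lines, file_lines):
    """Return (timestamp, source, indicator, reason) for every IOC hit."""
    hits = []
    for line in proxy_lines:
        ts, src, _method, url, _status = line.split()
        why = check_url(url)
        if why:
            hits.append((ts, src, url, why))
    for line in file_lines:
        m = re.match(r"(\S+) (\S+) (.+) md5=([0-9A-Fa-f]{32})$", line)
        if m and check_md5(m.group(4)):
            hits.append((m.group(1), m.group(2), m.group(3), "IOC MD5"))
    return hits
```

    Running scan(SAMPLE_PROXY, SAMPLE_FILES) yields three hits: the exact /receive beacon, the same endpoint with a query string, and the downloaded executable whose MD5 is on the list.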

    Reference:

    https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer#introduction
