SonicWALL Inc.

11/04/2024 | Press release | Distributed by Public on 11/05/2024 02:40

Stealc Malware Checks Everything — Even the Screen Resolution

Summary

This week, the SonicWall Capture Labs threat research team reviewed a sample of Stealc malware, an infostealer that digs through a victim’s system to extract credentials from browsers, cryptocurrency wallets and fileshare servers. It monitors processes, keystrokes, active windows and mouse clicks, disables security applications, and changes network settings to allow proxy connections. System hardware and Windows settings are enumerated in full, down to the resolution of the monitor.

Technical Overview

Static file identification reports a standard executable with no packer or protector. The ‘.text’ section, however, is in fact packed.

[Link]

Figure 1: Initial file detection

[Link]

Figure 2: Main section of the executable (.text) is packed
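As an added example that is not part of the SonicWall write-up, the following Python script performs the check behind Figure 2 on any PE file: it walks the DOS header, PE header and section table, reports the Shannon entropy of each section's raw bytes, and flags executable sections whose bytes are near-uniform (the statistical signature of packed or encrypted code). The test PE it assembles, its contents and the 7.0-bit threshold are assumptions for illustration; pointing `pe_sections()` at the real sample's bytes reproduces the check.

```python
import math
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF spec (winnt.h IMAGE_SCN_*).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

# Entropy above this (bits per byte, maximum 8.0) is the usual packed/encrypted threshold (assumed).
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table; one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, _va, raw_size, raw_ptr, _preloc, _plines,
         _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "characteristics": chars,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def packed_code_sections(data: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of executable sections whose raw bytes look packed or encrypted."""
    return [s["name"] for s in pe_sections(data)
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= threshold]


def build_test_pe(sections) -> bytes:
    """Assemble a minimal PE from (name, payload, characteristics) tuples.
    Constructed purely as parser input: it is not loadable and contains no real code."""
    opt_size = 224                                   # PE32 optional header size; contents zeroed
    file_align, sect_align = 0x200, 0x1000
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + file_align - 1) & ~(file_align - 1)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, body, va = b"", b"", sect_align
    for name, payload, chars in sections:
        raw_size = (len(payload) + file_align - 1) & ~(file_align - 1)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(payload), va, raw_size, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += payload + bytes(raw_size - len(payload))
        va += (raw_size + sect_align - 1) & ~(sect_align - 1)
    header = dos + b"PE\0\0" + coff + bytes(opt_size) + table
    return header + bytes(raw_ptr - len(header)) + body


# Constructed stand-ins: a uniformly distributed ".text" (what packed or encrypted code looks
# like statistically) and a plain-text ".rdata" with the byte skew of ordinary program data.
PACKED_TEXT = bytes(range(256)) * 16
PLAIN_RDATA = b"This is ordinary, readable section data. " * 40
SAMPLE_PE = build_test_pe([
    (".text", PACKED_TEXT, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", PLAIN_RDATA, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for s in pe_sections(SAMPLE_PE):
        print(f"{s['name']:<8} raw={s['raw_size']:>6} entropy={s['entropy']:.3f}")
    print("packed executable sections:", packed_code_sections(SAMPLE_PE))
```

The check keys on the executable flag rather than the section name because packers routinely rename or add sections; a high-entropy section that is also mapped executable is the combination worth a closer look, whatever the identification tool reports for the file as a whole.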

Much of the program’s string data is stored obfuscated and is only decoded at runtime, as shown below; once the sample is loaded into a debugger and run, the decoded strings become visible. While the ‘resources’ section of the file is identified as being in Turkish, the strings there are simply encoded, not localized text. Beyond obfuscation, Stealc has a number of evasive capabilities, including extended sleeps, processor feature checks, debugger checks, and locale and system time checks. It also calls VirtualProtect to set up guard pages at runtime.

[Link]

Figure 3: Obfuscated section of code

System queries begin with a locale check, performed through WMI, svchost and several API calls inside the program itself. This is followed by a complete enumeration of system hardware, software, user accounts, network connections and configuration, and registry keys.

The following items are specifically targeted:

  • Browsers: Internet Explorer, Firefox, Chrome, Opera, Brave
  • Wallets: Monero
  • SaaS: Azure, AWS
  • Programs: Word, Outlook, FileZilla, OneDrive, Steam, Telegram, Pidgin, Discord
  • Archive types: zip, zoo, arc, lzh, arj, gz, tgz, tox

During execution, test keys are written to the registry. If that succeeds, the test keys are deleted and the “valid” keys are written. Stealc enumerates the system through standard calls (QueryInformationVolume, QueryNameInformationFile, GetSystemInfo) and also searches the registry for entries under the ‘\Microsoft\Windows\CurrentVersion\Uninstall\’ node, which lists installed programs.

[Link]

[Link]

Figures 4, 5: IP address, generated URL and malware agent name

While the malware carries a hardcoded IP address in the file, it can also generate URLs. During testing, the generated URL was ‘http://62.204.41.177/edd20096ecef326d.php’.

[Link]

Figure 6: SQL command for URL selection

PowerShell command strings capable of initiating a network connection were found in the sample, though their use was not observed during testing.

[Link]

Figure 7: PowerShell command string for downloading

The IP address contacted by the malware was still up at the time of this alert, answering a multipart/form-data POST request that carries the following fields:

  • boundary=----BKJEGDGIJECGCBGCHDG
  • name="hwid"
  • name="build", with the value default9_cap

The response was ‘YmxvY2s=’, which is base64 for “block”.
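The exchange described above, as an added example that is not part of the SonicWall write-up: the script serializes the hwid/build check-in as a multipart/form-data body, parses such a body back into fields (as a detection engineer would from a proxy log or pcap extract), recognizes the hwid/build pair that marks this check-in, and decodes the base64 reply. The field names, the build value and the reply are from the capture above; the hwid value is constructed, and the exact number of leading hyphens in the boundary is an assumption, since the capture's dashes were mangled in publishing. Nothing here opens a network connection.

```python
import base64
import re

# Boundary as captured in the POST; the count of leading hyphens is assumed (the published
# capture mangled them). Field names and the build value are from the capture.
BOUNDARY = "----BKJEGDGIJECGCBGCHDG"
BUILD_TAG = "default9_cap"
# Field pair a Stealc-style first check-in carries; used as the detection predicate below.
CHECKIN_FIELDS = {"hwid", "build"}


def build_checkin(fields: dict, boundary: str = BOUNDARY) -> bytes:
    """Serialize name/value pairs as a multipart/form-data body (RFC 7578 framing)."""
    out = bytearray()
    for name, value in fields.items():
        out += (f"--{boundary}\r\n"
                f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                f"{value}\r\n").encode()
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def boundary_from_content_type(content_type: str):
    """Pull the boundary parameter (quoted or bare) out of a Content-Type header value."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    return m.group(2) if m else None


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Recover name -> value from a multipart body, tolerating malformed parts."""
    fields = {}
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):               # closing delimiter "--boundary--"
            break
        head, sep, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            continue                             # no header/body separator: skip the part
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n").decode("utf-8", "replace")
    return fields


def is_stealc_style_checkin(fields: dict) -> bool:
    """True when the body carries the hwid/build pair seen in the sample's first POST."""
    return CHECKIN_FIELDS <= set(fields)


def decode_response(raw: bytes) -> str:
    """The C2 replies in base64; the captured reply 'YmxvY2s=' decodes to 'block'."""
    return base64.b64decode(raw, validate=True).decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed hardware ID; a real sample derives it from the victim machine.
    body = build_checkin({"hwid": "0123ABCD", "build": BUILD_TAG})
    content_type = f"multipart/form-data; boundary={BOUNDARY}"
    fields = parse_multipart(body, boundary_from_content_type(content_type))
    print("fields:", fields)
    print("stealc-style check-in:", is_stealc_style_checkin(fields))
    print("server reply:", decode_response(b"YmxvY2s="))
```

For hunting, run `parse_multipart()` over POST bodies extracted from web-proxy or IDS captures and alert on `is_stealc_style_checkin()` together with the fixed boundary string; the boundary alone is a brittle indicator, since it can change between builds, while the hwid/build field pair is the more stable part of the check-in.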

SonicWall Protections

To ensure SonicWall customers are protected against this threat, the following signature has been released:

  • MalAgent.StealC

IOCs

  • 251e991954be6fe306415a868e7b5fce
  • http://62.204.41.177

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.