
StealC Malware Analysis
What is StealC?
"Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline." - malpedia
Loader
Searching for StealC on MalwareBazaar, I found a 15 MB StealC sample; it is a 64-bit .NET assembly. It was heavily obfuscated, which made it hard to analyze, but after spotting the pattern I could write a custom C# script to deobfuscate it:

The thing is, (almost) every method in the executable calls a bunch of empty functions (they actually have 4 instructions each, but they do nothing):

and every time, it ends with a call to a different method from the start, which does exactly the same thing.

Using this information, I could deobfuscate it and reduce the file size to 7-8 MB, which made things easier (I didn't recover the whole control flow of the executable; I just removed these empty functions and all references to them).
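As an added example (not the author's script, which is not reproduced in the post), the following C# program uses dnlib to do the same two steps: find methods that do nothing, including ones whose only real instruction is a call to another do-nothing method, then overwrite every call to them with `nop` and drop their definitions. The junk-method heuristic (no parameters, void return, a body made only of side-effect-free instructions or calls to already-known junk) and the instruction allow-list are assumptions about the pattern and should be tuned to the sample at hand.

```csharp
// Added example, not the author's script: strip a chain of do-nothing "junk"
// methods from a .NET assembly with dnlib (https://github.com/0xd4d/dnlib).
// Assumptions (not taken from the post): a junk method has no parameters,
// returns void, and its body contains only side-effect-free instructions or
// calls to other junk methods. Adjust NoEffect/IsJunk to your own sample.
using System;
using System.Collections.Generic;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class JunkCallStripper
{
    // Opcodes that cannot change program state on their own.
    static readonly HashSet<Code> NoEffect = new HashSet<Code>
    {
        Code.Nop, Code.Ret, Code.Pop, Code.Ldnull,
        Code.Ldc_I4, Code.Ldc_I4_S, Code.Ldc_I4_0, Code.Ldc_I4_1
    };

    // A method is junk if every instruction is either side-effect free or a
    // call to a method already known to be junk (this handles the chains
    // where one empty method ends by calling the next one).
    static bool IsJunk(MethodDef m, HashSet<MethodDef> known)
    {
        if (!m.HasBody || m.IsConstructor) return false;
        if (m.MethodSig.Params.Count != 0) return false;
        if (m.ReturnType.ElementType != ElementType.Void) return false;
        if (m.Body.HasExceptionHandlers) return false;
        foreach (var ins in m.Body.Instructions)
        {
            if (NoEffect.Contains(ins.OpCode.Code)) continue;
            if (ins.OpCode == OpCodes.Call && ins.Operand is MethodDef t && known.Contains(t)) continue;
            return false;
        }
        return true;
    }

    static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: JunkCallStripper <in.exe> <out.exe>");
            return;
        }
        var module = ModuleDefMD.Load(args[0]);
        var all = module.GetTypes().SelectMany(t => t.Methods).Where(m => m.HasBody).ToList();

        // Fixpoint: each round may expose methods whose only non-trivial
        // instructions are calls to junk discovered in the previous round.
        var junk = new HashSet<MethodDef>();
        bool changed;
        do
        {
            changed = false;
            foreach (var m in all)
            {
                if (junk.Contains(m) || m == module.EntryPoint) continue;
                if (IsJunk(m, junk)) { junk.Add(m); changed = true; }
            }
        } while (changed);

        // Neutralise every call site. Overwrite with nop instead of deleting:
        // branch targets and handler ranges reference Instruction objects, so
        // removing an instruction could leave dangling references.
        int patched = 0;
        foreach (var m in all.Where(m => !junk.Contains(m)))
        {
            foreach (var ins in m.Body.Instructions)
            {
                if (ins.OpCode == OpCodes.Call && ins.Operand is MethodDef t && junk.Contains(t))
                {
                    ins.OpCode = OpCodes.Nop;
                    ins.Operand = null;
                    patched++;
                }
            }
        }

        // Drop the junk method definitions themselves to shrink the file.
        foreach (var m in junk) m.DeclaringType.Methods.Remove(m);

        module.Write(args[1]);
        Console.WriteLine($"nop'd {patched} call sites, removed {junk.Count} junk methods");
    }
}
```

Run it as `JunkCallStripper.exe sample.exe sample-clean.exe` and open the output in dnSpy or ILSpy to confirm that the remaining methods only contain the real logic. The `nop` padding left behind is harmless to decompilers and keeps the rewritten method bodies valid without having to fix up branch offsets.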
After all this deobfuscation, I found the important part in the tree177 method:

As you can see, even after removing all the empty functions, there is still one called from tree177:

which also calls Wrenly for decryption:

Of course, I didn't have to write new code to decrypt and save the binaries; I could just run it (in a VM) and dump the binaries after decryption. It drops 2 files: the first one is another 64-bit .NET assembly and the other is a 64-bit C++ compiled binary.
Checking the .NET assembly, it is just another highly obfuscated binary that the first loader uses to load the C++ compiled executable. Since that is all it does, I didn't bother deobfuscating it.
StealC
Now we are left with the actual stealer, which has a lot of functionality. I also uploaded the file to MalwareBazaar in case someone wants to check it out themselves, and I deobfuscated parts of the malware (not so clean, but still understandable); I will put a reference to it at the end of the page, so you can download it and examine it in Ghidra.
Static
The executable has 92 imports from kernel32, but only LoadLibraryA and GetProcAddress are used directly by the malware. It uses these two functions to load the other libraries and resolve the addresses of the functions it calls, which keeps the real API usage out of the import table; this only hides them from static analysis, the calls are still visible dynamically.
First Part

The malware starts by decrypting strings with a custom decryption routine, loading libraries, resolving function addresses and calling them in the stealthy way described above. I decrypted them and renamed the DATA labels; after all that, it checks the time and continues accordingly, so during dynamic analysis I manually changed the value to let it continue.
Second Part
This part of the malware is much more obfuscated and has more functionality (it is basically the main part).

It starts with the same technique as the first part, then asks the C2 for its configuration, which comes back as an encrypted string.

and the decrypted opcode can be:

In total: "success", "access token", "self delete", "take screenshot", "loader", "steal steam", "steal outlook", "browsers", "plugins", "files", "blocked".
The values are set accordingly, and it can do things like:


etc. I didn't list everything, but I resolved and decrypted every function/string I could and uploaded it to GitHub, in case someone wants to improve it further.