StealC Stealer

Hello, I noticed a change in the stealer that was not yet covered by the rules. Here I propose a rule for the check-in, regardless of whether the server answers yes or no. The detection conditions I propose are the boundary, the number of bytes in hwid, and the two minus characters at the end of the POST request. If you see fit, you can add a user agent; it is still the same as for the URI. Here are two samples with different "test" and "roza" builds.

alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Win32/Stealc (Check-In)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Type: multipart/form-data|3b| boundary="; pcre:"/^[a-zA-Z0-9]{20}\r/R"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"--"; depth:2; content:"|0d0a|Content-Disposition: form-data|3b| name=|22|hwid|22 0d0a 0d0a|"; distance:20; within:49; content:"==|0d0a|--"; distance:30; within:6; content:"|0d0a|Content-Disposition: form-data|3b| name=|22|build|22 0d0a 0d0a|"; distance:20; within:50; content:"--"; distance:4; content:"--"; distance:20; within:2; isdataat:!3,relative; threshold:type limit,track by_dst,seconds 300,count 1; reference:md5,26f5d78873413d9682031d39733ae5bd; reference:url,app.any.run/tasks/a9908b18-0302-4d20-8349-6aca4db61e98; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Stealc, created_at 2023_08_10; classtype:command-and-control; sid:1; rev:1;)
# Optional, if you see fit (the user agent is the same as for the URI); add before http.request_body:
# http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| InfoPath.1)";

I also have a completely detonated sample which, as it seemed to me, even looks like a loader. You can write a lot of rules from it, good luck!

Best regards, Jane!

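As an added illustration (not code from Jane's post or from the ET ruleset), the following Python builds a check-in request with the body layout the rule above pins down and then re-checks it against the same conditions, so the byte arithmetic (20-byte boundary, 30 base64 characters plus "==" for hwid, a build name of at least 4 bytes, the closing "--" after the last boundary, no Referer header) can be exercised offline. The boundary, hwid bytes, Host header and the request URI are constructed or assumed values, and the regex is slightly stricter than the rule in two places noted in the comments.

```python
# Added example, not code from the original post or from the ET ruleset.
# Emulates the proposed check-in rule's conditions in Python so the
# byte arithmetic can be checked offline.  Boundary, hwid bytes, Host and
# the URI are constructed/assumed values.
import base64
import re

UA = b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
CT_PREFIX = b"multipart/form-data; boundary="

# Layout the rule's content/distance/within chain pins down:
#   --<20 alnum>\r\n<CD hwid>\r\n\r\n<30 base64 chars>==\r\n--<20>\r\n<CD build>\r\n\r\n<build>\r\n--<20>--[\r\n]
# Two additions over the rule: the base64 alphabet is checked and all three
# boundaries must agree (the rule only counts 20 bytes each time).
BODY_RE = re.compile(
    rb"\A--(?P<b>[A-Za-z0-9]{20})\r\n"
    rb'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    rb"(?P<hwid>[A-Za-z0-9+/]{30}==)\r\n"          # distance:30; within:6 for "==\r\n--"
    rb"--(?P=b)\r\n"
    rb'Content-Disposition: form-data; name="build"\r\n\r\n'
    rb"(?P<build>[^\r\n]{4,})\r\n"                # "--" at distance:4 => build is >= 4 bytes
    rb"--(?P=b)--(?:\r\n)?\Z"                     # isdataat:!3,relative => at most 2 bytes after "--"
)


def build_checkin(boundary, hwid_raw, build, user_agent=UA, referer=None):
    """Constructed sample request in the shape the rule describes."""
    body = (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="hwid"\r\n\r\n' + base64.b64encode(hwid_raw) + b"\r\n"
        + b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="build"\r\n\r\n' + build + b"\r\n"
        + b"--" + boundary + b"--\r\n"
    )
    headers = [
        b"POST /loghub/master HTTP/1.1",  # URI assumed for illustration
        b"Host: 192.0.2.1",               # documentation address, not a real C2
        b"Content-Type: " + CT_PREFIX + boundary,
        b"User-Agent: " + user_agent,
        b"Content-Length: " + str(len(body)).encode(),
    ]
    if referer is not None:
        headers.append(b"Referer: " + referer)
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def matches_checkin_rule(request, require_ua=False):
    """Apply the rule's conditions to a raw request; return the extracted
    fields on a match, None otherwise."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"referer" in headers:                      # http.header_names; content:!"Referer|0d 0a|"
        return None
    ctype = headers.get(b"content-type", b"")
    boundary = ctype[len(CT_PREFIX):]
    if not ctype.startswith(CT_PREFIX) or not re.fullmatch(rb"[A-Za-z0-9]{20}", boundary):
        return None                                # pcre:"/^[a-zA-Z0-9]{20}\r/R"
    if require_ua and headers.get(b"user-agent") != UA:
        return None                                # the optional http.user_agent check
    m = BODY_RE.fullmatch(body)
    if m is None or m.group("b") != boundary:
        return None
    return {"boundary": boundary, "hwid": base64.b64decode(m.group("hwid")), "build": m.group("build")}


# Constructed sample: 22 raw hwid bytes encode to exactly 32 base64 chars ending in "==".
HWID_RAW = bytes(range(22))
SAMPLE = build_checkin(b"Ab3dEf6hIj9kLm2nOp5q", HWID_RAW, b"test")

if __name__ == "__main__":
    print(matches_checkin_rule(SAMPLE, require_ua=True))
```

Running the script prints the boundary, the decoded 22-byte hwid and the build name; a request with a Referer header, a boundary that is not exactly 20 alphanumerics, or an hwid that does not end in "==" after 30 characters returns None, which mirrors where the rule's `within`/`distance` chain would stop matching.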

Please let me make a point here.

The IOC "http://193.233.254.61/loghub/master" has been observed in PrivateLoader detonations in the last few days; you can check it in public detonations with the tags "privateloader" and "mystic".
It was submitted to ThreatFox on 2023-07-20 06:37:23 as "Mystic Stealer".

I don't know about traffic analysis; the expert on this matter is Jane, and I should trust her work and statements based on her knowledge of this matter.

I believe this is not StealC but Mystic Stealer, based on the C2 panels and past telemetry.

On June 9th, Mystic Stealer announced a big update to its source code, which also affected its behaviour.
Source: Telegram channel @mysticstealer_channel
StealC, meanwhile, hasn't had an update since July 6th (Telegram channel @stealc_changelog).

It is probable that Mystic Stealer now has a very similar log exfiltration to StealC, but this in fact doesn't make these stealers the same. Also, StealC never had a C2 panel where they upload logs.

If we go back to the IOC http://193.233.254.61/loghub/master (or other IOCs like http://193.233.49.38/loghub/master), a C2 panel is present at /login/?next=/
(screenshot: https://pbs.twimg.com/media/F3Mr4OGXIAEXK9s?format=jpg&name=4096x4096)

The same panel was reported as a Mystic Stealer panel by other threat intel people (1) R. on Twitter: "Recent Active #Mystic Stealer #C2 Panel hxxp://23.163.0.179/login/ hxxp://43.154.7.225/login/ hxxp://95.216.32.74/login/ hxxp://135.181.47.95/login/ hxxp://188.40.116.251/login/ cc: @ViriBack @abuse_ch https://t.co/NYzmljVPsA" and is being tracked by the ViriBack C2 Tracker, so this can't be StealC.

I want to note this is a very dramatic change in Mystic Stealer, because exfiltration went from (PID 2492)
ANY.RUN analysis of File_pass1234.7z (MD5: 4483D5690270B7692A1AEF79ACF05EF7)

to this ANY.RUN analysis of 25e9cb490bf3e68f03053981715cbe0c17bfae17d529d9fe6a5a4e2852ad3101.zip (MD5: FDD9B3D10A7BD1A68A045052F9082063)

What I believe: same threat.

Please use and refer to (Mystic new variant) the ANY.RUN analysis of 25e9cb490bf3e68f03053981715cbe0c17bfae17d529d9fe6a5a4e2852ad3101.zip (MD5: FDD9B3D10A7BD1A68A045052F9082063) and StealC (PID 1480) (ANY.RUN analysis of https://toar.com.br/wp-content/uploads/File_pass1234.7z)

Although we can see very similar behaviour, let's lay out the clear differences:
StealC requests .dlls from the C2
StealC uses a .php URI for exfiltration
Mystic traffic is encrypted (on StealC we can clearly read Content-Disposition: form-data; name="message")

Maybe there's more; they really look the same, but I believe they are not. Maybe the developers of those malwares know each other? That's a statement I can't verify.

The two minus characters at the end of the POST are the same for both, but StealC uses 6 at the beginning and Mystic only 2. I don't know about the boundary and the number of bytes in hwid.

The loader look of the builds can be summed up as a feature of this stealer, which is presented to the public as a loader and morpher in its builds.

I just want to know the thoughts of the ET team and, with the rules written by Jane, add a new detection for Mystic Stealer without overlapping with another big threat, which is StealC.

I should have reported that new behaviour before ^^

I’ll translate:
“The client communicates with the server through a proprietary protocol over TCP, all traffic is encrypted.”
One address is not necessarily one malware.
Thanks for the discussion.


Hey @Jane0sint @g0njxa, this is some great discussion. I believe this may be Stealc based on the C2 responses I'm seeing in some of our internal pcaps. I looked for traffic that contained the same URI /loghub/master and found these additional C2 hosts.

193.233.254.61
89.23.103.80
193.233.49.38
94.23.247.129
188.40.116.251
208.91.189.184

Of these hosts only two still had C2 panels up, which is the same panel that was attributed to Mystic here and here.

hxxp://89.23.103[.]80/login/?next=/
hxxp://94.23.247[.]129/login/?next=/

The reason I think it is StealC is that if I compare the C2 traffic in my pcap to the traffic in this blog, the decoded base64 C2 response matches the StealC format of '|'-delimited values. I borrowed some screenshots from the blog to show a comparison with my pcap.

Here is a screenshot of StealC traffic from the blog:

Here is what the traffic from my pcap looks like, along with the base64-decoded C2 response:

Base64: T0sNCmI5NTZhYTlmMGE0NTFmODUzYmVhM2VhMWNiMDUyNDUxZGYyZjhmMmU2MTNkMTcwNzJiNGE3ODU5NGZjYmQzZjh8MXwxfDF8MXwxfDF8MXwxfDF8MQ==

Decoded:
b956aa9f0a451f853bea3ea1cb052451df2f8f2e613d17072b4a78594fcbd3f8|1|1|1|1|1|1|1|1|1|1

The blog continues and shows a secondary C2 response that decodes to a list of browser data to steal.
From the blog:

From my pcap, along with the base64-decoded response:
Base64: 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

Decoded base64:
OK Google Chrome|%localappdata%\Google\Chrome\User Data|Microsoft Edge|%localappdata%\Microsoft\Edge\User Data|Chromium|%localappdata%\Chromium\User Data|Opera|%localappdata%\Opera Software|ChromePlus|%localappdata%\MapleStudio\ChromePlus\User Data|Irpathium|%localappdata%\Irpathium\User Data|7Star|%localappdata%\7Star\7Star\User Data|CentBrowser|%localappdata%\CentBrowser\User Data|Chedot|%localappdata%\Chedot\User Data|Vivaldi|%localappdata%\Vivaldi\User Data|Kometa|%localappdata%\Kometa\User Data|Elements Browser|%localappdata%\Elements Browser\User Data|Epic Privacy Browser|%localappdata%\Epic Privacy Browser\User Data|Uran|%localappdata%\uCozMedia\Uran\User

The matching admin panel is definitely interesting and muddies the water quite a bit. Let me know if I've overlooked anything, but I'll get these sigs in today as StealC; we can always update the name if needed!

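As an added example (not tooling from the post, ANY.RUN or ET), here is a small decoder for the two kinds of base64 C2 response shown above, split on the '|' delimiter that the reply uses to tie the traffic to StealC. The check-in response string is the one pasted above; the browser-list response is a shortened constructed stand-in, re-encoded from the first two entries of the decoded text because the post's copy is truncated. The thread does not say what the 64-hex-character token or the ten "1" flags mean, so the code only extracts them.

```python
# Added example, not code from the original post or from ET/ANY.RUN tooling.
# Decodes the base64 C2 replies shown in the thread and splits the
# '|'-delimited payloads into structured values.
import base64

# Check-in response exactly as pasted in the post above.
CHECKIN_RESPONSE_B64 = (
    "T0sNCmI5NTZhYTlmMGE0NTFmODUzYmVhM2VhMWNiMDUyNDUxZGYyZjhmMmU2MTNkMTcw"
    "NzJiNGE3ODU5NGZjYmQzZjh8MXwxfDF8MXwxfDF8MXwxfDF8MQ=="
)

# Constructed stand-in for the second response: the post's decoded copy is
# truncated, so the first two browser entries are re-encoded in the same
# "OK name|path|name|path" shape.
BROWSER_LIST_B64 = base64.b64encode(
    b"OK Google Chrome|%localappdata%\\Google\\Chrome\\User Data"
    b"|Microsoft Edge|%localappdata%\\Microsoft\\Edge\\User Data"
)


def split_response(b64):
    """Base64-decode a C2 reply and split off the leading status token.

    Returns (status, fields).  Both replies above start with "OK", followed
    either by "\\r\\n" (check-in) or a space (browser list) before the
    '|'-delimited payload; anything else is returned unparsed.
    """
    text = base64.b64decode(b64).decode("ascii")
    if not text.startswith("OK"):
        return text, []
    payload = text[2:].lstrip(" \r\n")
    return "OK", payload.split("|")


def parse_checkin_response(b64):
    """Check-in reply: 64 hex characters, then one flag per '|' field.
    The meaning of the token and flags is not stated in the thread."""
    status, fields = split_response(b64)
    if status != "OK" or len(fields) < 2:
        return None
    token, flags = fields[0], fields[1:]
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        return None
    return {"token": token, "flags": [f == "1" for f in flags]}


def parse_browser_list(b64):
    """Browser-list reply: alternating display name and profile path."""
    status, fields = split_response(b64)
    if status != "OK" or len(fields) % 2:
        return None
    return list(zip(fields[0::2], fields[1::2]))


if __name__ == "__main__":
    print(parse_checkin_response(CHECKIN_RESPONSE_B64))
    for name, path in parse_browser_list(BROWSER_LIST_B64):
        print(f"{name:16} {path}")
```

The odd-field check in `parse_browser_list` is what catches a truncated capture like the one pasted above: a reply cut mid-path leaves an unpaired name, and the function returns None rather than a mismatched table.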

@Jane0sint

2047625 - ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
2047626 - ET MALWARE Win32/Amadey Payload Request (GET) M1
2047627 - ET MALWARE Win32/Amadey Payload Request (GET) M2

Have a great weekend everyone! :sunny:


Sorry to open this crate again, but I want to add this research from Zscaler from October regarding Mystic Stealer

Mystic Stealer Revisited | ThreatLabz (zscaler.com)

We were not that far off :slight_smile:

I assume you don’t have a mystic without /loghub/master?

I have nothing, and I don't want anything to be modified; I just read that and wanted to share it here because it is a more up-to-date analysis than the ones we were looking at in August.

Have a nice day!

This is not good. The simplest solution would be to process the URI and add tags based on it, and do both Stealc/Vidar and Stealc/Mystic.

Hi, can I ask you to add a link to this discussion in rule 2047625?

reference:url,community.emergingthreats.net/t/purelogs-stealer/;

Hi Jane, updated signatures will go out today!

JT
