Analytics Story: StealC Stealer

Description

StealC is a lightweight information-stealing malware primarily focused on harvesting browser-stored data. It targets popular browsers such as Chrome, Edge, Firefox, and Chromium-based variants to extract saved credentials, cookies, autofill data, browsing history, and session tokens. StealC abuses browser SQLite databases and encryption APIs to decrypt stored passwords, enabling account takeover and further compromise. The malware often runs silently in user context, evading detection through minimal footprint, obfuscation, and rapid data exfiltration to command-and-control servers. Detection typically involves monitoring unauthorized access to browser profile directories, suspicious process behavior interacting with browser credential stores, and outbound network traffic to known StealC infrastructure.

Why it matters

StealC emerged as a malware-as-a-service information stealer designed to give cybercriminals an easy, low-cost way to harvest sensitive user data. First observed in the wild in 2023, it gained popularity due to its simplicity, reliability, and focus on browser-stored information. StealC primarily targets credentials, cookies, and session data from widely used browsers, enabling account hijacking and follow-on attacks. Its modular design and frequent updates allow operators to adapt quickly, making StealC a common payload in phishing campaigns, cracked software installers, and malicious downloads distributed across multiple threat ecosystems.

Detections

| Name | Technique | Type |
|------|-----------|------|
| CMD Carry Out String Command Parameter | Windows Command Shell | Hunting |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly |
| Windows Chromium Browser with Custom User Data Directory | Virtualization/Sandbox Evasion | Anomaly |
| Windows Credential Access From Browser Password Store | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly |
| Windows MSIExec Remote Download | Msiexec | TTP |
| Windows MSIExec Spawn Discovery Command | Msiexec | TTP |
| Windows Non Discord App Access Discord LevelDB | Query Registry | Anomaly |
| Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Hunting |
| Windows Query Registry UnInstall Program List | Query Registry | Anomaly |
| Windows Screen Capture in TEMP folder | Screen Capture | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP |
| Windows Unsecured Outlook Credentials Access In Registry | Unsecured Credentials | Anomaly |
| Windows Unusual Process Load Mozilla NSS-Mozglue Module | CMSTP | Anomaly |
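The Description and the "Non Chrome Process Accessing Chrome Default Dir" / Chrome Login Data and LocalState detections above all rest on one idea: a process other than the browser itself reading credential-store files inside a browser profile directory. The following is an added example of that detection logic, not the story's own SPL: it runs over constructed file-access events (the `Key=Value|Key=Value` line format, the `alice` user, `setup.exe`, and all paths are made up for illustration) and flags accesses by non-owner processes for Chrome and Edge profiles.

```python
import re
from dataclasses import dataclass

# Maps the browser image that legitimately owns a profile directory to the
# path fragment identifying that directory (Chromium-family browsers named in the story).
BROWSER_STORES = {
    "chrome.exe": re.compile(r"\\Google\\Chrome\\User Data\\", re.IGNORECASE),
    "msedge.exe": re.compile(r"\\Microsoft\\Edge\\User Data\\", re.IGNORECASE),
}
# Credential-store artifacts that StealC-style stealers read from the profile.
CREDENTIAL_FILES = {"login data", "local state", "cookies", "web data"}

@dataclass
class FileEvent:
    event_id: int   # 4663 (Security object access) or 11 (Sysmon FileCreate)
    image: str      # full path of the accessing process
    target: str     # file the process touched

def parse_event(line: str) -> FileEvent:
    """Parse a constructed 'Key=Value|Key=Value' log line (hypothetical format)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return FileEvent(int(fields["EventID"]), fields["Image"], fields["TargetFilename"])

def owning_browser(target: str):
    """Return the browser image that owns the profile directory of `target`, or None."""
    for image, pattern in BROWSER_STORES.items():
        if pattern.search(target):
            return image
    return None

def is_suspicious(ev: FileEvent) -> bool:
    """True when a non-owner process touches a credential file in a browser profile."""
    owner = owning_browser(ev.target)
    if owner is None or ev.target.rsplit("\\", 1)[-1].lower() not in CREDENTIAL_FILES:
        return False
    return ev.image.rsplit("\\", 1)[-1].lower() != owner

def hunt(lines):
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

# Constructed sample events (not real telemetry); lines 2, 3 and 6 should alert.
SAMPLE_LOG = [
    r"EventID=4663|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"EventID=4663|Image=C:\Users\alice\AppData\Local\Temp\setup.exe|TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"EventID=11|Image=C:\Users\alice\AppData\Local\Temp\setup.exe|TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"EventID=4663|Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Preferences",
    r"EventID=4663|Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|TargetFilename=C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Cookies",
    r"EventID=4663|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetFilename=C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Cookies",
]
```

In production the owner allow-list needs tuning per environment (backup agents and EDR sensors legitimately read these files), which is why the story classifies these detections as Anomaly rather than TTP.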

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |


Source: GitHub | Version: 1