2025-12-22 (MONDAY): STEALC FROM FILES IMPERSONATING CRACKED VERSIONS OF POPULAR SOFTWARE

ASSOCIATED FILES:

• 2025-12-22-IOCs-for-StealC-infection.txt.zip   1.4 kB   (1,385 bytes)
• 2025-12-22-StealC-files.zip   20.2 MB   (20,183,148 bytes)
• 2025-12-22-traffic-from-StealC-infection.zip   46.2 MB   (46,246,925 bytes)

NOTES:

• We used to see Lumma Stealer from this type of download, but now it's StealC v2.

 

2025-12-22 (MONDAY): STEALC FROM FILES IMPERSONATING CRACKED VERSIONS OF POPULAR SOFTWARE

TRAFFIC LEADING TO THE INITIAL FILE DOWNLOAD:

- Page from site claiming to have cracked version of popular software
- hxxps[:]//gorcerie[.]com/the-impact-of-clear-excess-formats-on-business-performance-and-data-integrity/?[info removed]
- hxxps[:]//media.maxdatahost1[.]lat/share/download?AH2hSGmZbAUAWGgCAFVTFwASAAAAAADc/[name of software]&rar
- hxxps[:]//arch2.megafilehost8[.]mom/e/get/0dW2euBOrmIidUcl3Q7OBgzi/application.zip

EXAMPLE OF STEALC TRAFFIC AFTER RUNNING EXE EXTRACTED FROM THE DOWNLOADED FILE:

- hxxp[:]//37.221.66[.]166/4a815a53876a4172.php  <-- repeated HTTP POST requests

ASSOCIATED FILES

- SHA256 hash: fd885e2a9fa8b945850f42fe2a27fdd75b377c34b77b12af2366d38e90062af3
- File size: 15,228,803 bytes
- File name: application.7z
- File type: 7-zip archive data, version 0.4
- File description: Initial download, a password-protected 7-zip archive
- Password: 4650

- SHA256 hash: 8d46297b6191e44ff42975839bd767662622aed84e1d0025b05e171f55ff015e
- File size: 895,382,766 bytes
- File name: appFile.exe
- File type: PE32+ executable (GUI) x86-64, for MS Windows
- File description: Extracted from the 7-zip archive, an inflated 64-bit EXE padded with null bytes

- SHA256 hash: b2f7371fa7599c9e72d7e3f4129741b8d240a4b8b00e2e889835c57c66f21848
- File size: 30,796,046 bytes
- File type: PE32+ executable (GUI) x86-64, for MS Windows
- File description: The above 64-bit EXE with most of the null bytes removed

 

IMAGES

Shown above:  Example of page with URL to download the initial file.

 

Shown above:  Using the URL to download the initial file, a password-protected 7-zip archive.

 

Shown above:  Opening the password-protected 7-zip archive.

 

Shown above:  Characteristics of the inflated EXE within the 7-zip archive.

 

Shown above:  StealC traffic after running the inflated EXE.

 

Shown above:  TCP stream of the StealC traffic.

 

Click here to return to the main page.