
Threat Intel Report: Oski / Stealc Stealer — Analyzing a Credential-Stealing Trojan via ANY.RUN & VirusTotal


Platform: CyberDefenders
Challenge: Oski
Category: Threat Intelligence
Difficulty: Easy
Tools: VirusTotal, ANY.RUN, MalConf
Achievement: Proof of Completion

1. Executive Summary

Incident Type: Credential Stealer / Information Theft Trojan

Malware Family: Stealc (Oski lineage)

An accountant at the target company received a phishing email with the subject “Urgent New Order.” The attached invoice file appeared to be a PowerPoint presentation, but it triggered the download of a malicious executable. The SIEM flagged the download event, and subsequent investigation revealed the file was a Stealc information stealer — a commodity malware sold on underground forums that specifically targets browser credentials, cookies, crypto wallets, and other sensitive data.

This lab uses cloud-based threat intelligence platforms (VirusTotal and ANY.RUN) rather than local reverse-engineering, reflecting the real-world workflow of a Tier-1 SOC analyst: pivot off a file hash, correlate behavioral reports, and extract actionable intelligence without ever needing to execute the sample locally.

Screenshot: CyberDefenders Oski lab page showing the challenge overview, the scenario description, and the associated MITRE ATT&CK tactics (Initial Access, Execution, Defense Evasion, Credential Access, Command and Control, Exfiltration).

Indicators of Compromise (IOCs)

Type | Indicator | Description
MD5 | 12c1842c3ccafe7408c23ebf292ee3d9 | Stealc sample (VPN.exe)
SHA-256 | a040a0af8697e30506218103074c7d6ea77a84ba3ac1ee5efae20f15530a19bb | Stealc sample (VPN.exe)
SHA-1 | 4b1af84cc11a8b1e290a18a4222a49526eeadd10 | Stealc sample (VPN.exe)
IPv4 | 171.22.28.221 | C2 server
URL | http://171.22.28.221/5c06c05b7b34e8e6.php | C2 callback endpoint (PHP gate)
URL | http://171.22.28.221/9e226a84ec50246d/sqlite3.dll | First dependency download (sqlite3.dll)
Encryption key | 5329514621441247975720749009 | RC4 key for configuration strings and C2 traffic
File name | VPN.exe | Filename on disk at time of execution
Self-delete | timeout /t 5 & del /f /q "...\VPN.exe" & del "C:\ProgramData\*.dll" & exit | Cleanup command run after exfiltration

MITRE ATT&CK Mapping Overview

Tactic | Technique | ID
Defense Evasion | Masquerading | T1036
Defense Evasion | Indicator Removal: File Deletion | T1070.004
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003
Credential Access | Credentials from Password Stores | T1555
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003
Command and Control | Application Layer Protocol: Web Protocols | T1071.001
Exfiltration | Exfiltration Over C2 Channel | T1041

2. Phase 1: Malware Creation Time (Q1)

Objective: Determine the creation time of the malware using static analysis data from the ANY.RUN sandbox report.

The lab provides a hash.txt file containing the MD5 hash of the suspicious binary: 12c1842c3ccafe7408c23ebf292ee3d9. This is our primary pivot point for platform lookups. Searching this hash on ANY.RUN reveals a public sandbox report with full static information.

Q1: What was the time of malware creation?

Findings:

Screenshot: ANY.RUN Static Information panel for the sample. TRiD file type: Win32 executable (MS Visual C++), Win64 generic. EXIF fields: MachineType Intel 386 or later and compatibles; TimeStamp 2022:09:28 17:40:46+00:00 (highlighted); ImageFileCharacteristics No relocs, Executable, 32-bit; PEType PE32; LinkerVersion 10; CodeSize 240640.

The ANY.RUN Static Information panel provides the PE header EXIF data extracted directly from the binary. The TimeStamp field reads: 2022:09:28 17:40:46+00:00.

The +00:00 suffix confirms this is already in UTC — no timezone conversion is needed.

Additional static attributes worth noting:

Field | Value | Significance
MachineType | Intel 386+ | 32-bit x86 image; runs natively on 32-bit Windows and under WOW64 on 64-bit Windows
PEType | PE32 | Standard 32-bit PE format
ImageFileCharacteristics | No relocs, Executable, 32-bit | Relocation table stripped, so the image cannot be rebased and ASLR cannot apply to it
LinkerVersion | 10 | Linker 10.0, i.e. a Visual Studio 2010-era toolchain
CodeSize | 240,640 bytes | Compact for a full-featured stealer

A stripped relocation table ("No relocs") means the loader can only map the image at its preferred base address, so ASLR never applies to this binary even if the DYNAMICBASE flag were set. Malware authors rarely care: ASLR is a defense for the binary's own process against memory-corruption exploits, and a stealer that reads credential databases from disk gains nothing from it. For the analyst the consequence is convenient: every address seen in a disassembler or debugger matches what runs on the victim, which makes static analysis and cross-referencing of decrypted strings easier.

Analyst Note:
PE timestamps can be forged by malware authors to mislead analysts. However, when the timestamp is consistent with other intelligence (compilation artifacts, first submission dates, code maturity), it provides a reasonable approximation of when the sample was built. Cross-reference with first submission dates on VirusTotal and MalwareBazaar for corroboration.
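To show where that TimeStamp comes from, here is an added Python example (not part of the lab or the original post) that reads the COFF file header directly and applies the plausibility check from the note above. It builds its own minimal PE skeleton in memory with the lab's values, so it runs offline; the first-seen date it compares against is the sandbox run date visible later in this report (24.09.2023), standing in for the VirusTotal first-submission date you would normally use.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits behind ANY.RUN's "No relocs, Executable, 32-bit"
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}


def build_min_pe(timestamp: int, machine: int = 0x014C, characteristics: int = 0x0103) -> bytes:
    """Constructed sample: a minimal, non-runnable PE skeleton carrying the COFF fields
    this example reads. Layout: 64-byte DOS header whose e_lfanew (offset 0x3C) points
    at the "PE\\0\\0" signature, followed by the 20-byte COFF file header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack(
        "<HHIIIHH",
        machine,          # Machine
        1,                # NumberOfSections
        timestamp,        # TimeDateStamp: seconds since 1970-01-01 UTC
        0, 0,             # PointerToSymbolTable, NumberOfSymbols
        0xE0,             # SizeOfOptionalHeader (PE32)
        characteristics,  # Characteristics
    )
    return bytes(dos) + b"PE\0\0" + coff


def coff_header(data: bytes) -> dict:
    """Parse the COFF file header the way a sandbox's static-information panel does."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature at e_lfanew")
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsec,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        # Without a relocation table the loader cannot move the image, so ASLR cannot apply.
        "rebasable": not (chars & 0x0001),
    }


def timestamp_plausible(compile_time: datetime, first_seen: datetime) -> bool:
    """A compile time later than the sample's first public sighting was forged or written
    by a skewed clock; one before 2000 is implausible for an MSVC 10 binary."""
    return datetime(2000, 1, 1, tzinfo=timezone.utc) <= compile_time <= first_seen


# Constructed to mirror the lab's static info: i386, no relocs, built 2022-09-28 17:40:46 UTC.
SAMPLE_TS = int(datetime(2022, 9, 28, 17, 40, 46, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_min_pe(SAMPLE_TS)
# Sandbox run date from the ANY.RUN process view (24.09.2023), used here as a stand-in
# for the VirusTotal first-submission date that would normally be the upper bound.
SAMPLE_FIRST_SEEN = datetime(2023, 9, 24, tzinfo=timezone.utc)

if __name__ == "__main__":
    hdr = coff_header(SAMPLE_PE)
    print(hdr["timestamp"].strftime("%Y-%m-%d %H:%M:%S UTC"), hdr["machine"], hdr["characteristics"])
    print("rebasable:", hdr["rebasable"], "plausible:", timestamp_plausible(hdr["timestamp"], SAMPLE_FIRST_SEEN))
```

The TimeDateStamp is a plain 32-bit Unix epoch value, which is why the sandbox shows it with a +00:00 offset and no conversion is needed. Point `coff_header` at the bytes of a real sample and compare the result with the first-submission date from VirusTotal; a compile time after the first sighting is the classic sign of a forged stamp.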

Answer Q1:

2022-09-28 17:40


3. Phase 2: C2 Server Identification (Q2 & Q3)

Objective: Identify the Command and Control server the malware communicates with, and determine the first library it requests post-infection.

Q2: Which C2 server does the malware in the PPT file communicate with?

Q3: What is the first library that the malware requests post-infection?

Findings:

Screenshot: VirusTotal Relations tab for VPN.exe (SHA-256 a040a0af...) with a 61/72 detection score. Contacted URLs (2): http://171.22.28.221/5c06c05b7b34e8e6.php (scanned 2026-03-30, 16/95 detections) and http://171.22.28.221/9e226a84ec50246d/sqlite3.dll (scanned 2025-06-23, 11/97 detections). Tags: peexe, checks-cpu-name, spreader, self-delete, idle, malware, detect-debug-environment, cve-2016-0101, exploit.

The VirusTotal Relations tab reveals exactly two contacted URLs — both pointing to the same infrastructure:

URLDetectionsPurpose
http://171.22.28.221/5c06c05b7b34e8e6.php16/95Primary C2 callback endpoint — receives stolen data
http://171.22.28.221/9e226a84ec50246d/sqlite3.dll11/97First library download — SQLite3 DLL for parsing browser databases

This two-URL structure shows Stealc's operational model clearly:

  1. Stage 1, C2 registration: on first execution, VPN.exe beacons to the .php endpoint, registers the victim, and receives a configuration payload with its targeting parameters.
  2. Stage 2, first library request: the malware then downloads sqlite3.dll. Chromium-based browsers (Chrome, Edge, Brave, Opera) keep saved logins and cookies in SQLite databases (Login Data, Cookies), and Firefox keeps cookies and history in SQLite as well (its logins live in logins.json); the stealer needs a SQLite engine to read those files.
  3. Stage 3, data exfiltration: harvested credentials, session cookies and system information are RC4-encrypted and POSTed back to the same PHP gate.

For Q2 — C2 Server:
The full C2 URL is http://171.22.28.221/5c06c05b7b34e8e6.php.

For Q3 — First Library:
The first library requested post-infection is sqlite3.dll, downloaded from http://171.22.28.221/9e226a84ec50246d/sqlite3.dll. Rather than bundling sqlite3.dll inside the executable (which would make it more easily signatured and increase file size), Stealc downloads it at runtime from the C2 server — a technique that keeps the initial dropper lean and avoids including easily-detected libraries in the file.

MITRE ATT&CK Reference:
The C2 callback maps to T1071.001 — Application Layer Protocol: Web Protocols. Stealc uses HTTP (not HTTPS) for C2 — meaning the traffic is unencrypted at the transport layer, even though the payload is RC4-encrypted (see Phase 3). This creates a detection opportunity: HTTP POST requests to a bare IP address with a hex-string PHP filename should be considered highly suspicious in enterprise environments.

Detection Opportunity:
Both URLs are flagged by 11 to 16 vendors, so they appear in most commercial threat-intel feeds. Block 171.22.28.221 at the perimeter firewall and the web proxy immediately; a DNS sinkhole does not help here, because the malware connects to a bare IP and never resolves a name. Query your SIEM for all historical connections to this IP to identify every potentially compromised host.

Answer Q2:

http://171.22.28.221/5c06c05b7b34e8e6.php

Answer Q3:

sqlite3.dll


4. Phase 3: RC4 Encryption Key (Q4)

Objective: Extract the RC4 key used by the malware to decrypt its base64-encoded configuration string, as shown in the ANY.RUN MalConf report.

Q4: What RC4 key is used by the malware to decrypt its base64-encoded string?

Findings:

Screenshot: ANY.RUN Malware Configuration panel, section "Stealc". Fields: (PID) Process: (3484) VPN.exe; C2: http://171.22.28.221/5c06c05b7b34e8e6.php; Keys: RC4 5329514621441247975720749009 (highlighted); Strings (298), including: " & del "C:\ProgramData\*.dll" & exit.

The ANY.RUN MalConf (Malware Configuration) panel automatically parses the extracted Stealc configuration from the running process (PID 3484, VPN.exe):

FieldValue
PID/Process(3484) VPN.exe
C2http://171.22.28.221/5c06c05b7b34e8e6.php
RC4 Key5329514621441247975720749009
Cleanup String" & del "C:\ProgramData\*.dll" & exit

RC4 in Stealc:
Stealc uses RC4 (Rivest Cipher 4) to decrypt its base64-encoded configuration strings at runtime. This serves two purposes:

  1. Obfuscation: The C2 URL, target file paths, and string constants are stored encrypted in the binary — making static analysis harder and bypassing simple string-based YARA rules
  2. Traffic encryption: The RC4 key also encrypts the exfiltrated data payload before it is POSTed to the PHP gate

RC4 is a weak cipher (its keystream has well-documented biases and it provides no integrity protection), but malware authors keep using it because it is a few dozen lines to implement, costs almost nothing at runtime, and is enough to defeat casual string dumping and network inspection. For a defender the weakness is an advantage: with the key (5329514621441247975720749009) in hand, captured HTTP POST bodies from infected hosts can be decrypted to establish exactly what was stolen, provided the capture includes the request bodies and not only flow metadata.
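An added Python example, not code from the post or from Stealc itself, that implements the base64-then-RC4 layering described above and checks the cipher against the public RC4 test vector before trusting it. The obfuscated sample blob is constructed here by encrypting the report's C2 URL with the recovered key; strings pulled from the binary or POST bodies carved from a PCAP would replace it.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + pseudo-random generation). Encrypt and decrypt are
    the same operation, which is why one recovered key unlocks both directions."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA, XORed with the input
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_self_test() -> bool:
    """Public test vector: RC4("Key", "Plaintext") == BBF316E8D940AF0AD3."""
    return rc4(b"Key", b"Plaintext").hex().upper() == "BBF316E8D940AF0AD3"


def decode_string(key: bytes, blob: str) -> bytes:
    """Undo the layering of a Stealc-style obfuscated string: base64 outside, RC4 inside."""
    return rc4(key, base64.b64decode(blob))


def encode_string(key: bytes, plaintext: bytes) -> str:
    """Inverse of decode_string; used only to construct sample data offline."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


RC4_KEY = b"5329514621441247975720749009"   # from the ANY.RUN MalConf panel

# Constructed sample: the report's C2 URL, obfuscated the way the config stores it.
C2_URL = b"http://171.22.28.221/5c06c05b7b34e8e6.php"
SAMPLE_BLOB = encode_string(RC4_KEY, C2_URL)

if __name__ == "__main__":
    assert rc4_self_test(), "RC4 implementation does not match the test vector"
    print("blob:", SAMPLE_BLOB)
    print("decoded:", decode_string(RC4_KEY, SAMPLE_BLOB).decode())
```

Because RC4 has no integrity check, a wrong key does not raise an error; it yields garbage. When working from captured traffic, validate the output (printable ASCII, a URL or JSON structure) rather than trusting that decryption "succeeded".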

Forensic Note:
The cleanup string visible in the MalConf panel, del "C:\ProgramData\*.dll", is the first hint of Stealc's anti-forensics behavior. After exfiltration the malware deletes the DLL dependencies it downloaded (sqlite3.dll among them) from the root of C:\ProgramData. Note that del without /s does not recurse, and the wildcard is indiscriminate: any other DLL sitting in that directory root is deleted as well. Either way, the on-disk artifacts left after infection are greatly reduced.

Answer Q4:

5329514621441247975720749009


5. Phase 4: MITRE ATT&CK — Credential Theft Technique (Q5)

Objective: Identify the main MITRE ATT&CK technique (not sub-techniques) the malware uses to steal the user’s password, as shown in the ANY.RUN sandbox report.

Q5: What is the main MITRE technique (not sub-techniques) the malware uses to steal the user’s password?

Findings:

Screenshot: ANY.RUN MITRE ATT&CK matrix for the sample (Tactics 5, Techniques 10, Events 11362) with columns for Initial access, Execution, Persistence, Privilege escalation, Defense evasion, Credential access, Discovery, Lateral movement, Collection, C&C, Exfiltration and Impact. A technique pop-up is open for T1555, "Credentials from Password Stores", with the description "Adversaries may search for common password storage locations to obtain user credentials", Permissions required: Administrator, and a sub-technique dropdown showing "Credentials from Web Browsers".

The ANY.RUN MITRE ATT&CK matrix has been clicked on the Credential Access column, revealing the technique detail popup for T1555 — Credentials from Password Stores.

The popup shows:

  • Technique: T1555 — “Credentials from Password Stores”
  • Description: “Adversaries may search for common password storage locations to obtain user credentials… Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.”
  • Sub-technique dropdown: “Credentials from Web Browsers” (T1555.003)
  • Permissions required: Administrator

The question asks for the main technique (not sub-techniques) — the answer is T1555.

What T1555 means for Stealc in practice:

Stealc’s credential theft works by systematically targeting every credential storage location on the victim system:

  • Browser saved passwords: Chromium-based browsers (Chrome, Edge) keep them in the SQLite Login Data database, which is why sqlite3.dll is the first downloaded dependency; Firefox keeps them in logins.json with the decryption key in key4.db (itself SQLite). Chromium encrypts the stored values with DPAPI, or with an AES key that is itself DPAPI-protected in Local State, so the stealer must run in the victim's user context to unprotect them
  • Browser cookies/sessions: Session tokens for webmail, banking, social media — importable into attacker browsers to take over authenticated sessions without knowing passwords
  • Browser autofill: Names, addresses, credit card numbers stored by browser autocomplete
  • Cryptocurrency wallet extensions: MetaMask, Phantom, Coinbase Wallet — storing wallet seeds in browser profile directories
  • Password manager browser extensions: If any are installed, their locally cached data may be accessible

The reason T1555.003 (Credentials from Web Browsers) is the sub-technique, while T1555 is the parent, is that Stealc doesn’t limit itself only to browsers — it targets any credential storage it can access.

MITRE ATT&CK Reference:
T1555, Credentials from Password Stores, is the primary technique; its tactic is Credential Access. The dependency on sqlite3.dll is what makes sub-technique T1555.003 so precise: the major browsers keep their credential and cookie stores in SQLite files, and Stealc leans on that shared design choice to harvest from all of them with one engine.

Answer Q5:

T1555


6. Phase 5: DLL Deletion Target Directory (Q6)

Objective: Identify the directory the malware targets for deletion of all DLL files, as visible in the ANY.RUN child process analysis.

Q6: Which directory does the malware target for the deletion of all DLL files?

Findings:

Screenshot: ANY.RUN process analysis with a "Malicious activity" header. Main process VPN.exe (MD5 12C1842C3CCAFE7408C23EBF292EE3D9, start 24.09.2023 00:17, total time 64 s, tags: stealc, stealer, loader, oski). Child process cmd.exe (PID 2780) with command line "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\admin\AppData\Local\Temp\VPN.exe" & del "C:\ProgramData\*.dll" & exit. The process details panel shows the full command and the T1059.003 Windows Command Shell warning "Uses TIMEOUT.EXE to delay execution".

The ANY.RUN process tree reveals the complete cleanup command executed by Stealc after data exfiltration. VPN.exe (PID 3484) spawns cmd.exe (PID 2780) with the following command line:

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\admin\AppData\Local\Temp\VPN.exe" & del "C:\ProgramData\*.dll" & exit

Breaking down the command:

Command component | Purpose
timeout /t 5 | Wait 5 seconds so that VPN.exe has fully exited before deletion begins
del /f /q "...\AppData\Local\Temp\VPN.exe" | Delete the main executable; /f forces deletion even if the read-only attribute is set, /q suppresses the wildcard confirmation prompt
del "C:\ProgramData\*.dll" | Delete every DLL in the root of C:\ProgramData (no /s, so subdirectories are untouched)
exit | Terminate the cmd.exe process itself

For Q6 — the target directory:
The command del "C:\ProgramData\*.dll" confirms the malware targets C:\ProgramData for DLL deletion. This is where Stealc downloads and temporarily stores its dependency DLLs (including sqlite3.dll) during the credential theft phase. Post-exfiltration, it deletes everything from that directory to eliminate forensic evidence.

C:\ProgramData is a deliberate choice: its root is writable by standard users (the Users group has create-file rights there), so the malware can stage its DLLs without elevation, and the directory is shared by all accounts on the machine rather than tied to one user profile.

Forensic Indicator:
Do not read the absence of DLLs in C:\ProgramData as evidence of anything; legitimate software seldom drops DLLs in that root, so an empty root is the normal state. Look instead for the creation and deletion of sqlite3.dll (and other stealer dependencies) there within the same minute: the NTFS USN journal ($UsnJrnl) and $MFT records keep those events after the file is gone, Windows Security Event ID 4663 records the delete if a SACL is configured on the directory, and Sysmon Event ID 23 (FileDelete, with the file archived) or 26 (FileDeleteDetected) records it when Sysmon is configured to watch that path.

Answer Q6:

C:\ProgramData


7. Phase 6: Self-Delete Timer (Q7)

Objective: Determine how many seconds the malware waits before self-deleting after successfully exfiltrating data.

Q7: After successfully exfiltrating the user’s data, how many seconds does it take for the malware to self-delete?

Findings (from the same process screenshot above):

The answer is directly visible in the cmd.exe command line shown in the process details panel:

timeout /t 5 & del /f /q ...

The timeout /t 5 argument instructs Windows’ built-in TIMEOUT.EXE to wait exactly 5 seconds before the subsequent deletion commands execute. The ANY.RUN process details panel explicitly flags this with the warning: “Uses TIMEOUT.EXE to delay execution” (mapped to T1059.003 — Windows Command Shell).

Why 5 seconds?

The timeout delay works around a basic problem with self-deletion: a running executable is mapped into memory as an image section, and Windows refuses to delete a file that is mapped this way. If VPN.exe tried to del VPN.exe while still executing, the deletion would fail (typically with an access-denied or sharing-violation error) until the process exits and the mapping is released.

Stealc’s solution:

  1. Spawn cmd.exe as a child process with the cleanup command
  2. VPN.exe exits — releasing the file handle on VPN.exe
  3. cmd.exe waits 5 seconds to ensure the parent is fully terminated and file handles are released
  4. cmd.exe then successfully deletes VPN.exe and all DLL files
  5. cmd.exe exits itself

This is a textbook anti-forensics technique that leaves minimal on-disk artifacts. A post-infection investigation of the disk would find no malicious executable — making it significantly harder to determine what ran, when, and what data was stolen.

MITRE ATT&CK Reference:
This maps to T1070.004, Indicator Removal: File Deletion. Combined with the DLL cleanup, Stealc removes its own executable and the dependencies it downloaded within 5 seconds of finishing its data theft. That removes the file artifacts, not the evidence: process, network and file-system telemetry recorded while it ran is unaffected.

Defender Note:
Despite self-deletion, the behavior trail remains in EDR telemetry: process creation logs (Sysmon Event ID 1, Windows Security Event ID 4688), network flow or proxy logs showing the HTTP POST to the C2, and file deletion events (Sysmon Event ID 23 or 26). This is why behavioral logging is non-negotiable: the binary being gone does not mean the investigation is over.
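The cleanup chain from Phases 5 and 6 can be turned into a detection. The following is an added Python example, not code from the post: it parses a cmd.exe command line as it would appear in a Sysmon Event ID 1 record, extracts the timeout delay and the deletion targets, and flags the self-delete pattern when a del target is the parent process's own image. The two events are constructed to mirror the ANY.RUN process tree; real input would be the CommandLine, Image and ParentImage fields of your process-creation events.

```python
import ntpath
import re

TIMEOUT_RE = re.compile(r"\btimeout\b\s+/t\s+(\d+)", re.I)
# del [/flags...] "path" or del [/flags...] path, terminated by '&' or end of line
DEL_RE = re.compile(r'\bdel\b((?:\s+/\w)*)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)

# Constructed Sysmon Event ID 1 fields mirroring the ANY.RUN process tree
SAMPLE_EVENT = {
    "ParentImage": r"C:\Users\admin\AppData\Local\Temp\VPN.exe",
    "Image": r"C:\Windows\System32\cmd.exe",
    "CommandLine": (r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & '
                    r'del /f /q "C:\Users\admin\AppData\Local\Temp\VPN.exe" & '
                    r'del "C:\ProgramData\*.dll" & exit'),
}
# Constructed benign event: an installer script that waits but deletes nothing
BENIGN_EVENT = {
    "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    "Image": r"C:\Windows\System32\cmd.exe",
    "CommandLine": r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & echo done',
}


def analyze_cleanup_cmdline(cmdline: str) -> dict:
    """Pull the delay and every del target out of a cmd.exe command line."""
    m = TIMEOUT_RE.search(cmdline)
    deletes = [target.strip() for _flags, target in DEL_RE.findall(cmdline)]
    # Directories wiped with a *.dll wildcard, as in del "C:\ProgramData\*.dll"
    dll_wipe_dirs = sorted({ntpath.dirname(t) for t in deletes if t.lower().endswith("*.dll")})
    return {
        "delay_seconds": int(m.group(1)) if m else None,
        "deleted_paths": deletes,
        "dll_wipe_dirs": dll_wipe_dirs,
    }


def is_self_delete(event: dict) -> bool:
    """cmd.exe, a timeout, and a del whose target is the parent's own image on disk.
    del is a cmd.exe built-in, so timeout.exe is the only child process you will see."""
    if ntpath.basename(event["Image"]).lower() != "cmd.exe":
        return False
    r = analyze_cleanup_cmdline(event["CommandLine"])
    parent = event["ParentImage"].lower()
    return r["delay_seconds"] is not None and any(p.lower() == parent for p in r["deleted_paths"])


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, BENIGN_EVENT):
        print(analyze_cleanup_cmdline(ev["CommandLine"]), "self-delete:", is_self_delete(ev))
```

Matching the del target against ParentImage rather than against a fixed filename is what keeps the rule useful across variants: the dropper's name changes from campaign to campaign, but a child cmd.exe that waits and then deletes its parent's executable does not.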

Answer Q7:

5


8. Full Attack Chain Summary

Phase | Kill chain stage | Technique | Evidence
1 | Delivery | Phishing email with malicious invoice attachment | "Urgent New Order" lure targeting an accountant
2 | Execution | User executes VPN.exe | Masqueraded as VPN software (T1036)
3 | C2 registration | HTTP beacon to .php gate | http://171.22.28.221/5c06c05b7b34e8e6.php
4 | First library request | Downloads sqlite3.dll from C2 | Required for browser database parsing (first library post-infection)
5 | Credential theft | Browser / password store harvesting | T1555, Credentials from Password Stores
6 | Data exfiltration | RC4-encrypted POST to C2 | Key: 5329514621441247975720749009
7 | DLL cleanup | Deletes DLLs from C:\ProgramData | del "C:\ProgramData\*.dll"
8 | Self-delete | Removes VPN.exe after a 5-second delay | timeout /t 5 & del /f /q (T1070.004)

9. Remediation & Mitigation Recommendations

Immediate Response

  • Block 171.22.28.221 at perimeter firewall (all ports/protocols)
  • Search SIEM for all historical connections to 171.22.28.221 — every host that connected is potentially compromised
  • Force password resets for all accounts logged into the compromised machine — credentials are already exfiltrated
  • Invalidate browser sessions by revoking session cookies for critical services (email, VPN, cloud accounts, banking)
  • Alert the crypto team if any cryptocurrency wallet browser extensions were accessible on the infected machine

Detection Rules

  • Alert on HTTP POST to bare IP addresses using hex-string PHP filenames (e.g., matching /[a-f0-9]{16}\.php)
  • Alert on downloads of sqlite3.dll from external/non-trusted sources to C:\ProgramData
  • Alert on cmd.exe launched with /c and a command line containing both timeout and del, especially when a del target matches the parent process's image path; del is a cmd.exe built-in, so the observable child process is timeout.exe, and this chain is a high-confidence Stealc indicator
  • Monitor C:\ProgramData for DLL creation followed by deletion within 60–120 seconds
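As an added Python example (not from the post), the first two rules above run over a few constructed proxy-log lines, with a correlation step that marks a client as compromised when it both posted to a hex-named PHP gate on a bare IP and then fetched sqlite3.dll from a bare IP, which is the sequence seen in Phase 2. The log format and the use of "bare IP" as the untrusted-source criterion are assumptions of the example; a real deployment would take the field layout from the proxy's own schema and the source criterion from its allowlist.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

HEX_PHP_GATE = re.compile(r"^/[a-f0-9]{16}\.php$")
SQLITE_DROP = re.compile(r"/sqlite3\.dll$", re.I)

# Constructed proxy log lines: timestamp client method url status bytes
SAMPLE_LOG = """\
2026-04-05T10:14:02Z 10.20.3.17 POST http://171.22.28.221/5c06c05b7b34e8e6.php 200 912
2026-04-05T10:14:03Z 10.20.3.17 GET http://171.22.28.221/9e226a84ec50246d/sqlite3.dll 200 1482752
2026-04-05T10:14:05Z 10.20.3.17 GET https://www.example.com/index.php 200 5120
2026-04-05T10:14:07Z 10.20.3.42 POST https://sso.example.com/auth/callback.php 302 0
2026-04-05T10:14:09Z 10.20.3.42 GET http://cdn.example.org/assets/sqlite3.dll 200 1482752
"""


def is_bare_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str) -> list:
    """Return the names of the rules a single proxy-log line trips."""
    _ts, _client, method, url, _status, _size = line.split()
    u = urlsplit(url)
    host = u.hostname or ""
    hits = []
    # Rule 1: cleartext POST to a bare IP, path of 16 hex characters + .php (the gate naming)
    if u.scheme == "http" and method == "POST" and is_bare_ip(host) and HEX_PHP_GATE.match(u.path):
        hits.append("stealc_gate_post")
    # Rule 2: sqlite3.dll fetched from an untrusted source (approximated here as a bare IP)
    if SQLITE_DROP.search(u.path) and is_bare_ip(host):
        hits.append("sqlite3_dll_from_ip")
    return hits


def run_rules(log: str) -> list:
    """Evaluate every line and collect the ones that matched at least one rule."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        hits = classify(line)
        if hits:
            fields = line.split()
            alerts.append({"ts": fields[0], "client": fields[1], "url": fields[3], "rules": hits})
    return alerts


def compromised_clients(alerts: list) -> list:
    """High confidence: the same client tripped both rules (gate beacon, then DLL fetch)."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["client"], set()).update(a["rules"])
    return sorted(c for c, rules in seen.items() if {"stealc_gate_post", "sqlite3_dll_from_ip"} <= rules)


if __name__ == "__main__":
    alerts = run_rules(SAMPLE_LOG)
    for a in alerts:
        print(a)
    print("compromised:", compromised_clients(alerts))
```

Either rule alone is noisy enough to page nobody at 3 a.m.; the correlation across both within a short window is what turns two medium-confidence signals into a host you isolate. Feed it historical proxy data as well as live data, since the Immediate Response section's "find every host that connected" step is exactly this query over the past weeks.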

Long-Term Hardening

  • Email filtering: Block or sandbox archive attachments from external senders containing executables
  • Web proxy: Log full request URLs for cleartext HTTP and deny direct-to-IP HTTP egress by default; the C2 callback here needs no deep packet inspection to be seen, only a proxy that records where unencrypted requests go
  • Credential Manager: Discourage browser-saved passwords; deploy a corporate password manager with centralized control
  • MFA everywhere: Even if credentials are stolen, MFA prevents account takeover
  • EDR coverage: Ensure full process creation, file, and network telemetry on all endpoints

10. Conclusion

The Oski/Stealc lab reinforces a core truth about commodity malware: simplicity is a feature, not a bug. Stealc needs neither zero-day exploits nor sophisticated obfuscation to be effective. The whole ANY.RUN run, from execution to self-deletion, fits inside the sandbox's 64-second window:

  1. Leverages a trusted application name (VPN.exe) to bypass user suspicion
  2. Downloads a single legitimate library (sqlite3.dll) at runtime — avoiding bundling detectable dependencies
  3. Exfiltrates RC4-encrypted credentials to a raw IP address PHP gate
  4. Self-deletes and cleans up all evidence within 5 seconds of exfiltration

By the time most automated alerts fire, the damage is done and the malware is gone. This is why the SOC’s response velocity and pre-positioned detection rules matter more than reactive incident response.

Key Takeaways for the SOC:

  1. Creation timestamps anchor the threat timeline. Knowing a sample was compiled in September 2022 helps correlate it with known campaigns and threat actor activity from that period.
  2. The first library download is a signature behavior. Any process downloading sqlite3.dll from an external IP should trigger an immediate alert — this behavioral indicator survives hash changes across Stealc variants.
  3. Self-deleting malware still leaves traces. Focus on network logs, process creation events, and memory forensics. The binary being gone doesn’t mean the investigation is over — behavioral telemetry persists even when files don’t.

Analysis Date: April 5, 2026
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.