#ShortAndMalicious: StrelaStealer aims for mail credentials

DCSO CyTec Blog
4 min readNov 8, 2022
Strela surface-to-air missile launcher (Source: Wikipedia)

In our newest category #ShortAndMalicious DCSO CyTec aims to briefly highlight new and interesting samples we come across in our daily hunt for malware.

For the first entry in the series, we take a brief look at an undocumented custom malware we have been analysing under the moniker “StrelaStealer” (“Стрела” == arrow) which appears to be purpose-built to steal mail login data.

PDB path contained in StrelaStealer samples

DCSO CyTec first discovered StrelaStealer early November 2022 distributed via ISO files with what appears to be Spanish targets based on used lure documents. It is unclear at this point in time if StrelaStealer is part of a targeted attack.

Blog authored by Johann Aydinbas and Axel Wauer.

Execution via polyglot

StrelaStealer samples are distributed in ISO files with varying content. In one instance, StrelaStealer uses a renamed msinfo32.exe to sideload StrelaStealer as slc.dll. Another, more interesting variant distributes StrelaStealer as a DLL/HTML polyglot.

Polyglots files are files that are valid as two or more different file formats. In this case, StrelaStealer uses a file that is both valid as a DLL as well as an HTML page.

Execution of StrelaStealer via polyglot

The ISO file contains two files, one Factura.lnk and the polyglot x.html file. The LNK file then executes x.html twice, once as a DLL and a second time as an HTML file.

Parsed LNK file — command to execute the polyglot

Inspecting x.html then shows that it simply contains HTML code appended to the DLL file:

Appended HTML code

Double-clicking it opens the browser and displays the lure document:

Lure document rendered by Firefox

Malware analysis

StrelaStealer samples are DLL files, with the main functionality triggered by calling its main export function named Strela or s. While its code is not obfuscated, strings are encrypted with a cyclic xor with a hardcoded key:

Hardcoded xor key

Once executed, StrelaStealer attempts to locate and steal mail login data from Thunderbird and Outlook.

For Thunderbird, StrelaStealer searches for logins.json and key4.db in the %APPDATA%\Thunderbird\Profiles\ directory and sends the file contents to its C2.

For Outlook, StrelaStealer enumerates the registry keyHKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ in order to find the values IMAP User, IMAP Server and IMAP Password. StrelaStealer then decrypts the IMAP Password using CryptUnprotectData before sending the triple to its C2.


Communication is done using plain HTTP POSTs, with the payload encrypted using the same xor key as for the strings. C2 server and resource name are hardcoded and so far all samples were configured for the same one:


The IP address is hosted on known Russian bulletproof hosting “Kanzas LLC” with the /24 likely being hosted in Moscow.

Stolen files from Thunderbird are sent home in the following format:

[prefix "FF"]
[DWORD size logins.json]
[contents of logins.json]
[contents of key4.db]

Outlook data uses the following format:

[prefix "OL"]

When sending home data, StrelaStealer checks for the last two bytes of the response to be KH which appears to signal a successful transfer and causes StrelaStealer to quit, otherwise it retries to send the data again after a 1 second sleep.


As usual, you can find below the IoCs. We share a MISP event on our GitHub.

Pdb path:
"C:\Users\Serhii\Documents\Visual Studio 2008\Projects\StrelaDLLCompile\Release\StrelaDLLCompile.pdb
C2 server:


T1003     - Credential Dumping 
T1041 - Exfiltration Over C2 Channel
T1041 - Exfiltration Over Command and Control Channel
T1059.003 - Windows Command Shell
T1071 - Standard Application Layer Protocol
T1566.001 - Spearphishing Attachment
T1574.002 - DLL Side-Loading



DCSO CyTec Blog

We are DCSO, the Berlin-based German cybersecurity company. On this blog, we share our technical research.