StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

March 18, 2025, 9:58 a.m.

Description

Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT that demonstrates sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credentials, establishes command-and-control communication, executes remote commands, achieves persistence through Windows services, monitors RDP sessions, collects clipboard data, and employs anti-forensic measures. Taken together, these capabilities (system reconnaissance, digital wallet targeting, credential theft, command execution, and clipboard monitoring) give StilachiRAT significant potential for cryptocurrency theft and system manipulation, as the analysis shows.

Date

  • Created: March 17, 2025, 10:21 p.m.
  • Published: March 17, 2025, 10:21 p.m.
  • Modified: March 18, 2025, 9:58 a.m.

Indicators

  • 394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb
  • app.95560.cc

Attack Patterns

  • StilachiRAT
  • CVE-2023-36884