splunk · tccontre · Dec 15, 2025 · Dec 15, 2025 · Dec 16, 2025 · Dec 22, 2025
@@ -1,7 +1,7 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 15
-date: '2025-08-22'
+version: 16
+date: '2025-12-16'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
@@ -43,6 +43,7 @@ references:
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
 tags:
   analytic_story:
+  - StealC Stealer
   - PlugX
   - Warzone RAT
   - Data Destruction

@@ -1,7 +1,7 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 13
-date: '2025-09-30'
+version: 14
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -51,6 +51,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - CISA AA23-347A
   - Phemedrone Stealer
   - DarkGate Malware

@@ -1,7 +1,7 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 13
-date: '2025-09-30'
+version: 14
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -50,6 +50,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - DarkGate Malware
   - CISA AA23-347A
   - NjRAT

@@ -1,7 +1,7 @@
 name: Windows Chromium Browser with Custom User Data Directory
 id: 4f546cf4-15aa-4368-80f7-940e92bc551e
-version: 2
-date: '2025-09-30'
+version: 3
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -62,6 +62,7 @@ rba:
     type: parent_process_name
 tags:
   analytic_story:
+  - StealC Stealer
   - Malicious Inno Setup Loader
   - Lokibot
   asset_type: Endpoint

@@ -1,7 +1,7 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 16
-date: '2025-10-14'
+version: 17
+date: '2025-12-16'
 author: Teoderick Contreras, Bhavin Patel Splunk
 data_source:
 - Windows Event Log Security 4663
@@ -61,6 +61,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - Salt Typhoon
   - Earth Alux
   - Quasar RAT

@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome Extension Access
 id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af
-version: 8
-date: '2025-08-22'
+version: 9
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -54,6 +54,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - DarkGate Malware
   - Amadey
   - Meduza Stealer

@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: 16
-date: '2025-10-14'
+version: 17
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -53,6 +53,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - DarkGate Malware
   - Malicious Inno Setup Loader
   - NjRAT

@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: 16
-date: '2025-10-14'
+version: 17
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -54,6 +54,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - DarkGate Malware
   - Malicious Inno Setup Loader
   - NjRAT

@@ -1,7 +1,7 @@
 name: Windows File Download Via PowerShell
 id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de
-version: 5
-date: '2025-12-04'
+version: 6
+date: '2025-12-16'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -108,6 +108,7 @@ tags:
     - Winter Vivern
     - XWorm
     - Tuoni
+    - StealC Stealer
   asset_type: Endpoint
   mitre_attack_id:
     - T1059.001

@@ -1,7 +1,7 @@
 name: Windows MSIExec Remote Download
 id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda
-version: 11
-date: '2025-09-09'
+version: 12
+date: '2025-12-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -83,6 +83,7 @@ tags:
     - Windows System Binary Proxy Execution MSIExec
     - Water Gamayun
     - Cisco Network Visibility Module Analytics
+    - StealC Stealer
   asset_type: Endpoint
   mitre_attack_id:
     - T1218.007

@@ -1,7 +1,7 @@
 name: Windows MSIExec Spawn Discovery Command
 id: e9d05aa2-32f0-411b-930c-5b8ca5c4fcee
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-12-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -82,6 +82,7 @@ tags:
     - Windows System Binary Proxy Execution MSIExec
     - Medusa Ransomware
     - Water Gamayun
+    - StealC Stealer
   asset_type: Endpoint
   mitre_attack_id:
     - T1218.007

@@ -1,7 +1,7 @@
 name: Windows Non Discord App Access Discord LevelDB
 id: 1166360c-d495-45ac-87a6-8948aac1fa07
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 data_source:
 - Windows Event Log Security 4663
@@ -50,6 +50,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - Snake Keylogger
   - PXA Stealer
   asset_type: Endpoint

@@ -1,7 +1,7 @@
 name: Windows Process Execution From ProgramData
 id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0
-version: '5'
-date: '2025-09-18'
+version: 6
+date: '2025-12-15'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -67,6 +67,7 @@ rba:
     type: parent_process_name
 tags:
   analytic_story:
+  - StealC Stealer
   - SnappyBee
   - XWorm
   - Salt Typhoon

@@ -1,7 +1,7 @@
 name: Windows Query Registry UnInstall Program List
 id: 535fd4fc-7151-4062-9d7e-e896bea77bf6
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,6 +48,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - RedLine Stealer
   - Meduza Stealer
   asset_type: Endpoint

@@ -1,7 +1,7 @@
 name: Windows Screen Capture in TEMP folder
 id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c
-version: 7
-date: '2025-10-14'
+version: 8
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 11
@@ -55,6 +55,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - Crypto Stealer
   - Braodo Stealer
   - APT37 Rustonotto and FadeStealer

@@ -1,7 +1,7 @@
 name: Windows Suspicious Process File Path
 id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
-version: 17
-date: '2025-10-31'
+version: 18
+date: '2025-12-15'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -76,6 +76,7 @@ rba:
     type: process_name
 tags:
   analytic_story:
+  - StealC Stealer
   - PlugX
   - Water Gamayun
   - Warzone RAT

@@ -1,7 +1,7 @@
 name: Windows Unsecured Outlook Credentials Access In Registry
 id: 36334123-077d-47a2-b70c-6c7b3cc85049
-version: 8
-date: '2025-09-30'
+version: 9
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -54,6 +54,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - StealC Stealer
   - Snake Keylogger
   - Meduza Stealer
   - 0bj3ctivity Stealer

@@ -1,7 +1,7 @@
 name: Windows Unusual Process Load Mozilla NSS-Mozglue Module
 id: 1a7e7650-b81d-492e-99d4-d5ab633afbdd
-version: 3
-date: '2025-09-30'
+version: 4
+date: '2025-12-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -65,6 +65,7 @@ rba:
     type: process_name
 tags:
   analytic_story:
+  - StealC Stealer
   - Quasar RAT
   - 0bj3ctivity Stealer
   - Lokibot

@@ -0,0 +1,20 @@
+name: StealC Stealer
+id: ffe19aee-edd5-4065-871c-bafb681dd7a5
+version: 1
+date: '2025-12-15'
+author: Teoderick Contreras, Splunk
+status: production
+description: StealC is a lightweight information-stealing malware primarily focused on harvesting browser-stored data. It targets popular browsers such as Chrome, Edge, Firefox, and Chromium-based variants to extract saved credentials, cookies, autofill data, browsing history, and session tokens. StealC abuses browser SQLite databases and encryption APIs to decrypt stored passwords, enabling account takeover and further compromise. The malware often runs silently in user context, evading detection through minimal footprint, obfuscation, and rapid data exfiltration to command-and-control servers. Detection typically involves monitoring unauthorized access to browser profile directories, suspicious process behavior interacting with browser credential stores, and outbound network traffic to known StealC infrastructure.
+narrative: StealC emerged as a malware-as-a-service information stealer designed to provide cybercriminals with an easy and low-cost way to harvest sensitive user data. First observed in the wild in the early 2020s, specifically in 2023, it gained popularity due to its simplicity, reliability, and focus on browser-stored information. StealC primarily targets credentials, cookies, and session data from widely used browsers, enabling account hijacking and follow-on attacks. Its modular design and frequent updates allow operators to adapt quickly, making StealC a common payload in phishing campaigns, cracked software installers, and malicious downloads distributed across multiple threat ecosystems.
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
+tags:
+  category:
+  - Data Destruction
+  - Malware
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection