Configuration Extractor and Yara Rule For StealC (written for the MaCo framework)
Stealc-extractor.py <filename>
$ python stealc-extractor.py <filename>
{
"family": "Stealc",
"http": [
{
"uri": "<c2_uri>",
"usage": "c2"
},
...
]
}
9f44a4cbc30e7a05d7eb00b531a9b3a4ada5d49ecf585b48892643a189358526
87ec3dd4160f049b289793c2682f45bba724cc8c39de7094594fde12f5ce0df1
9609e32ef269267943585810008d8779210fad0100cf1b95c86b6172e05df94e
93284d5b4f436b716386268d24c41971dd24c01a1fc1dacab90c19002076ed0b
3b16e7380171ace72014d2c96da0f5e39e3a59b04292ae835810811c9b8993be
cc6b425363d36d3d74b95da4abce17f161a6bb86eec01902059afcb05fe9d108
38a5c69d1ee7c40cdc52172548936ec691f56d84bb413121375d0efa812d7c91
5401590c0dd63cae68769ddba894fd5fc7f5b7bd97acb325f2d9c6c43798a27c
e978871a3a76c83f94e589fd22a91c7c1a58175ca5d2110b95d71b7805b25b8d
20c94af23dc0353f8a739fe593115eeb09cac111dfc50db3fcb6964bbe2abb4e
cc4ce27b042213058ffb13a5078b681dc99e516fb2861b8b3637a25681fd15ec
68afe1c1cef069a7386dd3a8d406d291d0da0ff654a5fc741cce02b7d54a434b
725c345378b23ea61e130597021b2e89382539fcd1f2955ab390bc8ba942c56e
adfa73d1ed1ee1fd6d80fa6bad26ea57a9da66dd3338dd0e9d950cadb413ecd2
88b40d383476cd2ead5f3e57218284c8946fa35e067d0cd9f3ebc4eb633411e5
03833086b4705d343f299c1639db1a242cd508d4f118d55ca427cb1c5517b589
40063d7dfba46d04bbd880cd1b170a6a7097d05afab296bbecd7305a22cbcc09
863de9242d4a88aee981ec1afca31f086103b34e076a3f07fefd2f0bde860c0f
c7f1ee69120e382f15233648f11cf82973545d95db0a1685ecbc3bc6c1213da0
36a8b96235e52a3e4b3d763656ba258841940d5f0b7f8694c4aa20f7026b955f
67e733069b858d3b1755210f96834936db5e61cb94f485027fae194c41d04a60
c7a00603dfaeddc8d9ec3501727b60e31f995995a566b73e3ff2393d5e8c6d20
fae84b18b6dfc22c6cd04e9230c590623c932ff202ab2c27f7d36339e0a4d4e2
a67ebefdcae4ba5d76bce770a4920256e84195bef3a4702d967be7e5b8181c12
ccd4ccab847e1232c40a15950c2d6265583a7b98e1d2090be961ca1bfcf86390
38d7626b9edf7f1cc931eaa1bd36bdb962226c2f5d55e5d1e1dcb559d982c298
62ff60e791cc7bdc6ba1651b2162068b1f6fee54c0b60f8db90d49f701f7b3c8
9feea11c96e8d15ce4ac6b979c309129b38a8cfc73173034b47c588a02f74d34
1565a0a1cf2ad6c0dacb650fff7b178acd2a4107bfe120873b00109dbc248877
a398e940847ee51fa7fed05b1c6b38a47c1668c14616a0f39f56fd314fe92ad8
0873b7a5cfae17a6dfebe6afde535a186b08d76b4b8ef56a129459c56f016729
9378687129de87cdaf8ea57c6255ac57e0bcb9c1822d4effc60b6c2625fc0be0
dd60453985001addc1eef5f94b6f087d9fbdd218fc75b1958d33c2b5bd98ded1
b0ca3e593ccf9b2c355cd712f9d0b994bba2bfd1f5723f33eb60dc1be677fb1f
1d2efbb4daa2e1847da59a69a2632308cee96db8883d369b5bbefb20b84f93dc
6506a462fb49a209a33e36b85b2912b71fa79b318437bc73c08c800800351ceb
9a2d9f3a38b91199d060632298283ca6f0f4e166952adbd31d3f824a622daa93
dc7f3a22dabb560428ed5f62eb881c3643f85bdad454befadba0c051904fce0f
d7f7dfc24c9af485c5bd79d3276c138882630c351a331d12baa2d1b80ae4e71b
d4c5fd6cc44b488d7a4c8c15ee0a293b4251cfbb0d768b7054d2b2a862667fe2
aa7ae5c236a01e6334fce8e3e05f0a53b6de0c5150d76db7b03d1ddb52290540
8f1acc0b78f398052d3189bddef8856de9e1f3c81b4b1fc172d229823f5dfad6
6395d1c477082e898941bd5926140627c415220620d4b50fb516c18f675ee778
d10ad3051b29d1f53852cc9995ee03ec07f163c0b9d1caf62327bf4d46d803a7
cb467533376a6032f8ffd985a04123f9d708306ecc451db463b87b0d46fd7fc5
df605613cc7ce4fc01a1dc2e9578751e4c2d28a29cffbeac745d4cb2aa9cd9a1
038a54d0e765a4c93175d4e61a4c76fb9267d5120fdfa0f634e5bfdbcdc58529
4e29be4d05a449afc456fdc2d1b27b82d932124c888dd1ae595b41ee5b1905e4
611cb1d5427023aa4ac8b7b0d1cb1b67ec560a1e482ba99b762fd419ce1121da
2924a3879bdb3f7fb2d742fda5b37f568e00263700da8d8f10ad79e0f174637c
de77684b0d117580f4d706125a8de124e56d74ed0fa3ea271338096d1d2a87f1
9aea77b8db52c6df8d8aebf2ae6c54ede2c1f9f0a0b1d3a6c9e5fa8cd92f7401
1fc3facbad6d2f656c2d9fc14a3f6f6d194e040735928ca3440ac90547a02251
d6f17b0d47c38b05fdbbc7184d5afea1e0f756f9c7dc5a8a4acb9a0806f297ad
15c200013d5017dd6b3e49a94cfdca93d0312e7768849025558e618ac1f25a36
40cf7a0db480dd80e1c2e6f8b6a92eb997a5a318656ef4367832928de11886bc
3add327f7f00884d014d9d943b86cc8dafe2978eac6a45c171d2c1ff114b2c4b
32f427f7888a90b82597ed359ca339642d31f3bd54e01a41c2b6de5fa3be83be
11a4d950c18b1e65c593d5ae5f5f26b9f4fdd24adb0063bb53dd2dc2564c94ac
fe6edbc42a1b391d80eac4c06b5dd169cebbc353f67a6e1d780770be829ce27e
a8fa9df53885c5c0e53b6d0500e54deea962efa736e19b1c788100f267b3d339
227280b687fa048607a2c892ca033384473c27d5f997906bcfa9fa7f8d348906
68df3853b8938450f68c93411ab591a8c14bea7ef362e87464e37b1a5c649d61
6505e01eb396031ba1f58401f0f76b71ad3d15e2936f50a91f9b26c6e8ad5d33
ed1b2030183a5075f336a25484081026a35f51be183834bc4d5896491a9d6ac7
31aa5ac9dbbe520dda49898aaa49f5288e6c75aa7303730cc00ccdecead50e34
ad7d718117391c90dc8e2434a1230fbba0e6b6102b219699587c1051a93e1801
4b52fadf6f4f8b84454ce066e3c8193c68eb47e5036fd9a94ddbf7e72dc6089b
6ea043b46dec0d1bd540d0f1718d10b524580bb5cd9e40166c2b6fa39a2a935f
adbcfae1701daa92c30451d293828ad7e7f1a8351d7e200c150a62a1fba0b695
fe4ee7803a9db6b0358467b642357a61f10e81c1114c68a232fdfa395dd8ef41
59468c7b28ad543b3f8da825d1e71fad66ca0e0523a94c0aab84ad4a3b8400c5
74ff68245745b9d4cec9ef3c539d8da15295bdc70caa6fdb0632acdd9be4130a
c0541c65480fc76bcb5d3051a09fc37ac3b142cffb9610bc18dc126019244578
421121f293bf1b811c874b88b73d8a3a079108ba8ae0a9e2a7b171eca9bf3107
fca68d95a6ac7335900e37e651c90069b92023b7b6e157d9a159dc2796fc2915