Microsoft Incident Response researchers have discovered a powerful new remote access trojan (RAT) called StilachiRAT with sophisticated capabilities for credential theft and cryptocurrency wallet theft.

Technical Capabilities

System reconnaissance: Executes WMI queries via WQL to gather system information and hardware identifiers, creating a unique device fingerprint derived from system serial numbers and attacker RSA keys.

Cryptocurrency targeting: Enumerates Chrome extensions by querying the registry path \SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings for 20 specific wallet extensions, with a particular focus on Tron blockchain credentials popular in Asia.

Credential theft: Extracts and decrypts saved credentials from Google Chrome by accessing the browser’s encryption key using targeted SQL queries.

API Obfuscation: Implements sophisticated API obfuscation by storing precomputed API checksums in XOR-masked lookup tables, dynamically resolving function pointers at runtime with additional XOR masking to prevent memory scanning.

Stealth operations: Employs anti-forensic tactics by clearing event logs, detecting analysis tools, and implementing sandbox-evading techniques.

Persistence: Achieves persistence through Windows service control manager and uses watchdog threads to ensure it reinstalls if removed.

Remote control: Supports various commands from C2 servers, such as rebooting system, clearing logs, TCP socket manipulations and application execution.

Indicators of Compromise (IOCs)

File Hashes

SHA-256: 394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb (WWStartupCtrl64.dll)

Network Indicators

  • C2 Domain: app.95560[.]cc
  • C2 IP Address: 194.195.89[.]47
  • TCP Communication Ports: 53, 443, 16000

Registry Artifacts

  • Creation of unique device ID under CLSID registry key
  • Modification of service control settings for persistence

Detection Opportunities

  • Monitor for suspicious outbound TCP connections to ports 53, 443, 16000
  • Event IDs 7045/7040 (service installation/modification)
  • Event IDs 1102/104 (security/system log clearing)
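As an added example (not code from Microsoft's report or the original post), the following Python triages constructed Windows event and network-connection records against the detection opportunities listed above. The record layout, the `triage` function and the sample file path are assumptions for illustration; only the event IDs, hash, C2 address and ports come from the page.

```python
# Added example: score constructed telemetry against the StilachiRAT
# detection opportunities (event IDs 7045/7040 and 1102/104, outbound TCP to
# the published C2). All records below are constructed; only IOCs are real.
C2_IP = "194.195.89.47"
C2_DOMAIN = "app.95560.cc"
SAMPLE_SHA256 = "394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb"

# (channel, event ID) pairs called out in the write-up.
SERVICE_EVENTS = {("System", 7045): "service installed",
                  ("System", 7040): "service start type changed"}
LOG_CLEAR_EVENTS = {("Security", 1102): "Security log cleared",
                    ("System", 104): "System log cleared"}

def triage(events, connections):
    """Return (severity, reason) alerts for the page's detection opportunities."""
    alerts = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in SERVICE_EVENTS:
            # Persistence via the service control manager; keep the image for pivoting.
            alerts.append(("medium", f"{SERVICE_EVENTS[key]}: {ev.get('image', '?')}"))
        elif key in LOG_CLEAR_EVENTS:
            # Anti-forensics: log clearing is rare on workstations, so rate it high.
            alerts.append(("high", LOG_CLEAR_EVENTS[key]))
        if ev.get("sha256") == SAMPLE_SHA256:
            alerts.append(("high", f"known StilachiRAT hash: {ev.get('image', '?')}"))
    for c in connections:
        if c["dst_ip"] == C2_IP or c.get("dst_host") == C2_DOMAIN:
            alerts.append(("high", f"published C2 {c['dst_ip']}:{c['dst_port']}"))
        elif c["dst_port"] == 16000:
            # 53/443 are too common to alert on alone; outbound TCP/16000 is not.
            alerts.append(("low", f"outbound TCP/16000 from {c['image']}"))
    return alerts

# Constructed sample telemetry (the Temp directory is an assumed drop location).
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7045, "sha256": SAMPLE_SHA256,
     "image": r"C:\Windows\Temp\WWStartupCtrl64.dll"},
    {"channel": "Security", "event_id": 1102},
    {"channel": "System", "event_id": 7036},  # benign service state change
]
SAMPLE_CONNECTIONS = [
    {"image": "svchost.exe", "dst_ip": "8.8.8.8", "dst_port": 53},  # benign DNS
    {"image": "rundll32.exe", "dst_ip": "194.195.89.47", "dst_port": 16000},
]

if __name__ == "__main__":
    for sev, reason in triage(SAMPLE_EVENTS, SAMPLE_CONNECTIONS):
        print(f"[{sev}] {reason}")
```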

Conclusion

While Microsoft has not pinned StilachiRAT to a specific threat actor, its sophisticated capabilities suggest a well-funded operation with financial motives. The malware’s focus on cryptocurrency wallets, particularly those popular in Asia, is a potential indicator of geographic targeting.


Source: hxxps[://]www[.]microsoft[.]com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/