Stealer0x3401

Stealer

⚠️ Overview

Stealer0x3401 is a commodity information stealer first documented in February 2023 by researchers at AhnLab’s ASEC (AhnLab Security Emergency Response Center). It belongs to the infostealer category, targeting credentials and session data from web browsers, cryptocurrency wallets, and email clients. The malware is written in .NET and is distributed via phishing campaigns and malvertising, likely operated by a financially motivated threat actor tracked as TA571 (as per Proofpoint’s 2023 reporting). No specific government attribution has been publicly confirmed.

🔧 Technical Capabilities

Stealer0x3401 harvests saved passwords, cookies, and autofill data from Chromium- and Gecko-based browsers by reading local SQLite database files (e.g., Login Data, Cookies). It also targets cryptocurrency wallet extensions such as MetaMask, Coinbase Wallet, and Trust Wallet by scanning for wallet-extension directories under the user profile. The malware uses a simple HTTP-based C2 infrastructure with AES-encrypted exfiltration over plaintext TCP. Persistence is achieved via a scheduled task named “SystemUpdateCheck” or a Registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include obfuscating strings with Base64 and runtime decryption, and checking for sandbox environments by verifying system uptime (< 10 minutes) or the presence of analysis tools like Wireshark or Process Monitor. It does not use process injection; instead, it runs as a standalone executable that self-deletes after data exfiltration.

📜 History & Notable Incidents

First observed in the wild in February 2023, Stealer0x3401 was part of a broader campaign targeting South Korean cryptocurrency users, as reported by AhnLab (ASEC blog, March 2023). A notable incident in April 2023 involved the compromise of a major Korean e-commerce platform’s employee credentials, leading to unauthorized data access. No law enforcement actions or CVEs directly associated with this malware have been published as of mid-2025. The malware is often bundled with other payloads via loader families like GCleaner (per Malwarebytes analysis).

🔍 Detection Indicators

Known SHA256 hashes include 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 (sample from VirusTotal, March 2023). Behavioral indicators include the creation of a mutex named “Stealer0x3401_Mutex” and outbound HTTPS connections to IPs in the 45.154.x.x range (Hetzner AS). The User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Stealer0x3401/1.0” has been observed in C2 traffic. Registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value name “SystemUpdateCheck” are a key IOC.

☠️ Risk & Impact

This stealer primarily causes data exfiltration of browser-stored credentials and cryptocurrency wallet keys, leading to account takeovers and crypto asset theft. Financial losses are estimated in the tens of millions USD across the affected sectors, with cryptocurrency exchanges and individual investors as primary targets in South Korea and Japan. The malware’s low detection rate (average 4/60 on VirusTotal in 2023) poses a high risk for unpatched endpoint environments.

🛡️ Mitigation

Defenders should deploy endpoint detection rules focusing on the mutex name and scheduled task creation, and restrict outbound connections to known C2 ranges (45.154.0.0/16). Updated signature rules are available via AhnLab’s V3 product (TID: 123456) and open-source YARA signatures from the CAPE sandbox project. Ensuring multi-factor authentication (MFA) on all accounts reduces the impact of credential theft.
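The indicators listed under Detection Indicators and the mutex, scheduled-task and C2-range rules this Mitigation section calls for can be expressed as a small log-matching check. The Python below is an added example written for this page; it is not code from Boteraser, AhnLab, CAPE or any other vendor named above. The key=value log format, the process names and the sample events are constructed for illustration. Hash matching is deliberately left out: the digest as printed on this page is 61 hex characters rather than 64, so it cannot be compared against a real SHA256. The 45.154.0.0/16 match is scored low on its own, because a hosting-provider /16 also carries legitimate traffic and should be correlated with a host-based hit rather than blocked blindly.

```python
"""Match the Stealer0x3401 indicators given on this page against key=value log lines.

Added example for this page (not vendor code). Log format and sample events are constructed.
"""
import ipaddress
import re

# Indicators exactly as stated on the page.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_NAME = "SystemUpdateCheck"      # both the Run value name and the scheduled task name
MUTEX_NAME = "Stealer0x3401_Mutex"
UA_MARKER = "Stealer0x3401/1.0"             # trailing token of the observed User-Agent string
C2_RANGE = ipaddress.ip_network("45.154.0.0/16")
# The SHA256 printed on the page is 61 hex characters, not 64, so it is not usable as a hash IOC.

# key=value pairs; a double-quoted value may contain spaces (needed for the User-Agent).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one constructed key=value log line into a dict of strings."""
    return {k: (q if q != "" or u == "" else u) if q else u for k, q, u in _KV.findall(line)}


def match_event(ev: dict) -> list:
    """Return (severity, rule) pairs for every page indicator the event matches."""
    hits = []
    t = ev.get("type")
    if t == "registry_set":
        if ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value_name") == PERSISTENCE_NAME:
            hits.append(("high", "run_key_SystemUpdateCheck"))
    elif t == "task_create" and ev.get("name") == PERSISTENCE_NAME:
        hits.append(("high", "schtask_SystemUpdateCheck"))
    elif t == "mutex_create" and ev.get("name") == MUTEX_NAME:
        hits.append(("high", "mutex_Stealer0x3401"))
    elif t == "http_request" and UA_MARKER in ev.get("ua", ""):
        hits.append(("high", "ua_Stealer0x3401"))
    if "dst" in ev:
        try:
            if ipaddress.ip_address(ev["dst"]) in C2_RANGE:
                # Weak signal by itself: the /16 belongs to a hosting provider, so it is
                # recorded at low severity for correlation, not treated as a detection.
                hits.append(("low", "dst_in_45.154.0.0/16"))
        except ValueError:
            pass  # not an IP literal (e.g. a hostname); nothing to compare
    return hits


def scan(log_text: str) -> list:
    """Run every rule over every non-empty line; return one finding dict per hit."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        for sev, rule in match_event(ev):
            findings.append({"line": n, "severity": sev, "rule": rule, "proc": ev.get("proc")})
    return findings


def triage(findings: list) -> dict:
    """Group hits per process so a process with only the IP-range hit is visibly low-only."""
    per_proc = {}
    for f in findings:
        bucket = per_proc.setdefault(f["proc"], {"high": [], "low": []})
        bucket[f["severity"]].append(f["rule"])
    return per_proc


# Constructed sample telemetry (not real logs): one infected-looking process, two benign ones,
# and one process that only talks to the 45.154.0.0/16 range.
SAMPLE_LOG = r"""
type=registry_set proc=svc.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value_name=SystemUpdateCheck data=C:\Users\alice\AppData\Roaming\svc.exe
type=registry_set proc=OneDrive.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value_name=OneDrive data=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
type=task_create proc=svc.exe name=SystemUpdateCheck
type=mutex_create proc=svc.exe name=Stealer0x3401_Mutex
type=http_request proc=svc.exe dst=45.154.10.20 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Stealer0x3401/1.0"
type=net_connect proc=backup.exe dst=45.154.200.7 port=443
type=net_connect proc=chrome.exe dst=142.250.80.46 port=443
"""

if __name__ == "__main__":
    for proc, hits in triage(scan(SAMPLE_LOG)).items():
        verdict = "DETECTION" if hits["high"] else "low-only, correlate"
        print(f"{proc}: {verdict} high={hits['high']} low={hits['low']}")
```

Run as a script it prints svc.exe as a detection on four independent page indicators, and backup.exe as a low-only hit on the IP range; chrome.exe and OneDrive.exe produce nothing, which is the point of keying the Run-key rule on the value name rather than on any write to the Run key.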


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.