StilachiRAT Malware Analysis - Statical technical inspection + debugging threat quick analysis + threat intelligence (OSINT)

Main analysis points:

SQLite queries
Infostealing
Information details about the victim machine gathering
PureBasic development
Volume information gathering
Anti-debugging, Anti-VM and anti-sandbox
MySQL exposed service related to C&C IP address associated to the C&C domain

In this article we are going to see some evidences and interesting details gathered with a debugging analysis overview, quick technical static inspection of the DLL first stage of the new StilachiRAT threat discovered by Microsoft Incident Response researchers.

First of all we can see the library has been developed with PureBasic and has an high entropy coefficient for the .text section, which contains CPU instructions.

The threat performs a lot SQLite3 queries to gather information about the victim user, the victim machine and sensitive data, for example browser data and clipboard (through regex evaluations). StilachiRAT executes plenty of SELECT * FROM queries to obtain data from specific tables, we can see also UPDATE queries to rename tables.

Here is the call to the functions of VFS registering before performing the SQLite queries:

Here are the ordinals called by the library itself and the exported functions:

Here is the function of setting directory with SQLite exported function to set the temp_directory or data_directory based on the type parameter:

The result is then stored and obtained through a BLOB object:

Here is the exported function to set and configure the SQLite database connection and some queries related to insertions of data in SQLite database tables and DELETE queries to remove tuples with WHERE conditions. Some SELECT queries have ORDER BY statements to make sorts, there is also a reference in exported functions to sqlite3_data_count which can give the number of columns of the selected row of the results of the statement. There is a reference to the deprecated function sqlite3_aggregate_count.

Here are some function calls ("GetDriveTypeA", "GetVolumeInformation" and "ZwQueryVolumeInformationFile") to gather volume information about the victim machine:

An hardlink is created to create links with files during SQLite enumaterations and queries executions with the function "CreateHardLinkW":

File types and file paths by names are obtained:

The malware gets evidence of possible debuggers, performance counter and timestamp most probably for anti-VM and anti-sandbox purposes but also analysis evasions.

The victim ID combined with the public key of the threat actor is stored under a CLSID:

Here are the references to "GetSystemDirectory", "GetSystemInfo" function and TempPath to establish data and information gathering process:

Information and details managed with SQLite can be dealt with JSON objects:

Here's a reference to regex objects and expressions used by StilachiRAT to deal with Clipboard gathered data and cryptocurrencies blockchains details:

SQLite also supports API database connections calls:

The connections established by StilachiRAT have as Proxy-agent "FarmProxy 1.0"

The threat performs sleeps for some executions modules, especially for C&C communications most probably for evasion and there is an enumeration of opened windows (with the function "EnumChildWindows") and sent to the C&C:

The C&C IP address 194.195.89[.]47 has been registered by Packethub S.A. in Japan and is related to a Synology NAS QuickConnect domain:

The C&C domain app[.]95560[.]cc is recognized as malicious by OSINT sources and related to Spam:

The IP address, related to the domain in question 27.50.59[.]126 has been registered by CTG Server Ltd. in Hong Kong and has the following ports opened: 22 (SSH), 80 (HTTP), 443 (HTTPS), 888 (HTTP), 3306 (MySQL), 28552 (HTTP).