IP stealer

Author: f | 2025-04-23


This is an IP stealer written in Python - developers15/Ip-stealer-python


BLX Stealer, also known as XLABB Stealer, is malware designed to steal sensitive information such as credentials, payment data, and cryptocurrency wallets from infected endpoints. It uses evasion techniques, process injection, and file encryption to bypass traditional security tools, making it a serious threat to individuals and organizations. BLX Stealer is actively promoted on platforms like Telegram and Discord and comes in both free and premium versions. This post demonstrates how to detect and respond to BLX Stealer on an infected Windows endpoint with Wazuh.

Behavioral analysis of BLX Stealer

Upon infecting an endpoint, BLX Stealer exhibits the following behaviors:

- The malware creates a PowerShell script, temp.ps1, in its working directory.
- It starts a command prompt and runs a command that executes the previously created PowerShell script (the script path passed to -File is not reproduced here):
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "
- It triggers Csc.exe (the C# compiler) and Cvtres.exe (the resource-to-object converter), both legitimate Microsoft utilities that BLX abuses to compile and manipulate executable files on the host.
- It executes the decrypted_executable file, which is dropped in the %TEMP% folder and in the user's %Startup% folder to ensure persistence.
- It attempts to discover the victim's public IP address and geolocation by querying api.ipify.org and geolocation-db.com.

Analyzed malware sample

Hash algorithm   Value
MD5              55bd26a6b610fc1748d0ea905a13f4f0
SHA256           8c4daf5e4ced10c3b7fd7c17c7c75a158f08867aeb6bccab6da116affa424a89

Infrastructure

We use the following infrastructure to demonstrate the detection of BLX Stealer with Wazuh:

- A pre-built, ready-to-use Wazuh OVA 4.9.2. Follow the Wazuh guide to download the virtual machine.
- A Windows 11 victim endpoint with Wazuh agent 4.9.2 installed and enrolled to the Wazuh server. Refer to the installation guide for installing the Wazuh agent.

We use the following techniques to detect BLX Stealer on the infected Windows endpoint:

- Creating custom detection rules for BLX Stealer activities.
- Using a YARA integration to scan for, and remove, files with malicious patterns.

Creating detection rules

We use Sysmon to monitor critical system events on Windows endpoints, such as process creation, file modifications, registry changes, network connections, and script executions. These events are correlated with custom rules on the Wazuh server to detect malicious behaviors specific to BLX Stealer.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture and send Sysmon logs to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Using PowerShell with administrator privileges, create a Sysmon folder on the endpoint's C:\ drive:
> New-Item -ItemType Directory -Path C:\Sysmon

3. Extract the compressed Sysmon file to the folder created above, C:\Sysmon. Replace the leading part of the -Path value with the path where Sysmon.zip was downloaded:
> Expand-Archive -Path "\Sysmon.zip" -DestinationPath "C:\Sysmon"

4. Download the Sysmon configuration file, sysmonconfig.xml, to C:\Sysmon using the PowerShell command below (supply the configuration file's URL as the -Uri value):
> wget -Uri -OutFile C:\Sysmon\sysmonconfig.xml

5. Switch to the directory with the Sysmon executable and run the command below, using PowerShell with administrator privileges, to install and start Sysmon:
> cd C:\Sysmon
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

6. Add the following configuration within the block of the C:\Program Files (x86)\ossec-agent\ossec.conf file, so that the agent forwards the Sysmon event channel:
Microsoft-Windows-Sysmon/Operational

By Madalynn Carr

Report

LokiBot is an information stealer with expanding capabilities depending on the threat actor. This malware family was originally written in C++ and targets Windows devices. LokiBot was first advertised in 2015 on underground markets in Eastern Europe; however, it was not common to see it in the wild until 2018. Since then, LokiBot has remained among the top five malware families delivered through phishing emails.

History

LokiBot first surfaced in March 2015 on underground hacking forums, posted by a hacker using the alias "lokistov", who is also known as "Carter". This can be seen in Figure 1, where LokiBot was originally posted on an underground forum. LokiBot was originally advertised as a "Resident Loader and Password and CryptoCoin-wallet stealer." It is assumed that lokistov is from a non-English-speaking country, specifically a former USSR country. LokiBot was sold for upwards of $450 USD (about $540 USD in today's money at the time this report was written), depending on whether the buyer wanted the stealer or the loader, as well as on add-ons such as changing the C2 (command and control) IP address. After release, lokistov published an update every week until 2017, when LokiBot V2 was released. Since then, the forum thread for LokiBot V1 has not been updated. Shortly after, around 2018, the LokiBot source code was leaked, and it is now sold on forums for as little as $80 USD. There are two theories of how this happened. One is that somebody reverse-engineered the original LokiBot, recovered the source code, and published a cracked version of the malware. The other is that lokistov was hacked, and the attacker published the stolen version.

Figure 1: Original posting of LokiBot by lokistov.

LokiBot became a popular malware choice for threat actors due to the
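The BLX Stealer behaviors listed in the analysis above map one-to-one onto Sysmon event types: process creation (event 1) for the cmd.exe/PowerShell launch and the csc.exe/cvtres.exe chain, file creation (event 11) for the dropped payload, and DNS query (event 22) for the IP and geolocation lookups. The Python block below is an added example written for this page; it is not code from the Wazuh post, from the page's author, or from the Ip-stealer-python project. It encodes those behaviors as rules and runs them over a handful of constructed Sysmon-style events. Field names (eventID, image, parentImage, commandLine, targetFilename, queryName) follow Sysmon event data; the host field, the rule IDs and levels, the .exe extension on decrypted_executable, and all sample events are assumptions made for illustration.

```python
"""Rule-based detection of the BLX Stealer behaviours described above.

Added example: runs over constructed Sysmon-style events, not real telemetry.
Field names follow Sysmon event data; rule IDs, alert levels and the sample
events are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable

STARTUP_DIR = "\\start menu\\programs\\startup\\"      # per-user Startup folder suffix
TEMP_DIR = "\\appdata\\local\\temp\\"                  # per-user %TEMP% suffix
GEO_DOMAINS = {"api.ipify.org", "geolocation-db.com"}  # lookups named in the analysis


def _lower(ev: dict, key: str) -> str:
    return str(ev.get(key, "")).lower()


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def bypass_powershell(ev: dict) -> bool:
    """Event 1: cmd.exe spawning powershell.exe with an execution-policy bypass on
    the dropped temp.ps1. PowerShell accepts unambiguous parameter prefixes, so
    -ep / -exec bypass are matched as well (a generalisation of the observed line)."""
    cmd = _lower(ev, "commandLine")
    return (ev.get("eventID") == 1
            and _basename(_lower(ev, "parentImage")) == "cmd.exe"
            and _basename(_lower(ev, "image")) == "powershell.exe"
            and re.search(r"-(?:ex[a-z]*|ep)\s+bypass", cmd) is not None
            and "temp.ps1" in cmd)


def compiler_abuse(ev: dict) -> bool:
    """Event 1: on-host compilation chain powershell.exe -> csc.exe -> cvtres.exe."""
    img = _basename(_lower(ev, "image"))
    parent = _basename(_lower(ev, "parentImage"))
    return ev.get("eventID") == 1 and (
        (img == "csc.exe" and parent == "powershell.exe")
        or (img == "cvtres.exe" and parent == "csc.exe"))


def dropped_payload(ev: dict) -> bool:
    """Event 11: decrypted_executable written to %TEMP% or the Startup folder.
    The .exe extension is an assumption, so the match is on the file name stem."""
    target = _lower(ev, "targetFilename")
    return (ev.get("eventID") == 11
            and _basename(target).startswith("decrypted_executable")
            and (TEMP_DIR in target or STARTUP_DIR in target))


def geo_lookup(ev: dict) -> bool:
    """Event 22: DNS query for the public-IP / geolocation services."""
    return ev.get("eventID") == 22 and _lower(ev, "queryName") in GEO_DOMAINS


@dataclass(frozen=True)
class Rule:
    rule_id: int          # illustrative; Wazuh custom rules use IDs of 100000 and above
    level: int
    mitre: str
    description: str
    match: Callable[[dict], bool]


RULES = [
    Rule(100100, 12, "T1059.001", "BLX Stealer: cmd.exe ran PowerShell with -ExecutionPolicy Bypass on temp.ps1", bypass_powershell),
    Rule(100101, 8, "T1027.004", "BLX Stealer: csc.exe/cvtres.exe compilation chain under PowerShell", compiler_abuse),
    Rule(100102, 12, "T1547.001", "BLX Stealer: decrypted_executable dropped in %TEMP% or Startup folder", dropped_payload),
    Rule(100103, 6, "T1016", "BLX Stealer: public IP/geolocation lookup (api.ipify.org, geolocation-db.com)", geo_lookup),
]


def evaluate(events, cluster_threshold=3):
    """Apply every rule to every event. Returns (alerts, verdict_per_host). A host
    that trips at least `cluster_threshold` distinct rules is labelled a behaviour
    cluster: any single indicator (a csc.exe chain under PowerShell is ordinary
    Add-Type usage) is low confidence on its own, the combination is not."""
    alerts, hits = [], {}
    for ev in events:
        for rule in RULES:
            if rule.match(ev):
                alerts.append({"host": ev.get("host"), "rule_id": rule.rule_id, "level": rule.level,
                               "mitre": rule.mitre, "description": rule.description})
                hits.setdefault(ev.get("host"), set()).add(rule.rule_id)
    verdict = {host: ("BLX Stealer behaviour cluster" if len(ids) >= cluster_threshold
                      else "isolated indicator") for host, ids in hits.items()}
    return alerts, verdict


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
USER = r"C:\Users\victim"

SAMPLE_EVENTS = [  # constructed for this example; not captured telemetry
    {"host": "WIN11-VICTIM", "eventID": 1, "parentImage": r"C:\Windows\System32\cmd.exe", "image": PS,
     "commandLine": 'powershell.exe -ExecutionPolicy Bypass -File "' + USER + r'\Downloads\temp.ps1"'},
    {"host": "WIN11-VICTIM", "eventID": 1, "parentImage": PS, "image": CSC, "commandLine": "csc.exe /noconfig /fullpaths"},
    {"host": "WIN11-VICTIM", "eventID": 1, "parentImage": CSC,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", "commandLine": "cvtres.exe /NOLOGO"},
    {"host": "WIN11-VICTIM", "eventID": 11, "image": PS, "targetFilename": USER + r"\AppData\Local\Temp\decrypted_executable.exe"},
    {"host": "WIN11-VICTIM", "eventID": 11, "image": PS,
     "targetFilename": USER + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\decrypted_executable.exe"},
    {"host": "WIN11-VICTIM", "eventID": 22, "image": USER + r"\AppData\Local\Temp\decrypted_executable.exe", "queryName": "api.ipify.org"},
    {"host": "WIN11-VICTIM", "eventID": 22, "image": USER + r"\AppData\Local\Temp\decrypted_executable.exe", "queryName": "geolocation-db.com"},
    # benign activity on a developer workstation: none of the rules should fire
    {"host": "WIN11-DEV", "eventID": 1, "parentImage": r"C:\Windows\explorer.exe", "image": PS,
     "commandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"host": "WIN11-DEV", "eventID": 1, "image": CSC, "commandLine": "csc.exe /noconfig",
     "parentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"host": "WIN11-DEV", "eventID": 22, "image": PS, "queryName": "github.com"},
]

if __name__ == "__main__":
    found, per_host = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['host']}] rule {a['rule_id']} level {a['level']} {a['mitre']}: {a['description']}")
    print(per_host)  # {'WIN11-VICTIM': 'BLX Stealer behaviour cluster'}
```

In a Wazuh deployment the same four conditions would be written as custom rules over the Sysmon channel configured in step 6, with the process-creation, file-creation and DNS conditions each chained to the corresponding Sysmon base rule. The correlation step is the part worth keeping: csc.exe under PowerShell, a file landing in %TEMP%, or a query to api.ipify.org each occur in legitimate use, so the per-host threshold is what turns them into a response trigger rather than noise.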

Comments

User2440

Why can't I install Face Swap - Face Stealer?

The installation of Face Swap - Face Stealer may fail because of the lack of device storage, poor network connection, or the compatibility of your Android device. Therefore, please check the minimum requirements first to make sure Face Swap - Face Stealer is compatible with your phone.

How to download Face Swap - Face Stealer old versions?

APKPure provides the latest version and all the older versions of Face Swap - Face Stealer. You can download any version you want from here: All Versions of Face Swap - Face Stealer

What's the file size of Face Swap - Face Stealer?

Face Swap - Face Stealer takes up around 29.8 MB of storage. It's recommended to download the APKPure App to install Face Swap - Face Stealer successfully on your mobile device with faster speed.

What language does Face Swap - Face Stealer support?

Face Swap - Face Stealer supports isiZulu, 中文, Việt Nam, and more languages. Go to More Info to know all the languages Face Swap - Face Stealer supports.

2025-04-17
User6709

A variant of the Epsilon Stealer, indicating that the Iluria Stealer is also an indirect variant of the Epsilon Stealer/SonicGlyde.

Recent Development

On May 11, 2024, "Ykg," who claimed to be the developer of Iluria Stealer, announced version 2 of the Iluria Stealer with various subscription plans available.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

The Nikki Stealer channel has transitioned to Iluria Stealer. Their Discord channel has a strong user base of Portuguese speakers. The owner of Iluria Stealer, 'Ykg', is the former CEO of Nikki Stealer, as claimed in his Discord bio.

While investigating his YouTube channel, we discovered another website registered with Hostinger, which is similar to the nikkistealer[.]shop.

The developer transformed the Nikki Stealer Discord channel into the Iluria Stealer channel and began promoting it. He also created a new Telegram channel for this purpose, which currently has 21 users (albeit no activity).

List of IOCs

No.  Indicator (SHA-256)                                                Remarks
1    b66ce85c6942855970fe939a31459e5b7489e6d2c4bbe0d9d89cb8a863082e1c   Iluria Stealer
2    api[.]nikkistealer[.]shop                                          Domain
3    Badgeshop[.]site                                                   Domain
4    865d5423ec49f96d005cb0b1561a966d8b66f3f2fec7f10a8738d97ffb711990   Similar Malware
5    8681456f3f5829f67a2d429b7095715b1b65a7be1aa5e90b9ec5945aa22a099b   Similar Malware

MITRE ATT&CK TTPs

No.  Tactics                        Technique
1    Execution (TA0002)             T1047: Windows Management Instrumentation; T1059: Command and Scripting Interpreter
2    Persistence (TA0003)           T1547.001: Registry Run Keys / Startup Folder; T1574.002: DLL Side-Loading
3    Privilege Escalation (TA0004)  T1055: Process Injection; T1547.001: Registry Run Keys / Startup Folder
4    Defense Evasion (TA0005)       T1036: Masquerading; T1055: Process Injection; T1574.002: DLL Side-Loading
6    Discovery (TA0007)             T1012: Query Registry; T1057: Process Discovery; T1018: Remote System Discovery; T1082: System Information Discovery
7    Collection (TA0009)            T1114: Email Collection
8    Command and Control (TA0011)   T1573: Encrypted Channel; T1071: Application Layer Protocol

CONCLUSION

In summary, the Nikki Stealer group has now become the Iluria Stealer, and while their Discord channel is full of Portuguese speakers, both of their websites are hosted by Hostinger. The owner claims to be the former CEO of Nikki Stealer in their

2025-03-29
