How to remove StrelaStealer

What is StrelaStealer

StrelaStealer is a type of stealer-type malware that specifically targets email account login credentials. It was first discovered by researchers in November 2022 and has been observed to be distributed using spam emails targeting Spanish-speaking users. The malware is designed to extract email account login credentials from popular email clients such as Microsoft Outlook and Mozilla Thunderbird. Once the malware is loaded in memory, the default browser is opened to show the decoy to make the attack less suspicious. StrelaStealer details Upon execution, StrelaStealer searches the ‘%APPDATA%\Thunderbird\Profiles’ directory for ‘logins.json’ (account and password) and ‘key4.db’ (password database) and exfiltrates their contents to the C2 server. For Outlook, StrelaStealer reads the Windows Registry to retrieve the software’s key and then locates the ‘IMAP User’, ‘IMAP Server’, and ‘IMAP Password’ values. The IMAP Password contains the user password in encrypted form, so the malware uses the Windows CryptUnprotectData function to decrypt it before it’s exfiltrated to the C2 along with the server and user details. It is crucial to follow the removal instructions in the correct order and to use legitimate and updated anti-malware tools to ensure the complete eradication of the malware. After removing the malware, it is also essential to change all passwords immediately, as the stolen credentials may have been compromised.

How StrelaStealer infected your system

StrelaStealer infiltrates computers primarily through malicious email attachments. These attachments often contain ISO files with varying content, which serve as the primary attack vector for the malware. The ISO files may include executables that sideload the bundled malware through DLL order hijacking or contain a .lnk file and a polyglot HTML document that can install the payload when opened via an executable. In some cases, the malware arrives on the victim’s system via email attachments, currently ISO files with varying content. In one example, the ISO contains an executable (‘msinfo32.exe’) that sideloads the bundled malware via DLL order hijacking. In a more interesting case seen by the analysts, the ISO contains an LNK file (‘Factura.lnk’) and an HTML file (‘x.html’). The x.html file is of particular interest because it is a polyglot file, which is a file that can be treated as different file formats depending on the application that opens it.

1. Download StrelaStealer Removal Tool
2. Use Windows Malicious Software Removal Tool to remove StrelaStealer
3. Use Autoruns to remove StrelaStealer
4. Files, folders and registry keys of StrelaStealer
5. Other aliases of StrelaStealer
6. How to protect from threats, like StrelaStealer

Remove StrelaStealer manually

Manual removal of StrelaStealer by inexperienced users may become a difficult task because it does not create entries in Add/Remove Programs under Control Panel, does not install browser extensions, and uses random file names. However, there are pre-installed instruments in the Windows system, that allow you to detect and remove malware without using third-party applications. One of them is Windows Malicious Software Removal Tool. It comes with Windows Update in Windows 11, 10, 8. 8.1. For older operating system you can download it here: 64-bit version | 32-bit version.

Remove StrelaStealer using Windows Malicious Software Removal Tool

1. Type mrt in the search box near Start Menu.
2. Run mrt clicking on found item.
3. Click Next button.
4. Choose one of the scan modes Quick scan, Full scan, Customize scan (Full scan recommended).
5. Click Next button.
6. Click on View detailed results of the scan link to view the scan details.
7. Click Finish button.

Remove StrelaStealer using Autoruns

StrelaStealer often sets up to run at Windows startup as an Autorun entry or Scheduled task.

1. Download Autoruns using this link.
2. Extract the archive and run Autoruns.exe file.
3. In Options menu make sure there are checkboxes near Hide Empty Locations, Hide Microsoft Entries, and Hide Windows Entries.
4. Search for suspicious entries with weird names or running from locations like: C:\{username}\AppData\Roaming.
5. Right-click on suspicious entry and choose Delete. This will prevent the threat to run at startup.
6. Switch to Scheduled Tasks tab and do the same.
7. To remove files themselves, click on suspicious entries and choose Jump to Entry…. Remove files or registry keys found.

Remove files, folder and registry keys of StrelaStealer

StrelaStealer files and folders


{randomname}.exe


StrelaStealer registry keys


no information


Aliases of StrelaStealer

How to protect from threats, like StrelaStealer, in future

Standard Windows protection or any decent third-party antivirus (Norton, Avast, Kaspersky) should be able to detect and remove StrelaStealer. However, if you got infected with StrelaStealer with existing and updated security software, you may consider changing it. To feel safe and protect your PC from StrelaStealer on all levels (browser, e-mail attachments, Word or Excel scripts, file system) we recommend a leading provider of internet security solutions – BitDefender. Its solutions both for home and business users proved to be one of the most advanced and effective. Choose and get your BitDefender protection via the button below:

3. Do not open spam e-mails and protect your mailbox

Malicious attachments to spam or phishing e-mails are the most popular method of malware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.