{
  "Event": {
    "analysis": "1",
    "date": "2026-04-21",
    "extends_uuid": "",
    "info": "[Threat Intel] StepDrainer MaaS Platform Targeting Multi-Chain Crypto Wallets and NFT Assets",
    "protected": false,
    "publish_timestamp": "1776783240",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776783240",
    "uuid": "9c2f0dac-7cd7-43ff-9f3a-23a1a82038e3",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#150050",
        "local": false,
        "name": "rectifyq:sub-category=\"report\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a0065",
        "local": false,
        "name": "rectifyq:topic=\"crypto-related\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769219",
        "to_ids": false,
        "type": "text",
        "uuid": "74ef6daa-9594-4561-a7a7-11fe5d44c283",
        "value": "StepDrainer is a Malware-as-a-Service (MaaS) platform engineered to steal digital assets from cryptocurrency wallets, including fungible tokens and high-value NFT collections. The malware supports more than 20 blockchain networks and incorporates multiple draining techniques, in particular abusing ERC-20 token allowances (approve/permit) and NFT approval mechanisms (e.g. setApprovalForAll) that the victim is tricked into signing. Because such approvals remain valid until the victim revokes them on-chain, incident response should include revoking allowances granted to the drainer's contracts in addition to moving any remaining assets.\n\nThe platform includes automated asset transfer capabilities, compatibility with widely used mobile wallets, and encrypted logging via Telegram channels for attacker monitoring. StepDrainer is commercially distributed within cybercriminal ecosystems, with pricing models ranging from approximately $750 for full source code access to $150 for a shared version that imposes a 20% commission on successful thefts."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769219",
        "to_ids": false,
        "type": "text",
        "uuid": "ed31394a-7b13-4b67-a3dd-53723a6ea570",
        "value": "Name: StepDrainer MaaS Platform Targeting Multi-Chain Crypto Wallets and NFT Assets\nAuthor: AlienVault\nAdversary: \nTags: [\"smart contract\", \"stager api\", \"stepdrainer\", \"maas\", \"infostealer\", \"crypto\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1566\", \"T1204\", \"T1071\", \"T1567\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776581",
        "to_ids": true,
        "type": "domain",
        "uuid": "716980f2-d68d-45a8-89f4-f13a3dbc2d3d",
        "value": "aodefevrgdkhqltdnwgzbyjoywrlbntbhfwq.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776602",
        "to_ids": true,
        "type": "domain",
        "uuid": "65e54e2a-b651-47f8-bdbf-c88c706e6a7d",
        "value": "moonscan.live",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776623",
        "to_ids": true,
        "type": "domain",
        "uuid": "25beecbe-e514-40c6-a611-cd7fa83dfb0b",
        "value": "scanclaw.live",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776644",
        "to_ids": true,
        "type": "url",
        "uuid": "e6a3cd6d-ceb3-4f52-ae85-088fc8dd447a",
        "value": "http://scanclaw.live/KjYQnKB-.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776665",
        "to_ids": true,
        "type": "url",
        "uuid": "5abbad7e-3eb0-4f44-b80a-6f715987f1c6",
        "value": "http://moonscan.live/7w2NU3Z-.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776686",
        "to_ids": true,
        "type": "domain",
        "uuid": "c9221ec8-d91a-4071-ba7b-00bc4bdaa6e9",
        "value": "aahdjjsivunugynqjvyfbhqnjekniyfboma.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776770822",
        "to_ids": false,
        "type": "link",
        "uuid": "79b2531e-ef28-4aa6-9697-9b17ed696ca8",
        "value": "https://otx.alienvault.com/pulse/69e734af1069d427edf013a9/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776776707",
        "uuid": "961503b0-a89c-4548-928b-7237d3f4d93e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776776707",
            "to_ids": true,
            "type": "md5",
            "uuid": "03e0ca5f-b409-4ec8-b3ce-a6ca12a2f4f9",
            "value": "96c2ff1601099c21c598c24e6f43c7c4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776773650",
            "to_ids": true,
            "type": "sha1",
            "uuid": "210bbfe8-2063-48e3-803c-46cc45b0bc40",
            "value": "d78fa2e81b7b5ccf287c793c5a9985caaa0f6162",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776773650",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f852a9a6-d959-4568-ae1a-f74ce9b314da",
            "value": "7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776773366",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a08aeee8-7612-4944-95e7-e4e512b99968",
            "value": "6144:0ujB8gltIeTM5/S8g6zRh5gDVLU2GIt/KJAsJRrydM147u/lhDlEqH96lm:vhltVM/g61sNUWsSdG7R"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776773366",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f7061968-3d63-42f5-9878-77b96ed92f25",
            "value": "656642"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776773366",
            "to_ids": true,
            "type": "vhash",
            "uuid": "475d9eac-ffe1-43c6-b238-6c00f1b1b6ed",
            "value": "831135f1d26adb9cc5b8b32628d8f5dc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776773366",
            "to_ids": true,
            "type": "filename",
            "uuid": "7a372ce5-6335-4fee-ba2e-e10676b09f6c",
            "value": "7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-21\nLast VT scan: 2026-03-18",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776773366",
            "to_ids": false,
            "type": "text",
            "uuid": "4ea98106-dd7e-4ba0-ba46-01938101f5e7",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:JS/BrowInjec.Z!MTB\nVT Total Detection: 1/62 (only Microsoft flagged the sample at last scan; treat the AV verdict as weak evidence and rely on the network IOCs and hashes instead)\nFirst Submission: 2026-01-07T19:42:38.000000+00:00\nLast Submission: 2026-03-18T06:58:54.000000+00:00"
          }
        ]
      }
    ]
  }
}