type: entity
confidence: medium
created: 2026-06-01
updated: 2026-06-01
tags: malware-family, infostealer, clipper, pe, mingw, c2, discovery, collection

maskgramstealer

Overview

MinGW-w64 PE64 infostealer cluster first observed in May–June 2026. It traverses the Windows user-profile directories (Desktop, Downloads, Documents) looking for wallet seed phrases and cryptocurrency recovery files, captures a screenshot, harvests system information (MachineGuid, username), and exfiltrates over HTTPS to a Telegram-style endpoint. It is distinguished from earlier MinGW infostealers by a hardcoded user_ Telegram ID, a Chrome User-Agent masquerade, and (in newer variants) an in-memory PE export-hash API resolver in place of a normal import table.

Build Stack

  • Language / Toolchain: C/C++ compiled with MinGW-w64 GCC, binutils 2.41
  • Arch: PE32+ x86-64, Windows console subsystem, stripped
  • Timestamp: PE timestamps appear fabricated (May 2026), which suggests builder automation or repacking rather than a single hand-built binary
  • IAT: Sparse; many critical APIs (network, file-system, injection) are resolved dynamically at runtime, so static import-based triage understates the real capability set
  • Signing: None
  • Anti-analysis: None observed beyond the export-hash resolver (newer variants) and XOR-LUT string decryption: no packing, no anti-VM, no anti-debug

Capabilities

  • wallet-seed-regex-file-scanning
  • screenshot-jpg-capture
  • machineguid-system-fingerprinting
  • user-profile-directory-enumeration
  • json-like-payload-serialization
  • process-injection-CreateRemoteThread
  • telegram-user-id-hardcoded
  • chrome-user-agent-masquerade
  • runtime-api-resolution-export-hash
  • string-decryption-xor-lut
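
How the export-hash resolver works, as an added example (this is not code from the sample or from any report on this page). The script builds a constructed, minimal PE32+ image carrying only an export directory, then walks that directory the way an in-memory resolver does: iterate the name table, hash each exported name, and on a match follow the name-ordinal table into the function-address table. The hash algorithm (ROR13) is an assumption; the page does not say which one the sample uses. The export names, RVAs and layout offsets are constructed.

```python
import struct


# Assumption: the page does not name the hash. ROR13 (rotate the running value
# right by 13, then add the byte) is the common shellcode-style choice.
def ror13_hash(name: bytes) -> int:
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def build_fake_image(exports: dict) -> bytes:
    """Constructed sample, not a real DLL: a PE32+ image with only an export
    directory, laid out so that RVA == offset (i.e. as if already mapped)."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                     # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=AMD64, 0 sections, SizeOfOptionalHeader=0xF0
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 0xF0, 0x2022)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                     # PE32+ magic
    exp_dir, funcs, name_ptrs, ordinals, strings = 0x200, 0x300, 0x340, 0x380, 0x400
    struct.pack_into("<II", img, opt + 0x70, exp_dir, 0x200)    # DataDirectory[EXPORT]
    names = sorted(exports)                                     # real name tables are sorted
    n = len(names)
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name,
    # Base=1, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
    # AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, exp_dir,
                     0, 0, 0, 0, 0, 1, n, n, funcs, name_ptrs, ordinals)
    cursor = strings
    for i, name in enumerate(names):
        ordinal = n - 1 - i   # deliberately != i so the ordinal indirection matters
        struct.pack_into("<I", img, funcs + 4 * ordinal, exports[name])
        struct.pack_into("<H", img, ordinals + 2 * i, ordinal)
        struct.pack_into("<I", img, name_ptrs + 4 * i, cursor)
        raw = name.encode() + b"\0"
        img[cursor:cursor + len(raw)] = raw
        cursor += len(raw)
    return bytes(img)


def resolve_by_hash(image: bytes, target: int):
    """Walk a mapped image's export directory as an in-memory resolver does.
    Returns (name, function RVA) for the first export whose hash == target."""
    if image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                                         # past signature + file header
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (0x70 if magic == 0x20B else 0x60)               # DataDirectory, PE32+ vs PE32
    exp_rva = struct.unpack_from("<I", image, dd)[0]
    if exp_rva == 0:
        return None
    n_names, funcs, names, ords = struct.unpack_from("<IIII", image, exp_rva + 24)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)]
        if ror13_hash(name) == target:
            ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
            rva = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
            return name.decode(), rva
    return None


def label_hashes(constants, candidate_names):
    """Analyst side: map hash constants pulled from a sample back to API names
    by precomputing the hash of every candidate name."""
    table = {ror13_hash(n.encode()): n for n in candidate_names}
    return {c: table.get(c) for c in constants}


if __name__ == "__main__":
    # Constructed export set; RVAs are arbitrary.
    exports = {"CreateFileW": 0x11000, "VirtualAllocEx": 0x12000,
               "WriteProcessMemory": 0x13000, "CreateRemoteThread": 0x14000}
    img = build_fake_image(exports)
    h = ror13_hash(b"CreateRemoteThread")
    print(hex(h), resolve_by_hash(img, h))
    print(label_hashes([h, 0x0BADF00D], exports))
```

For triage of a real sample the useful direction is label_hashes: pull the 32-bit constants the resolver compares against, hash the export names of kernel32/ntdll/ws2_32/user32 with each candidate algorithm, and see which table the constants fall into. Because the IAT is sparse, this recovered list is the real import table.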

Deploy / TTPs

Technique                                     ID         Evidence
Data from Local System                        T1005      %DESKTOP%, %DOWNLOADS%, %DOCUMENTS% traversal
Screen Capture                                T1113      screenshot.jpg
Steal Crypto Wallet                           T1649      Wallet seed-phrase regex
Process Injection                             T1055      CreateRemoteThread, WriteProcessMemory, VirtualAllocEx
Application Layer Protocol: Web Protocols     T1071.001  Chrome User-Agent; hardcoded Telegram user_ ID
System Information Discovery                  T1082      MachineGuid, GetUserNameW
Unsecured Credentials: Credentials In Files   T1552.001  Regex-based file matching
Clipboard Data                                T1115      "browser: " and "[BLOB:" string fragments

The wallet row keeps the page's original mapping; note that T1649 in ATT&CK is Steal or Forge Authentication Certificates, so verify that ID before reusing it in detections or reports.
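
What the collection TTPs above (T1005 profile traversal plus regex-based seed-phrase matching) look like in practice, as an added example that is not taken from the sample or from any report on this page: a Python scanner run over a constructed user profile. The regex, the file-name hints, the size cap and the sample files are all assumptions; the page only says the stealer applies a seed-phrase regex to files under Desktop, Downloads and Documents.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumption: 12 or 24 lowercase words of 3-8 letters separated by spaces/tabs,
# the usual shape of a BIP39 mnemonic. The page does not give the real regex.
SEED_RE = re.compile(r"\b(?:[a-z]{3,8}[ \t]+){11}(?:(?:[a-z]{3,8}[ \t]+){12})?[a-z]{3,8}\b")

# Assumed file-name hints for "cryptocurrency recovery files".
NAME_HINTS = re.compile(r"(wallet|seed|recovery|mnemonic|phrase)", re.I)
TARGET_DIRS = ("Desktop", "Downloads", "Documents")   # %DESKTOP%, %DOWNLOADS%, %DOCUMENTS%
TEXT_EXT = {".txt", ".md", ".rtf", ".json", ".csv", ".log"}
MAX_SIZE = 512 * 1024                                # skip large files, as a stealer would


def looks_like_seed(text: str) -> bool:
    return SEED_RE.search(text) is not None


def scan_profile(profile_root) -> list:
    """Walk the three target directories and return (relative path, reasons)
    for every file that a name hint or the seed regex flags."""
    root = Path(profile_root)
    hits = []
    for d in TARGET_DIRS:
        base = root / d
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if not p.is_file():
                continue
            reasons = []
            if NAME_HINTS.search(p.name):
                reasons.append("name")
            if p.suffix.lower() in TEXT_EXT and p.stat().st_size <= MAX_SIZE:
                if looks_like_seed(p.read_text(errors="ignore")):
                    reasons.append("seed-regex")
            if reasons:
                hits.append((p.relative_to(root).as_posix(), reasons))
    return sorted(hits)


# Constructed sample profile. The 12-word line is the start of the BIP39 wordlist;
# the readme is plain prose that also has 12 lowercase words, to show the regex is noisy.
SAMPLE_FILES = {
    "Desktop/notes.txt": "meeting at ten with the infra team about patching",
    "Desktop/readme.txt": "please keep this folder tidy and remove old files every friday morning",
    "Documents/backup.txt": "abandon ability able about above absent absorb abstract absurd abuse access accident",
    "Documents/invoice.txt": "total due thirty days net",
    "Downloads/ledger-recovery.pdf": b"%PDF-1.4 placeholder",
    "Music/seed.txt": "this directory is not traversed",
}


def demo() -> list:
    """Materialise SAMPLE_FILES in a temp dir, scan it, and clean up."""
    root = Path(tempfile.mkdtemp(prefix="maskgram-demo-"))
    try:
        for rel, content in SAMPLE_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            if isinstance(content, bytes):
                p.write_bytes(content)
            else:
                p.write_text(content)
        return scan_profile(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, reasons)
```

The readme hit shows why a scanner of this shape is noisy: any run of twelve short lowercase words matches. The stealer does not care, since it ships everything it flags, but a defender reusing the idea for hunting or for planting decoy files should validate candidates against the BIP39 wordlist (and its checksum) before acting on them.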

Notable Analyses

  • abeaa63b report — abeaa63b, maskgramstealer, first observed with export-hash resolver
  • af6e1f46 report — af6e1f46, direct sibling (no export-hash resolver), triage-labeled unclassified-pe64-clipper
  • maskgramstealer-vs-unclassified-pe64-clipper — delta sheet between siblings