STX RAT

What kind of malware is STX?

STX is a remote access Trojan (RAT) that cybercriminals were observed spreading through fake or trojanized software installers. The RAT steals passwords, browser data, crypto-wallet details, and other sensitive information after connecting to its command-and-control server. It also uses anti-detection and anti-analysis techniques.

STX malware

More about STX

First, STX checks if it is running inside a virtual machine (VM). It looks for signs of popular VM programs like VirtualBox, VMware, and QEMU and files, registry keys, drivers, or services installed by those programs. If it finds any of them, it closes itself. This helps the RAT avoid detection.

The malware also checks if it is being analyzed by security tools (such as Avast, Trend Micro, Sophos, Symantec, and others). It looks for a debugger and ensures it is running via PowerShell or MSBuild. If not, it exists. Then, STX hides its own window from the Taskbar and Alt+Tab menu. It looks for the Windows Terminal window and changes its settings so it stays hidden.

Once STX has gone through the initial steps, it can carry out various malicious actions. The RAT can update itself by downloading and running new malware from the attackers. It can steal saved credentials, remove itself, and delete persistence files. Also, it can run PowerShell scripts, programs, DLL files, or shellcode directly in memory.

Furthermore, the RAT gives attackers a hidden remote desktop to secretly control the infected device. Cybercriminals can type keys, move the mouse, scroll, and paste text on the hidden desktop. It can also switch between hidden desktops. The malware can also route traffic through the victim's device.

STX can steal saved usernames and passwords from browsers like Brave, Chrome, Edge, and Firefox. It can also collect browser cookies, saved Windows Vault credentials, and login details from FTP programs like FileZilla, WinSCP, and Cyberduck. The malware also looks for desktop cryptocurrency wallets such as Electrum, Bitcoin-Qt, and Litecoin-Qt.

Additionally, the RAT makes itself run even after the infected computer restarts. It uses PowerShell or MSBuild to secretly run its code in memory. It can also trick Windows system features into launching hidden scripts.

Threat Summary:
Name	STX remote access trojan
Threat Type	Remote Administration Trojan (RAT)
Detection Names	Avast (MalwareX-gen [Trj]), Combo Cleaner (Gen:Variant.StxRat.1), ESET-NOD32 (Win64/Agent.IJZ Trojan), Kaspersky (HEUR:Trojan.Win64.OutPack.gen), Microsoft (Trojan:Win32/Egairtigado!rfn), Full List (VirusTotal)
Symptoms	RATs are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Possible distribution methods	Compromised websites, malicious links, infected installers.
Damage	Stolen passwords and banking information, identity theft, the victim's computer added to a botnet, additional infections, financial loss.
Malware Removal (Windows)	To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. Download Combo Cleaner To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Conclusion

STX is malware designed to avoid detection and stay hidden on infected systems. It checks for virtual machines, debuggers, and security tools, and exits if it detects analysis. Once active, it can steal passwords and other sensitive data and give attackers remote control of the device.

Victims of STX attacks may have their devices infected with more malware, have personal data or money stolen, have their accounts hijacked, and encounter other issues. If detected on a device, the RAT should be removed immediately. Here are more examples of RATs: AtlasCross, CrySome, and CrystalX.

How did STX infiltrate my computer?

It is known that STX was delivered using a compromised CPUID website where legitimate download links were replaced with malicious ones. Users who downloaded and executed the infected installers unknowingly run the RAT on their devices. The malware was hidden within legitimate programs, using a technique that tricks Windows into running a malicious DLL.

Threat actors were also observed using a VBScript downloaded from a browser, which ran a JScript file to download and extract an archive containing STX. The archive contained the malware and a PowerShell loader that ran it directly in memory to avoid detection. This RAT was also spread via fake FileZilla download sites that hosted infected installers.

How to avoid installation of malware?

Only download software from official websites or trusted app stores, and stay away from pirated programs, cracks, or key generators. Keep your operating system and applications updated to the latest versions.

Be cautious with unexpected emails or messages, especially from unknown senders that include links or attachments. If anything looks suspicious, avoid opening it. Do not click on pop-ups, ads, or prompts from untrusted websites, and never allow notifications from questionable pages.

If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

DOWNLOAD Combo Cleaner

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

What is STX?
STEP 1. Manual removal of STX malware.
STEP 2. Check if your computer is clean.

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

Malware process running in the Task Manager

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1 Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Autoruns application appearance

manual malware removal step 2 Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Run Windows 7 or Windows XP in Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Run Windows 8 in Safe Mode with Networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Run Windows 10 in Safe Mode with Networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

manual malware removal step 3 Extract the downloaded archive and run the Autoruns.exe file.

Extract Autoruns.zip archive and run Autoruns.exe application

manual malware removal step 4 In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Refresh Autoruns application results

manual malware removal step 5 Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

Delete malware in Autoruns

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Search for malware and delete it

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My device is infected with STX malware, should I format my storage device to get rid of it?

Doing so will remove STX completely, but it will also deletes all data on the device. It is usually better to try a trusted anti-malware tool like Combo Cleaner first before taking more drastic steps.

What are the biggest issues that malware can cause?

Malware can steal sensitive information, encrypt files, download additional malicious software, and carry out other harmful actions. This may lead to financial loss, identity theft, unauthorized access to accounts or devices, and even permanent data loss.

What is the purpose of STX?

STX can steal passwords, cookies, information from crypto wallets, and other sensitive data. It also allows attackers to remotely control the device and launch additional attacks by downloading and running additional malware.

How did STX infiltrate my computer?

STX was spread through compromised and fake software download sites as well as malicious scripts. Users activated it by running infected installers or files disguised as legitimate programs. It was delivered using techniques that hide the malware inside seemingly legitimate software.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner is able to detect and remove many threats. However, more advanced malware can sometimes hide deeper in the system, so running a full system scan is highly recommended.