Maranhão Stealer is a Node.js-based infostealer delivered through pirated software and trojanized video game installers. Threat actors lure victims with cracked or modified game launchers that secretly install the malware on Windows systems. Once installed, Maranhão Stealer harvests sensitive data, such as browser credentials, cookies, cryptocurrency wallets, and other valuable information.
The malware targets common applications and uses evasive techniques, so early detection is important to prevent credential theft and data exfiltration. This post demonstrates how to detect the malicious activities of Maranhão Stealer with Wazuh.
Maranhão Stealer behaviour
Maranhão Stealer performs the following actions when it infects a Windows endpoint.
- Executes a command with a double .tmp pattern in its path and loads the DLL isdecmp.dll, which is the reflective DLL loader used for the injection process.
- Uses attrib.exe +h +s to set hidden and system attributes on malicious files to evade detection.
- Executes wmic queries to gather system information, including the system UUID, disk drive information with storage capacity, and graphics card details.
- Creates a new Windows Registry value, updater, in the Windows Registry path HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence.
- Executes a PowerShell command to query the BackupProductKeyDefault value from the Windows registry.
- Executes a PowerShell command using Get-Volume to enumerate disk drives.
Analyzed sample
| Hash (SHA256) |
| --- |
| 97813e1c66dc8922b8242d24a7a56409b57ce19c61042ffda93031c43a358b9b |
| 439eb3631638c61842a20e47e1a31d3c1e917f37688bc3ccdac67dae030117a6 |
| 16837d2715bc4afb190c08013ba185b4e62dc65fcbd5320f2dfe6f6be2ca9c27 |
Infrastructure
We use the following infrastructure to demonstrate how to detect Maranhão Stealer with Wazuh:
- A pre-built, ready-to-use Wazuh OVA 4.13.1, which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow the instructions in this guide to download and set up the Wazuh virtual machine.
- A Windows 11 victim endpoint with the Wazuh agent 4.13.1 installed and enrolled to the Wazuh server.
Detection with Wazuh
We use the following Wazuh capabilities to detect the known activities associated with Maranhão Stealer:
- Custom detection rules to detect Maranhão Stealer activities.
- Security Configuration Assessment (SCA) to check for the presence of Maranhão Stealer artifacts.
Custom detection rules
We use Sysmon to monitor several system events and create custom detection rules on the Wazuh server to detect the malicious behavior of Maranhão Stealer.
Windows endpoint
Complete these steps to configure the Wazuh agent to capture logs with Sysmon and forward them to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Extract the compressed Sysmon file to your preferred directory.
3. Download the Sysmon configuration file sysmonconfig.xml using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the directory path to your Sysmon executable.
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
4. Switch to the folder with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
5. Add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file within the <ossec_config> block to capture and forward Sysmon event logs to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
6. Restart the Wazuh agent to apply the configuration changes:
> Restart-Service -Name wazuh
Wazuh dashboard
Create custom rules to detect Maranhão Stealer activities on the monitored Windows endpoint. Perform the steps below to add rules to the Wazuh server for analysis.
1. Navigate to Server management > Rules.
2. Click + Add new rules file.
3. Copy and paste the rules below and name the file maranhao_rules.xml, then click Save.
<group name="maranhao,malware,">
  <rule id="100201" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)[^"]*\.tmp[^"]*\.tmp</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">(?i)[^"]*\.tmp[^"]*\.tmp</field>
    <description>Possible Maranhao malware activity: Detection of double .tmp in command line - possible masquerading</description>
    <mitre>
      <id>T1036</id>
    </mitre>
  </rule>
  <rule id="100202" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)\.tmp</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">(?i)isdecmp.dll</field>
    <description>Possible Maranhao malware activity: isdecmp.dll loaded by .tmp file</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>
  <rule id="100203" level="15">
    <if_sid>92302</if_sid>
    <field name="win.eventdata.TargetObject" type="pcre2">Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</field>
    <field name="win.eventdata.details" type="pcre2">updater\.exe</field>
    <description>Maranhao malware activity: $(win.eventdata.details) added to the Run Registry to establish persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>
  <rule id="100204" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)attrib\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)\+h.*\+s|\+s.*\+h</field>
    <field name="win.eventdata.CommandLine" type="pcre2">crypto|infoprocess</field>
    <description>Maranhao malware activity: attrib.exe used to hide a file with +h +s attributes in $(win.eventdata.CurrentDirectory)</description>
    <mitre>
      <id>T1564.001</id>
    </mitre>
  </rule>
  <rule id="100205" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)cmd\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)wmic.*(os|cpu|csproduct|win32_VideoController|logicaldisk).*get.*(Caption|Name|UUID|FreeSpace|Size|Description)</field>
    <field name="win.eventdata.ParentImage" type="pcre2">(?i)updater\.exe</field>
    <description>Maranhao malware activity: System fingerprinting via wmic command: $(win.eventdata.commandLine)</description>
    <mitre>
      <id>T1082</id>
      <id>T1059.003</id>
    </mitre>
  </rule>
  <rule id="100206" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)Get-ItemProperty.*SoftwareProtectionPlatform.*BackupProductKeyDefault</field>
    <description>Maranhao malware activity: Malicious PowerShell command to retrieve Windows product key from registry</description>
    <mitre>
      <id>T1552.002</id>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <rule id="100207" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)Get-Volume.*DriveLetter</field>
    <field name="win.eventdata.ParentImage" type="pcre2">(?i)updater\.exe</field>
    <description>Maranhao malware activity: Disk volume enumeration via PowerShell: $(win.eventdata.commandLine)</description>
    <mitre>
      <id>T1082</id>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>
Where:
- Rule ID 100201 is triggered when a process with a double .tmp pattern in its path loads another module with a double .tmp pattern.
- Rule ID 100202 is triggered when the malware loads isdecmp.dll.
- Rule ID 100203 is triggered when a registry value named updater is created or modified under a user's Run key and its data points to a file named updater.exe.
- Rule ID 100204 is triggered when the attrib.exe utility is executed with the +h +s flags to hide a file whose name contains crypto or infoprocess.
- Rule ID 100205 is triggered when the malware executes wmic queries for system information.
- Rule ID 100206 is triggered when powershell.exe is used to query the BackupProductKeyDefault value from the Windows registry.
- Rule ID 100207 is triggered when the malware executes a PowerShell command using Get-Volume to enumerate disk drives.
4. Click Reload to apply the changes. Click Confirm when prompted.
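To see how the rule conditions above behave against real-looking events, here is an added Python emulation (not part of this post or of Wazuh) that applies the pcre2 patterns of rules 100201, 100202, 100204, 100205 and 100207 to constructed Sysmon-style events; the <if_sid> parent chain and the registry rule are left out, and every path, user name and command in the events is made-up test data.

```python
import re
# Added example, not from the Wazuh post: a minimal emulation of how the
# <field type="pcre2"> conditions of the custom rules above are evaluated.
# Wazuh fires a rule only when every <field> element of it matches; the
# parent rule chain (<if_sid> 61603/61609) is not modelled. Patterns are
# copied from the rules; the events below are constructed test data.
RULES = {
    100201: [("Image", r'(?i)[^"]*\.tmp[^"]*\.tmp'),
             ("ImageLoaded", r'(?i)[^"]*\.tmp[^"]*\.tmp')],
    100202: [("Image", r"(?i)\.tmp"), ("ImageLoaded", r"(?i)isdecmp.dll")],
    100204: [("Image", r"(?i)attrib\.exe"), ("CommandLine", r"(?i)\+h.*\+s|\+s.*\+h"),
             ("CommandLine", r"crypto|infoprocess")],
    100205: [("Image", r"(?i)cmd\.exe"), ("ParentImage", r"(?i)updater\.exe"),
             ("CommandLine", r"(?i)wmic.*(os|cpu|csproduct|win32_VideoController|logicaldisk)"
                             r".*get.*(Caption|Name|UUID|FreeSpace|Size|Description)")],
    100207: [("Image", r"(?i)\.exe"), ("CommandLine", r"(?i)Get-Volume.*DriveLetter"),
             ("ParentImage", r"(?i)updater\.exe")],
}

def matching_rules(event):
    """Sorted IDs of rules whose field patterns all match; a missing field never matches."""
    return sorted(rid for rid, conds in RULES.items()
                  if all(f in event and re.search(p, event[f]) for f, p in conds))

# Constructed Sysmon-style events (win.eventdata fields only).
UPD_DIR = r"C:\Users\alice\AppData\Local\Programs\Microsoft Updater"
EVENTS = {
    # isdecmp.dll loaded by a .tmp process: 100202 fires; 100201 does not (one ".tmp" in ImageLoaded)
    "loader": {"Image": r"C:\Users\alice\AppData\Local\Temp\a.tmp\b.tmp",
               "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\a.tmp\isdecmp.dll"},
    # attrib.exe hiding crypto.key with both +h and +s -> 100204
    "hide_key": {"Image": r"C:\Windows\System32\attrib.exe",
                 "CommandLine": f'attrib +h +s "{UPD_DIR}\\crypto.key"',
                 "ParentImage": UPD_DIR + r"\updater.exe"},
    # wmic fingerprinting spawned by updater.exe -> 100205
    "wmic": {"Image": r"C:\Windows\System32\cmd.exe",
             "CommandLine": "cmd.exe /c wmic csproduct get UUID",
             "ParentImage": UPD_DIR + r"\updater.exe"},
    # benign: +h without +s, so the second CommandLine pattern fails -> no alert
    "benign_attrib": {"Image": r"C:\Windows\System32\attrib.exe",
                      "CommandLine": r"attrib +h C:\notes\todo.txt",
                      "ParentImage": r"C:\Windows\explorer.exe"},
    # same wmic query from an interactive shell: parent is not updater.exe -> no alert
    "admin_wmic": {"Image": r"C:\Windows\System32\cmd.exe",
                   "CommandLine": "cmd.exe /c wmic csproduct get UUID",
                   "ParentImage": r"C:\Windows\explorer.exe"},
}
if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:14s} -> {matching_rules(ev)}")
```

Running the script prints which rule IDs each constructed event would trigger, which is a quick way to check a pattern change before reloading the rules on the server.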

Detection results
The alerts below are generated on the Wazuh dashboard when Maranhão Stealer is executed on a Windows endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.
1. Navigate to Agents management > Summary and select the Windows agent.
2. Click on Threat Hunting and select the Events tab.
3. Click + Add filter. Then filter for rule.groups in the Field field. Select is one of in the Operator field. 
4. Add the filters maranhao and malware in the Values field.
5. Click Save.

Security configuration assessment (SCA)
The Wazuh SCA module evaluates system configurations by comparing them against a predefined set of rules and benchmarks. It performs checks that test system hardening, detect vulnerable software, and validate configuration policies on a monitored endpoint. The SCA module helps organizations enhance their security posture, thus ensuring compliance with industry standards and reducing the risk of security breaches.
Windows endpoint
We configure the Wazuh SCA module to check for the presence of Maranhão Stealer artifacts on the Windows endpoint.
1. Launch PowerShell with administrative privilege and create a folder to store custom SCA policy files:
> New-Item -Path "C:\Program Files (x86)\" -Name "sca_policies" -ItemType Directory
Note
Custom SCA policy files created inside the default Wazuh rule set folder are not retained after upgrades. Hence, the C:\Program Files (x86)\sca_policies folder is created outside the Wazuh agent installation folder for persistence.
2. Create a file maranhao_stealer_check.yml in the C:\Program Files (x86)\sca_policies folder:
> New-Item -Path 'C:\Program Files (x86)\sca_policies\maranhao_stealer_check.yml' -ItemType File
3. Add the following content to the C:\Program Files (x86)\sca_policies\maranhao_stealer_check.yml file:
# Security Configuration Assessment
# Audit for Maranhao Stealer malware
# Copyright (C) 2025, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
policy:
  id: "maranhao_stealer_malware"
  file: "maranhao_stealer_check.yml"
  name: "Maranhao Stealer malware Windows OS check"
  description: "Detecting Maranhao Stealer malware artifacts and persistence mechanisms"
requirements:
  title: "Checking for Maranhao Stealer malware on Windows based systems"
  description: "Requirements for running the audit policy under a Windows platform"
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'
checks:
  - id: 78000
    title: "Maranhao stealer artifact: Checking for Maranhao Stealer installation directory"
    description: "Check for the presence of the malicious installation directory"
    remediation: "Investigate and remove the Microsoft Updater directory. Investigate and delete HKCU/Software/Microsoft/Windows/CurrentVersion/Run/updater from the Windows Registry"
    condition: all
    rules:
      - 'not d:C:\Users\<USERNAME>\AppData\Local\Programs\Microsoft Updater'
  - id: 78001
    title: "Maranhao Stealer artifact: Checking for main executable (updater.exe)"
    description: "Check for the presence of the main Maranhao executable in the AppData directory"
    remediation: "Investigate and remove the updater executable"
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Programs\Microsoft Updater\updater.exe'
  - id: 78002
    title: "Maranhao Stealer artifact: Checking for hidden cryptographic key file (crypto.key)"
    description: "Check for the presence of the hidden crypto key file."
    remediation: "Investigate and remove the crypto key file"
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\AppData\Local\Programs\Microsoft Updater\crypto.key'
Note
Replace <USERNAME> with the username of the logged-in user.
4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following configuration within the <sca> block:
<policies>
  <policy>C:\Program Files (x86)\sca_policies\maranhao_stealer_check.yml</policy>
</policies>
5. Restart the Wazuh agent for the changes to take effect:
> Restart-Service -Name WazuhSvc
Visualizing the scan results
1. Navigate to the Configuration Assessment page on the Wazuh dashboard.
2. Select the monitored Windows endpoint, then select Maranhao Stealer malware Windows OS check to view the scan results.
A Failed result indicates that Maranhão Stealer artifacts were detected on the endpoint. Conversely, a Passed result indicates that no Maranhão Stealer artifacts were detected and that the endpoint meets the criteria of this SCA policy.
The screenshot below displays SCA alerts generated on the Wazuh dashboard when artifacts associated with Maranhão Stealer are detected.

Conclusion
Maranhão Stealer targets widely used applications and employs advanced evasion techniques to avoid detection. Wazuh detects Maranhão Stealer through log enrichment with Sysmon, custom detection rules, and Wazuh SCA capabilities.
Consult the Wazuh documentation to refine your setup or explore its capabilities. Join our community, where our team and other Wazuh users assist with any questions related to Wazuh.