A Comprehensive Analysis of Angry Stealer: Rage Stealer in a New Disguise

Aug. 28, 2024, 9:35 a.m.

Tags
infostealer
exfiltration
dropper
rebranded
telegram
2024-08-28
rage stealer
angry stealer
stepasha.exe
motherrussia.exe
External References
Description

CYFIRMA's research team recently identified a sophisticated dropper binary designed to deploy an information stealer, dubbed 'Angry Stealer,' actively advertised on Telegram and other online platforms. The stealer targets sensitive data from browsers, cryptocurrency wallets, VPN credentials, and system details, exfiltrating it via Telegram. Analysis revealed 'Angry Stealer' is based on 'Rage Stealer,' sharing identical code and functionality. The dropper executes two payloads: the primary 'Stepasha.exe' for data theft and the secondary 'MotherRussia.exe,' potentially a builder tool for creating malicious executables.

Date

Published: Aug. 28, 2024, 9:33 a.m.

Created: Aug. 28, 2024, 9:33 a.m.

Modified: Aug. 28, 2024, 9:35 a.m.

Indicators

c477b037e8fe3ab68b4c1da6f9bfe01e9ea818a5b4f94ed9e2757e25035be06d

bb72a4c76034bd0b757b6a1e0c8265868563d11271a22d4ae26cb9fe3584a07d

Download all indicators here!

Attack Patterns

MotherRussia.exe

Stepasha.exe

Rage Stealer

Angry Stealer

T1048

T1113

T1204.002

T1005

T1082

T1566.001

T1083

T1027

T1566

T1059