A Comprehensive Analysis of Angry Stealer: Rage Stealer in a New Disguise

Aug. 28, 2024, 9:35 a.m.

Description

CYFIRMA's research team recently identified a sophisticated dropper binary designed to deploy an information stealer, dubbed 'Angry Stealer,' actively advertised on Telegram and other online platforms. The stealer targets sensitive data from browsers, cryptocurrency wallets, VPN credentials, and system details, exfiltrating it via Telegram. Analysis revealed 'Angry Stealer' is based on 'Rage Stealer,' sharing identical code and functionality. The dropper executes two payloads: the primary 'Stepasha.exe' for data theft and the secondary 'MotherRussia.exe,' potentially a builder tool for creating malicious executables.

External References

https://www.cyfirma.com/research/a-comprehensive-analysis-of-angry-stealer-rage-stealer-in-a-new-disguise/
https://otx.alienvault.com/pulse/66ceeed3238fc6861197b54f
Tags
infostealer
exfiltration
dropper
rebranded
telegram
2024-08-28
rage stealer
angry stealer
stepasha.exe
motherrussia.exe

Date

  • Created: Aug. 28, 2024, 9:33 a.m.
  • Published: Aug. 28, 2024, 9:33 a.m.
  • Modified: Aug. 28, 2024, 9:35 a.m.

Indicators

  • c477b037e8fe3ab68b4c1da6f9bfe01e9ea818a5b4f94ed9e2757e25035be06d
  • bb72a4c76034bd0b757b6a1e0c8265868563d11271a22d4ae26cb9fe3584a07d
Download all indicators here!

Attack Patterns

  • MotherRussia.exe
  • Stepasha.exe
  • Rage Stealer
  • Angry Stealer
  • T1048
  • T1113
  • T1204.002
  • T1005
  • T1082
  • T1566.001
  • T1083
  • T1027
  • T1566
  • T1059