Stealer
A list of information-stealing malware (stealers).
Authors
| Authors and/or Contributors |
|---|
| raw-data |
Nocturnal Stealer
It is designed to steal data found within multiple Chromium- and Firefox-based browsers; it can also steal many popular cryptocurrency wallets as well as any saved FTP passwords within FileZilla. Nocturnal Stealer uses several anti-VM and anti-analysis techniques, which include but are not limited to: environment fingerprinting, checking for debuggers and analyzers, searching for known virtual machine registry keys, and checking for emulation software.
Internal MISP references
UUID e7080bce-99b5-4615-a798-a192ed89bd5a
which can be used as a unique global reference for Nocturnal Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| date | March 2018 |
Related clusters
TeleGrab
The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.
Internal MISP references
UUID a6780288-24eb-4006-9ddd-062870c6feec
which can be used as a unique global reference for TeleGrab in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| date | March 2018 |
AZORult
It is able to steal accounts from different software, such as Firefox, Internet Explorer/Edge, Thunderbird, Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) get information about the machine (name, CPU type, graphics card, amount of memory), (4) take screen captures, and (5) steal cryptocurrency wallets from Electrum, MultiBit, monero-project and bitcoin-qt.
Internal MISP references
UUID a646edab-5c6f-4a79-8a6c-153535259e16
which can be used as a unique global reference for AZORult in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
- https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers
- https://malware.lu/articles/2018/05/04/azorult-stealer.html
Associated metadata
| Metadata key | Value |
|---|---|
| date | July 2018 |
Vidar
Vidar is a fork of the Arkei malware. It appears to be one of the first stealers that grabs information from 2FA software and the Tor Browser.
Internal MISP references
UUID 045ab0d5-2f08-4fcd-af47-81c1143fa5fb
which can be used as a unique global reference for Vidar in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| date | Dec 2018 |
Ave Maria
Information stealer that uses AutoIT as a wrapper.
Internal MISP references
UUID f3413f6c-5c3a-4df0-bbb5-2dbdf4d68c4c
which can be used as a unique global reference for Ave Maria in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| date | Jan 2019 |
HackBoss
A cryptocurrency-stealing malware distributed through Telegram.
Internal MISP references
UUID ebc1c15d-3e27-456e-9473-61d92d91bda8
which can be used as a unique global reference for HackBoss in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| date | April 2021 |
Prynt Stealer
Prynt Stealer is an information stealer that has the ability to capture credentials that are stored on a compromised system including web browsers, VPN/FTP clients, as well as messaging and gaming applications. Its developer based the malware code on open source projects including AsyncRAT and StormKitty. Prynt Stealer uses Telegram to exfiltrate data that is stolen from victims. Its author added a backdoor Telegram channel to collect the information stolen by other criminals.
Internal MISP references
UUID 8f5a452a-4056-4004-bc9a-4c11cb8cf2b4
which can be used as a unique global reference for Prynt Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
Related clusters
DarkEye
Nearly identical to Prynt Stealer, with a few differences. DarkEye is not sold or mentioned publicly; instead, it is bundled as a backdoor with a "free" Prynt Stealer builder.
Internal MISP references
UUID 46bff4ad-09fe-4ac5-803e-daa3b73e3aaf
which can be used as a unique global reference for DarkEye in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
Related clusters
WorldWind
Prynt Stealer variant that appears to be written by the same author. It is nearly identical to Prynt Stealer, with a few minor differences. While Prynt Stealer is the most popular brand name under which the malware is sold, WorldWind payloads are the most commonly observed in the wild.
Internal MISP references
UUID d410b534-07a4-4190-b253-f6616934bea6
which can be used as a unique global reference for WorldWind in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
Related clusters
DarkCloud Stealer
A stealer written in Visual Basic.
Internal MISP references
UUID e550f534-dc8b-4f94-a276-ce3d5d9c8115
which can be used as a unique global reference for DarkCloud Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
Related clusters
Album Stealer
The Zscaler ThreatLabz research team has spotted a new information stealer named Album. Album Stealer is disguised as a photo album that drops decoy adult images while performing malicious activity in the background. The threat group launching these attacks may be located in Vietnam.
Internal MISP references
UUID 7f95ebda-2c7b-49a4-ad57-bd5766a1f651
which can be used as a unique global reference for Album Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
Rhadamanthys
According to PCrisk, Rhadamanthys is stealer-type malware and, as its name implies, it is designed to extract data from infected machines.
Internal MISP references
UUID 9eb2a417-2bb6-496c-816b-bccb3f3074f6
which can be used as a unique global reference for Rhadamanthys in MISP communities and other software using the MISP galaxy
External references
- https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
- https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
- https://www.malware-traffic-analysis.net/2023/01/03/index.html
- https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/
Associated metadata
| Metadata key | Value |
|---|---|
Sordeal-Stealer
Python-based stealer targeting Discord, Steam, ...
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular cluster, here Sordeal-Stealer.

| Known Synonyms |
|---|
| Sordeal |
| Sordeal Stealer |
Internal MISP references
UUID 0266302b-52d3-44da-ab63-a8a6f16de737
which can be used as a unique global reference for Sordeal-Stealer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
Mars Stealer
Mars Stealer is an improved successor of Oski Stealer, supporting theft from current browsers and targeting cryptocurrencies and 2FA plugins. Mars Stealer is written in ASM/C using the WinAPI and weighs 95 kb. It uses special techniques to hide WinAPI calls, encrypts its strings, collects information in memory, supports a secure SSL connection to the C&C, and does not use the CRT or STD.
Internal MISP references
UUID 64e51712-89d6-4c91-98ac-8907eafe98c6
which can be used as a unique global reference for Mars Stealer in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer
- https://3xp0rt.com/posts/mars-stealer/
- https://cyberint.com/blog/research/mars-stealer/
- https://isc.sans.edu/diary/rss/28468
- https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468
- https://blog.morphisec.com/threat-research-mars-stealer
- https://cert.gov.ua/article/38606
- https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique
- https://blog.sekoia.io/mars-a-red-hot-information-stealer/
- https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/
- https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer
- https://resources.infosecinstitute.com/topics/malware-analysis/mars-stealer-malware-analysis/
- https://www.microsoft.com/en-us/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer
- https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html
- https://www.kelacyber.com/information-stealers-a-new-landscape/
- https://cyble.com/blog/fake-atomic-wallet-website-distributing-mars-stealer/
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf
- https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view
- https://threatmon.io/mars-stealer-malware-analysis-2022/
- https://threatmon.io/storage/mars-stealer-malware-analysis-2022.pdf
- https://3xp0rt.com/posts/mars-stealer/forum.png
Associated metadata
| Metadata key | Value |
|---|---|
Related clusters
Oski Stealer
The Oski stealer is a malicious information stealer, first introduced in November 2019. As the name implies, the Oski stealer steals personal and sensitive information from its targets. "Oski" is derived from an old Nordic word meaning Viking warrior, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its victims.
Internal MISP references
UUID 54b61c7e-8ced-4b90-a295-62102bfd4f32
which can be used as a unique global reference for Oski Stealer in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.oski
- https://twitter.com/albertzsigovits/status/1160874557454131200
- https://www.bitdefender.com/blog/labs/
- https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer
- https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601
- https://yoroi.company/en/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/
- https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view
- https://www.rapid7.com/solutions/unified-mdr-xdr-vm/
- https://3xp0rt.com/posts/mars-stealer/
- https://cyberint.com/blog/research/mars-stealer/
- https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468
Associated metadata
| Metadata key | Value |
|---|---|
WARPWIRE
WARPWIRE is a JavaScript-based credential stealer.
Internal MISP references
UUID b581b182-505a-4243-9569-c175513c4441
which can be used as a unique global reference for WARPWIRE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|