BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

How to analyze Stealer with ANY.RUN

Top malware of this type

Family
Type
Trend changes
Tasks overall
  • 2

    Laplas Clipper

    Stealer
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,53,0,0,0,0,0,0,0,0,0,0
    114
    50
  • 3

    Lumma

    Stealer
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,403,437,1376,511,91,163,233,520,1940,3351
    19
    8617
  • 4

    Azorult

    Stealer
    0,0,0,0,56,144,202,377,387,462,329,413,303,295,197,250,376,272,214,157,118,154,131,152,109,148,90,163,197,100,138,66,67,95,37,64,52,29,15,39,53,18,31,32,27,57,65,29,41,32,33,41
    21
    7565
  • 5

    PureLogs

    Stealer
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,29,21,20,25,320,71,66
    93
    325
  • 6

    StrelaStealer

    Stealer
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,573,93,4
    80
    609
  • 7

    MetaStealer

    Stealer
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,62,40,339,507,810,573
    46
    2371
  • 8

    DeerStealer

    Stealer
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,110,18
    98
    224
  • 9

    Fabookie

    Stealer
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,59,179,174,36,2,42,5,3,0,0,2
    94
    315
  • 10

    Pony

    Stealer
    0,0,96,204,253,305,429,336,165,363,276,203,266,300,248,105,246,124,99,112,72,100,56,69,121,84,61,109,113,51,126,57,108,50,27,44,53,36,34,50,77,23,31,20,7,32,14,18,32,20,28,55
    24
    7110
  • 11

    Mars Stealer

    Stealer
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,49,46,38,5,30,1,2,4,3
    105
    123
  • Last Seen at

    Recent blog posts

    post image
    How TI Feeds Support Organizational Performan...
    watchers 123
    comments 0
    post image
    Recent Cyber Attacks Discovered by ANY.RUN: O...
    watchers 407
    comments 0
    post image
    Notifications in Threat Intelligence Lookup 
    watchers 881
    comments 0

    What is stealer malware?

    Stealer malware is a type of Trojan malware that is designed to steal sensitive information from a victim's computer, including:

    • Login credentials for online accounts, such as banking, social media, and email accounts.
    • Financial information, such as credit card numbers and bank account numbers.
    • Personal information, such as names, addresses, and Social Security numbers.
    • Intellectual property, such as trade secrets and customer data.

    Stealers are often distributed through phishing email attachments and links, malicious websites, and even infected USB drives.

    Stealer malware is a serious threat to businesses and individuals alike. It can not only compromise victims’ privacy but also enable threat actors to undertake further harmful activities, such as ransomware attacks or data breaches.

    Get started today for free

    Analyze malware and phishing in a fully-interactive sandbox

    Create free account

    What can a stealer do to a computer?

    The core functionality of stealer malware can vary depending on its type. However, the most common features include:

    • Information theft: Such malware can steal a wide range of sensitive data from an infected computer, including passwords and credit card numbers, email contacts, messaging app data, browser history and cookies.
    • File theft: It can also exfiltrate personal files and business files from the compromised computer to the attacker’s server.
    • Recording keystrokes: Many stealers are equipped with the ability to track the keyboard activity of the victim.
    • Taking screenshots: Stealer malware can take screenshots of the victim's computer screen.
    • Spreading through network connections: Some types of stealer malware can spread to other computers on the same network.
    • Cryptocurrency theft: Stealer malware can be used to get hold of victims’ crypto.
    • Dropping other malware: Some stealers can have an additional functionality of deploying extra payloads on the infected system.

    Some types of stealer malware can be designed for a specific purpose. For instance, Laplas Clipper is a form of stealer that exclusively targets cryptocurrency users. This malicious operation involves gaining access to the clipboard in order to identify cryptocurrency addresses. The attacker then manipulates the addresses by replacing them with similar ones, deceiving the victim into unknowingly sending their funds directly into the attacker's wallet.

    How do stealers spread?

    In the case of stealer malware, phishing emails constitute the main attacker vector employed by threat actors. They create and distribute deceptive and fraudulent emails that aim to trick unsuspecting recipients into taking actions that could compromise their digital security. Most of the time, such messages mimic those sent by trusted sources, such as banks or popular online services, making them difficult to identify.

    Once the recipient falls prey to the phishing email and clicks on the malicious link or opens the suspicious attachment, a stealer can infiltrate their computer system, which can eventually lead to financial loss to identity theft.

    Alternatively, criminals often utilize fake websites, advertised through Google Ads, as well as pirated software that has built-in malware. There are also stealers that are usually dropped by loaders, including SmokeLoader, which is a modular malicious software intended for gaining initial foothold on a compromised system to deliver other payloads, including stealers.

    How can a stealer gain access to a computer?

    Let’s see how a typical malware password stealer accesses a system using the sample of RedLine uploaded to the ANY.RUN sandbox for analysis. The infection chain begins with the victim downloading a malicious file, which can be an Office document or an executable (often inside an archive).

    Once the user launches the file, an execution process begins, which leads to the stealer being deployed on the system. The malware then creates a child process that is responsible for the malicious activity itself. This can involve stealing information from the compromised including passwords, and sending the collected data to the command and control server (C2) operated by the attacker. The information transmitted can be encrypted.

    The lifecycle of RedLine The lifecycle of RedLine demonstrated by ANY.RUN

    What are examples of the most persistent stealers today?

    The ever-evolving threat landscape is constantly shifting, with stealers that are popular today potentially disappearing completely tomorrow. To stay updated on the latest developments in malware and collect new IOCs and samples, utilize ANY.RUN’s Malware Trends Tracker.

    These are the most persistent stealers according to the service:

    • RedLine: This stealer poses a significant threat to users by collecting their private information and distributing various damaging programs. It is a versatile malware that can pull data from browsers and other applications.
    • Formbook: It is an infostealer that is available as a service practically to anyone who is interested in how to get the password stealer malware. FormBook is designed to extract different types of information from compromised systems. Additionally, it has the ability to search for, access, and manipulate files, as well as capture screenshots.
    • Arkei: Another stealer available as a Malware-as-a-Service that, once installed, is capable of pulling browser autosave forms, login credentials and passwords, files, and cryptocurrency wallets from the infected machine.
    • Agent Tesla: A spyware, which discreetly gathers data regarding the activities of its targets by capturing keystrokes and monitoring user interactions. It is deceptively promoted as genuine software. See how Agent Tesla infection takes place and collect IOCs using its sample uploaded to ANY.RUN.

    Agent Tesla process tree Agent Tesla’s process tree demonstrated by ANY.RUN

    How can I detect a stealer?

    Stealers are an extremely widespread type of malware that is often challenging to detect because of their evasive behavior. On top of that, due to lax security policies, many organizations fall victim to phishing campaigns that cause their information to be exposed to attackers.

    To prevent infection, organizations have to maintain strong security posture including by using sandboxing solutions. By uploading any suspicious file or URL to the ANY.RUN malware sandbox, you can quickly identify whether they pose any threat, as well as receive a stealer malware intelligence report containing IOCs and other information required for future detection.

    ANY.RUN lets users interact with files, links, and the infected system in a safe VM environment like they would on a normal computer to ensure comprehensive analysis.

    Try ANY.RUN for free – request a demo!

    HAVE A LOOK AT

    LokiBot screenshot
    LokiBot
    lokibot loader trojan
    LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
    Read More
    DarkCloud screenshot
    DarkCloud
    darkcloud
    DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.
    Read More
    Ficker Stealer screenshot
    Ficker Stealer
    ficker fickerstealer stealer
    Ficker Stealer is a malware that steals passwords, files, credit card details, and other types of sensitive information on Windows systems. It is most often distributed via phishing emails and can perform keylogging, process injection, and browser tracking.
    Read More
    Predator the Thief screenshot
    Predator the Thief
    predator trojan stealer
    Predator, the Thief, is an information stealer, meaning that malware steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets.
    Read More
    PureLogs screenshot
    PureLogs
    purelogs
    PureLogs is a stealer that collects a wide range of data from infected systems, including browser data, crypto wallets, PC configuration details, etc. It is delivered by PureCrypter, another malware that belongs to the Pure malware family. PureLogs is distributed based on a subscription model, allowing any threat actor to utilize it in their attacks.
    Read More
    DeerStealer screenshot
    DeerStealer
    deerstealer
    DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
    Read More