Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

How to analyze Stealer with ANY.RUN

Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 269
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1412
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1848
comments 0

What is stealer malware?

Stealer malware is a type of Trojan malware that is designed to steal sensitive information from a victim's computer, including:

  • Login credentials for online accounts, such as banking, social media, and email accounts.
  • Financial information, such as credit card numbers and bank account numbers.
  • Personal information, such as names, addresses, and Social Security numbers.
  • Intellectual property, such as trade secrets and customer data.

Stealers are often distributed through phishing email attachments and links, malicious websites, and even infected USB drives.

Stealer malware is a serious threat to businesses and individuals alike. It can not only compromise victims’ privacy but also enable threat actors to undertake further harmful activities, such as ransomware attacks or data breaches.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

What can a stealer do to a computer?

The core functionality of stealer malware can vary depending on its type. However, the most common features include:

  • Information theft: Such malware can steal a wide range of sensitive data from an infected computer, including passwords and credit card numbers, email contacts, messaging app data, browser history and cookies.
  • File theft: It can also exfiltrate personal files and business files from the compromised computer to the attacker’s server.
  • Recording keystrokes: Many stealers are equipped with the ability to track the keyboard activity of the victim.
  • Taking screenshots: Stealer malware can take screenshots of the victim's computer screen.
  • Spreading through network connections: Some types of stealer malware can spread to other computers on the same network.
  • Cryptocurrency theft: Stealer malware can be used to get hold of victims’ crypto.
  • Dropping other malware: Some stealers can have an additional functionality of deploying extra payloads on the infected system.

Some types of stealer malware can be designed for a specific purpose. For instance, Laplas Clipper is a form of stealer that exclusively targets cryptocurrency users. This malicious operation involves gaining access to the clipboard in order to identify cryptocurrency addresses. The attacker then manipulates the addresses by replacing them with similar ones, deceiving the victim into unknowingly sending their funds directly into the attacker's wallet.

How do stealers spread?

In the case of stealer malware, phishing emails constitute the main attacker vector employed by threat actors. They create and distribute deceptive and fraudulent emails that aim to trick unsuspecting recipients into taking actions that could compromise their digital security. Most of the time, such messages mimic those sent by trusted sources, such as banks or popular online services, making them difficult to identify.

Once the recipient falls prey to the phishing email and clicks on the malicious link or opens the suspicious attachment, a stealer can infiltrate their computer system, which can eventually lead to financial loss to identity theft.

Alternatively, criminals often utilize fake websites, advertised through Google Ads, as well as pirated software that has built-in malware. There are also stealers that are usually dropped by loaders, including SmokeLoader, which is a modular malicious software intended for gaining initial foothold on a compromised system to deliver other payloads, including stealers.

How can a stealer gain access to a computer?

Let’s see how a typical malware password stealer accesses a system using the sample of RedLine uploaded to the ANY.RUN sandbox for analysis. The infection chain begins with the victim downloading a malicious file, which can be an Office document or an executable (often inside an archive).

Once the user launches the file, an execution process begins, which leads to the stealer being deployed on the system. The malware then creates a child process that is responsible for the malicious activity itself. This can involve stealing information from the compromised including passwords, and sending the collected data to the command and control server (C2) operated by the attacker. The information transmitted can be encrypted.

The lifecycle of RedLine The lifecycle of RedLine demonstrated by ANY.RUN

What are examples of the most persistent stealers today?

The ever-evolving threat landscape is constantly shifting, with stealers that are popular today potentially disappearing completely tomorrow. To stay updated on the latest developments in malware and collect new IOCs and samples, utilize ANY.RUN’s Malware Trends Tracker.

These are the most persistent stealers according to the service:

  • RedLine: This stealer poses a significant threat to users by collecting their private information and distributing various damaging programs. It is a versatile malware that can pull data from browsers and other applications.
  • Formbook: It is an infostealer that is available as a service practically to anyone who is interested in how to get the password stealer malware. FormBook is designed to extract different types of information from compromised systems. Additionally, it has the ability to search for, access, and manipulate files, as well as capture screenshots.
  • Arkei: Another stealer available as a Malware-as-a-Service that, once installed, is capable of pulling browser autosave forms, login credentials and passwords, files, and cryptocurrency wallets from the infected machine.
  • Agent Tesla: A spyware, which discreetly gathers data regarding the activities of its targets by capturing keystrokes and monitoring user interactions. It is deceptively promoted as genuine software. See how Agent Tesla infection takes place and collect IOCs using its sample uploaded to ANY.RUN.

Agent Tesla process tree Agent Tesla’s process tree demonstrated by ANY.RUN

How can I detect a stealer?

Stealers are an extremely widespread type of malware that is often challenging to detect because of their evasive behavior. On top of that, due to lax security policies, many organizations fall victim to phishing campaigns that cause their information to be exposed to attackers.

To prevent infection, organizations have to maintain strong security posture including by using sandboxing solutions. By uploading any suspicious file or URL to the ANY.RUN malware sandbox, you can quickly identify whether they pose any threat, as well as receive a stealer malware intelligence report containing IOCs and other information required for future detection.

ANY.RUN lets users interact with files, links, and the infected system in a safe VM environment like they would on a normal computer to ensure comprehensive analysis.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

X-Files screenshot
X-Files
xfiles
X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More