BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

How to analyze Stealer with ANY.RUN

Top malware of this type

Trend changes
Tasks overall
  • 2


  • 3


  • 4


  • 5

    Predator the Thief

  • 6


  • 7


  • 8


  • 9


  • 10

    Ficker Stealer

  • 11

    Laplas Clipper

  • Last Seen at

    Recent blog posts

    post image
    What Are the 3 Types of Threat Intelligence D...
    watchers 149
    comments 0
    post image
    Expert Q&A: Aaron Fillmore on his Cyberse...
    watchers 161
    comments 0
    post image
    Malware Trends Report: Q2, 2024 
    watchers 1630
    comments 0

    What is stealer malware?

    Stealer malware is a type of Trojan malware that is designed to steal sensitive information from a victim's computer, including:

    • Login credentials for online accounts, such as banking, social media, and email accounts.
    • Financial information, such as credit card numbers and bank account numbers.
    • Personal information, such as names, addresses, and Social Security numbers.
    • Intellectual property, such as trade secrets and customer data.

    Stealers are often distributed through phishing email attachments and links, malicious websites, and even infected USB drives.

    Stealer malware is a serious threat to businesses and individuals alike. It can not only compromise victims’ privacy but also enable threat actors to undertake further harmful activities, such as ransomware attacks or data breaches.

    Get started today for free

    Easily analyze emerging malware with ANY.RUN interactive online sandbox

    Register for free

    What can a stealer do to a computer?

    The core functionality of stealer malware can vary depending on its type. However, the most common features include:

    • Information theft: Such malware can steal a wide range of sensitive data from an infected computer, including passwords and credit card numbers, email contacts, messaging app data, browser history and cookies.
    • File theft: It can also exfiltrate personal files and business files from the compromised computer to the attacker’s server.
    • Recording keystrokes: Many stealers are equipped with the ability to track the keyboard activity of the victim.
    • Taking screenshots: Stealer malware can take screenshots of the victim's computer screen.
    • Spreading through network connections: Some types of stealer malware can spread to other computers on the same network.
    • Cryptocurrency theft: Stealer malware can be used to get hold of victims’ crypto.
    • Dropping other malware: Some stealers can have an additional functionality of deploying extra payloads on the infected system.

    Some types of stealer malware can be designed for a specific purpose. For instance, Laplas Clipper is a form of stealer that exclusively targets cryptocurrency users. This malicious operation involves gaining access to the clipboard in order to identify cryptocurrency addresses. The attacker then manipulates the addresses by replacing them with similar ones, deceiving the victim into unknowingly sending their funds directly into the attacker's wallet.

    How do stealers spread?

    In the case of stealer malware, phishing emails constitute the main attacker vector employed by threat actors. They create and distribute deceptive and fraudulent emails that aim to trick unsuspecting recipients into taking actions that could compromise their digital security. Most of the time, such messages mimic those sent by trusted sources, such as banks or popular online services, making them difficult to identify.

    Once the recipient falls prey to the phishing email and clicks on the malicious link or opens the suspicious attachment, a stealer can infiltrate their computer system, which can eventually lead to financial loss to identity theft.

    Alternatively, criminals often utilize fake websites, advertised through Google Ads, as well as pirated software that has built-in malware. There are also stealers that are usually dropped by loaders, including SmokeLoader, which is a modular malicious software intended for gaining initial foothold on a compromised system to deliver other payloads, including stealers.

    How can a stealer gain access to a computer?

    Let’s see how a typical malware password stealer accesses a system using the sample of RedLine uploaded to the ANY.RUN sandbox for analysis. The infection chain begins with the victim downloading a malicious file, which can be an Office document or an executable (often inside an archive).

    Once the user launches the file, an execution process begins, which leads to the stealer being deployed on the system. The malware then creates a child process that is responsible for the malicious activity itself. This can involve stealing information from the compromised including passwords, and sending the collected data to the command and control server (C2) operated by the attacker. The information transmitted can be encrypted.

    The lifecycle of RedLine The lifecycle of RedLine demonstrated by ANY.RUN

    What are examples of the most persistent stealers today?

    The ever-evolving threat landscape is constantly shifting, with stealers that are popular today potentially disappearing completely tomorrow. To stay updated on the latest developments in malware and collect new IOCs and samples, utilize ANY.RUN’s Malware Trends Tracker.

    These are the most persistent stealers according to the service:

    • RedLine: This stealer poses a significant threat to users by collecting their private information and distributing various damaging programs. It is a versatile malware that can pull data from browsers and other applications.
    • Formbook: It is an infostealer that is available as a service practically to anyone who is interested in how to get the password stealer malware. FormBook is designed to extract different types of information from compromised systems. Additionally, it has the ability to search for, access, and manipulate files, as well as capture screenshots.
    • Arkei: Another stealer available as a Malware-as-a-Service that, once installed, is capable of pulling browser autosave forms, login credentials and passwords, files, and cryptocurrency wallets from the infected machine.
    • Agent Tesla: A spyware, which discreetly gathers data regarding the activities of its targets by capturing keystrokes and monitoring user interactions. It is deceptively promoted as genuine software. See how Agent Tesla infection takes place and collect IOCs using its sample uploaded to ANY.RUN.

    Agent Tesla process tree Agent Tesla’s process tree demonstrated by ANY.RUN

    How can I detect a stealer?

    Stealers are an extremely widespread type of malware that is often challenging to detect because of their evasive behavior. On top of that, due to lax security policies, many organizations fall victim to phishing campaigns that cause their information to be exposed to attackers.

    To prevent infection, organizations have to maintain strong security posture including by using sandboxing solutions. By uploading any suspicious file or URL to the ANY.RUN malware sandbox, you can quickly identify whether they pose any threat, as well as receive a stealer malware intelligence report containing IOCs and other information required for future detection.

    ANY.RUN lets users interact with files, links, and the infected system in a safe VM environment like they would on a normal computer to ensure comprehensive analysis.

    Try ANY.RUN for free – request a demo!


    Arkei screenshot
    arkei stealer
    Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
    Read More
    Azorult screenshot
    azorult trojan rat
    AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
    Read More
    Blank Grabber screenshot
    Blank Grabber
    Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.
    Read More
    DarkCloud screenshot
    DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.
    Read More
    Exela Stealer screenshot
    Exela Stealer
    exela exelastealer
    Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.
    Read More
    Fabookie screenshot
    Fabookie is an infostealer malware that was first observed as early as October 2021. The threat is known for targeting account credentials of Facebook users. The collected information is then sold by the attackers to other criminals. Fabookie is often distributed via loaders such as SmokeLoader.
    Read More

    Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy