Sharp-Project: New Stealer Family on the Market

A new .NET info-stealer family dubbed Sharp Stealer, together with a related sample named Sharpil RAT, has been documented; both use Telegram bots for command-and-control and data exfiltration. The malware targets gamer-related accounts and applications (browsers, Discord, Steam, Minecraft/VimeWorld) and uses obfuscation and cryptographic libraries in its implementation. #SharpStealer #SharpilRAT

Keypoints

  • Threat researcher Yogesh Londhe identified a non-obfuscated C# sample called “Sharpil RAT.exe” that connects to a Telegram bot for C2 and data collection.
  • Sharpil RAT accepts commands (e.g., /browsers, /system, /return, /exit) parsed from Telegram API JSON and performs targeted data-gathering actions.
  • Separate samples named sharp_build.exe were found and attributed to a new family “Sharp Stealer” that shares code style and Telegram exfiltration.
  • Sharp Stealer is a .NET app using the Ionic Framework, BCrypt crypto functions, renaming obfuscation, and code/components resembling Umbral and Echelon stealers.
  • Both tools collect system info, browser data, Discord tokens, gaming platform cookies/accounts (Steam, Epic, Roblox, VimeWorld, Minecraft), messengers, VPN configs, FTP data, and crypto wallets, archive the results, and send them to a Telegram chat.
  • Samples were publicly observable as VirusTotal submissions and the seller advertises through a Telegram channel; sample hashes for Sharpil RAT and Sharp Stealer are listed as IOCs.
  • The project appears immature: limited underground presence, no sandbox/AV-evasion checks, and minimal concealment from antivirus engines.

MITRE Techniques

  • [T1102] Web Service – On start the malware immediately connects to a Telegram bot, using a legitimate public service as its C2 channel. [‘…immediately attempts to establish a connection with a Telegram bot.’]
  • [T1071.001] Application Layer Protocol: Web Protocols – The sample parses JSON from the Telegram Bot API to extract command text using ParseLastMessage. [‘…parses a JSON string and extracts the value associated with the last occurrence of the “text” in the JSON object received from Telegram bot API.’]
  • [T1041] Exfiltration Over C2 Channel – Collected files are archived and transmitted directly to a Telegram chat controlled by the attacker. [‘…transmits data directly to a chat with a Telegram bot.’]
  • [T1555.003] Credentials from Web Browsers – The malware searches installed browsers and harvests stored credentials and cookies from multiple browser vendors. [‘…Search installed browsers’]
  • [T1082] System Information Discovery – The /system command enumerates username, clipboard, CPU, RAM, GPU, IP geolocation, BSSID, HDD, MAC, BIOS caption and writes them to Information.txt. [‘/system System information: username, clipboard, CPU, RAM, GPU, IP Geolocation, BSSID, HDD, MAC address, BIOS caption. All data get saved in Information.txt’]
  • [T1113] Screen Capture – The stealer captures screenshots as part of collected system artifacts (screenshot listed among saved system data). [‘…Screenshot…’]
  • [T1115] Clipboard Data – The tool collects clipboard contents during system information gathering. [‘…clipboard…’]
  • [T1027] Obfuscated Files or Information – Sharp Stealer uses class/field renaming and other obfuscation techniques to hinder analysis. [‘…classes and fields renaming as an obfuscation’]

Indicators of Compromise

  • [File hash] SHA-256 of the malicious executables – Sharpil RAT: 1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef; Sharp Stealer samples: 42efd817539480fb44da60d797908869af796df6bfb700980709ccf483e92b96, b6e763d6b886308df0e0c3e9342dd83dba88d68eb312e0540b24d8dcdcaa1920 (and 1 more hash)
  • [File name] Observed filenames – “Sharpil RAT.exe” (C# sample connecting to Telegram), “sharp_build.exe” (Sharp Stealer sample submitted to VirusTotal).
  • [Telegram channel/bot] C2 and seller presence – Telegram channel “СТИЛЛЕР | SHARP PROJECT | ПРИВАТНЫЙ СОФТ” (“STEALER | SHARP PROJECT | PRIVATE SOFTWARE”) and the associated Telegram bot used for command delivery and data exfiltration.
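The techniques and indicators above translate directly into triage logic. The following is an added example for this summary, not code from the G DATA write-up or from the samples: it scans constructed proxy/EDR network records for Telegram Bot API calls (T1102/T1071.001/T1041) made by processes that have no business talking to a bot, matches file hashes against the IOC list, and groups hits by bot id so that one token seen from several hosts is recognised as one campaign. The log lines, host names, process names, the bot token and the client allow-list are constructed assumptions; only the SHA-256 values come from the IOC list.

```python
"""Triage of proxy / EDR network records for Telegram-Bot-API C2 as used by
Sharp Stealer and Sharpil RAT.  Added example for this summary, not code from
the G DATA write-up or from the samples.  Log lines, host names, process names
and the bot token are constructed; EXPECTED_CLIENTS is an assumption to tune per
estate.  Only the SHA-256 values come from the IOC list above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{35})/(\w+)")

# The methods a Telegram-controlled stealer needs: poll commands, push loot back.
C2_METHODS = {
    "getUpdates": "polls the bot for operator commands",
    "sendMessage": "posts text to the operator chat",
    "sendDocument": "uploads a file (the stolen-data archive)",
    "sendPhoto": "uploads an image (the screenshot)",
}

# Assumption: processes allowed to reach the Bot API in this estate.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

SHARP_PROJECT_SHA256 = {  # from the IOC list above
    "1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef",  # Sharpil RAT
    "42efd817539480fb44da60d797908869af796df6bfb700980709ccf483e92b96",  # Sharp Stealer
    "b6e763d6b886308df0e0c3e9342dd83dba88d68eb312e0540b24d8dcdcaa1920",  # Sharp Stealer
}

# Constructed records: "<timestamp> <host> <process> <sha256> <url>".
TOKEN = "7012345678:AAHabcdefghijklmnopqrstuvwxyz012345"  # constructed, not a real token
BENIGN_HASH = "0" * 64                                     # placeholder hash
SHARP_HASH = "42efd817539480fb44da60d797908869af796df6bfb700980709ccf483e92b96"
SAMPLE_LOG = "\n".join([
    f"2024-04-12T10:01:03Z ws-17 chrome.exe {BENIGN_HASH} https://web.telegram.org/a/",
    f"2024-04-12T10:02:11Z ws-17 sharp_build.exe {SHARP_HASH} https://api.telegram.org/bot{TOKEN}/getUpdates?offset=0",
    f"2024-04-12T10:02:40Z ws-17 sharp_build.exe {SHARP_HASH} https://api.telegram.org/bot{TOKEN}/sendDocument",
    f"2024-04-12T10:05:00Z ws-22 updater.exe {BENIGN_HASH} https://api.telegram.org/bot{TOKEN}/sendMessage",
    f"2024-04-12T10:06:30Z ws-30 chrome.exe {BENIGN_HASH} https://api.telegram.org/bot{TOKEN}/getMe",
])


@dataclass
class Finding:
    host: str
    process: str
    severity: str
    bot_id: Optional[str]   # numeric part of the token; safe to put in an alert
    method: Optional[str]
    reason: str


def parse_record(line: str) -> dict:
    ts, host, process, sha256, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "process": process.lower(),
            "sha256": sha256.lower(), "url": url}


def classify(rec: dict) -> Optional[Finding]:
    """A hash match outranks behaviour; behaviour alone still yields a medium."""
    severity, reasons, bot_id, method = None, [], None, None
    m = BOT_API_RE.search(rec["url"])
    if m:
        bot_id, _secret, method = m.groups()
        if method in C2_METHODS and rec["process"] not in EXPECTED_CLIENTS:
            severity = "medium"
            reasons.append(f"{rec['process']} {C2_METHODS[method]} via the Bot API")
    if rec["sha256"] in SHARP_PROJECT_SHA256:
        severity = "high"
        reasons.append("SHA-256 matches a published Sharp Stealer / Sharpil RAT sample")
    if severity is None:
        return None
    return Finding(rec["host"], rec["process"], severity, bot_id, method, "; ".join(reasons))


def scan(log_text: str) -> list:
    findings = (classify(parse_record(l)) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f is not None]


def cluster_by_bot(findings: list) -> dict:
    """One bot id seen from several hosts means one operator, one campaign."""
    hosts = {}
    for f in findings:
        if f.bot_id:
            hosts.setdefault(f.bot_id, set()).add(f.host)
    return hosts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity}] {f.host} {f.process} bot={f.bot_id} {f.method}: {f.reason}")
    print("hosts per bot id:", cluster_by_bot(hits))
```

The alert carries only the numeric bot id, not the secret half of the token; the full token belongs in the case file, since it lets a responder identify the operator's bot. The updater.exe record shows why the behavioural rule matters: an unknown hash still gets flagged because a non-client process is posting to the same bot that the known sample polls.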

The malware ecosystem described comprises two related .NET artifacts: a C# sample labeled “Sharpil RAT.exe” that acts as a Telegram-controlled agent and a separate product (“sharp_build.exe”) sold as “Sharp Stealer.” Both connect to a Telegram bot immediately on execution. In the non-obfuscated Sharpil RAT sample, a ParseLastMessage routine extracts the value of the last ‘text’ field from the Telegram Bot API JSON and treats it as the operator's command; /browsers enumerates installed browsers, and /system captures system details (username, clipboard, CPU, RAM, GPU, IP geolocation, BSSID, HDD, MAC, BIOS caption) and saves them to Information.txt.
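An analyst who wants to detonate the sample with api.telegram.org redirected to a local responder needs to know what a getUpdates reply looks like and how the described extraction step reads it. The block below is an added example for this summary, not code from the Sharpil RAT or Sharp Stealer samples: it builds a minimal Bot API getUpdates body and re-creates the behaviour the write-up attributes to ParseLastMessage (take the value of the last "text" key in the JSON). Field names follow the public Bot API; the chat id, message ids and timestamps are placeholders, and the four command strings are the ones listed for Sharpil RAT above.

```python
"""Telegram Bot API getUpdates replies and the 'last "text" value' extraction step.

Added example for this summary, not code from the Sharpil RAT or Sharp Stealer
samples.  It re-creates the parsing behaviour the write-up attributes to
ParseLastMessage so that a sandbox responder standing in for api.telegram.org
can be checked before a detonation.  Update payloads are constructed; field
names follow the public Bot API, ids and timestamps are placeholders.
"""
import json
import re

# Commands the write-up lists for the Sharpil RAT sample.
KNOWN_COMMANDS = {"/browsers", "/system", "/return", "/exit"}

# A JSON string value following a "text" key, escapes included.
LAST_TEXT_RE = re.compile(r'"text"\s*:\s*"((?:[^"\\]|\\.)*)"')


def parse_last_message(raw: str):
    """String-scan emulation of the described step: value of the last "text" key.
    Returns None when the reply carries no text message at all."""
    values = LAST_TEXT_RE.findall(raw)
    if not values:
        return None
    return json.loads(f'"{values[-1]}"')   # decode JSON escapes such as \" or \u00e9


def classify_command(text):
    """What the agent would do with the extracted value."""
    if text is None:
        return "idle"                       # nothing to run, poll again
    return "known" if text in KNOWN_COMMANDS else "unknown"


def build_get_updates_reply(*commands, chat_id=123456789, first_update_id=900000001):
    """Minimal getUpdates body a sandbox responder can serve; one update per command.
    Shape and field names follow the Bot API; the ids are placeholders."""
    result = []
    for i, cmd in enumerate(commands):
        result.append({
            "update_id": first_update_id + i,
            "message": {
                "message_id": 42 + i,
                "from": {"id": chat_id, "is_bot": False, "first_name": "operator"},
                "chat": {"id": chat_id, "type": "private"},
                "date": 1712916000 + i,
                "text": cmd,
            },
        })
    return json.dumps({"ok": True, "result": result})


if __name__ == "__main__":
    reply = build_get_updates_reply("/browsers", "/system")
    cmd = parse_last_message(reply)
    print(cmd, classify_command(cmd))      # only the newest update is acted on
```

A responder that queues several updates in one reply will see only the last one executed, so serve one command per poll. The emulation deliberately mirrors the described string scan rather than walking the JSON structure; whether the obfuscated Sharp Stealer build parses replies the same way is not established by the write-up.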

Sharp Stealer’s implementation leverages the Ionic Framework and BCrypt APIs, applies class/field renaming obfuscation, and reuses JSON handlers and BCrypt interaction patterns from Umbral and sender components reminiscent of Echelon. Collected artifacts—including browser cookies and credentials, Discord sessions/tokens, game platform accounts (Steam, Epic, Roblox, Ubisoft, VimeWorld, Minecraft), messenger data, VPN config files, FTP credentials, and crypto wallet data—are written to separate files, archived together, and exfiltrated to the attacker’s Telegram chat as proof-of-theft screenshots and zip archives.

From an analyst perspective, the codebase is readable enough to trace functionality despite the renaming obfuscation; observable indicators are the filenames and submitted hashes listed above and the public VirusTotal submissions. The project’s current maturity is low: it lacks sandbox/AV-evasion checks and has a minimal underground market footprint, but its Telegram-based C2 and broad game-oriented data collection make it a notable threat to gamer accounts and associated services. Because the Bot API is ordinary HTTPS to api.telegram.org, the destination alone is a weak signal; detection needs the process context (which binary is calling the Bot API) or the file hashes above.

Read more: https://www.gdatasoftware.com/blog/2024/04/37894-sharp-info-stealer