Angry Stealer is an information stealer analyzed by CYFIRMA. A .NET dropper deploys two payloads, Stepasha.exe (the stealer) and MotherRussia.exe (a builder for producing further executables), and the stealer exfiltrates browser data, cryptocurrency wallets, VPN credentials, and system details through Telegram. Its code is shared with Rage Stealer, and the tool is promoted on Telegram and the Triamidnjr marketplace, which points to operators rebranding an existing stealer and selling it openly. #AngryStealer #RageStealer #CYFIRMA #Telegram
Keypoints
- CYFIRMA identified a dropper binary designed to deploy “Angry Stealer,” actively advertised on Telegram and online platforms.
- The dropper is a 32-bit Win32 executable written in .NET.
- “Angry Stealer” targets and exfiltrates sensitive data, including browser data, cryptocurrency wallets, VPN credentials, and system information.
- The malware exfiltrates collected data through the Telegram Bot API and disables TLS certificate validation for that connection (the report describes this as bypassing SSL validation), so the upload succeeds even behind an intercepting proxy.
- “Angry Stealer” is based on the “Rage Stealer” malware, sharing identical code and functionality.
- The second payload, “MotherRussia.exe,” appears to be a builder tool for creating malicious executables.
- Promotional activity across platforms like Triamidnjr and Telegram demonstrates a mature marketplace for such tools and rebranding patterns among operators.
MITRE Techniques
- [T1566] Phishing – “Phishing” used to enable initial access. Quote: “T1566: Phishing”
- [T1566.001] Spearphishing Attachment – Malicious attachment used for initial access. Quote: “T1566.001: Spear phishing Attachment”
- [T1059] User Execution – The report lists “T1059: User Execution” for the execution phase. In ATT&CK, T1059 is Command and Scripting Interpreter; User Execution is T1204, whose sub-technique T1204.002 appears next. Quote: “T1059: User Execution”
- [T1204.002] Malicious File – Malicious file execution as part of deployment. Quote: “T1204.002: Malicious File”
- [T1027] Obfuscated Files or Information – Obfuscation used to evade defenses. Quote: “T1027: Obfuscated Files or Information”
- [T1082] System Information Discovery – Collecting system information during discovery. Quote: “T1082: System Information Discovery”
- [T1083] File & Directory Discovery – Discovering files and directories for data collection. Quote: “T1083: File & Directory Discovery”
- [T1005] Data from Local System – Exfiltrating data from the local system. Quote: “T1005: Data from Local System”
- [T1113] Screen Capture – Taking screenshots as part of data collection. Quote: “T1113: Screen Capture”
- [T1048] Exfiltration over Alternative Protocol – Data exfiltration over Telegram (alternative protocol). Quote: “T1048: Exfiltration over Alternative Protocol”
Indicators of Compromise
- [File Name] Stepasha.exe – Dropped to the Temp directory and executed; primary data-stealing payload (the report lists one further hash that is not reproduced here).
- [File Name] MotherRussia.exe – Dropped to the Temp directory and executed; builder tool for creating further executables.
- [MD5] Dropper – 56a579cb88eb4bb93a45b163ab9825d8 (the report lists one further hash that is not reproduced here)
- [MD5] Stealer – 365BF209A1D5EB01EB38586C51F47817
- [SHA-256] Dropper – c477b037e8fe3ab68b4c1da6f9bfe01e9ea818a5b4f94ed9e2757e25035be06d
- [Domain] Triamidnjr.com – Marketplace hosting the Angry Stealer listing (home page); the product page is at the path view-product/17-106/Angry-stealer.
- [URL] t.me/ANGRYSTEALER – Telegram contact/channel used for distribution.
- [URL] t.me/InfoSecSpy – Telegram channel promoting Angry Stealer.
- [Telegram Bot Token] 7111654667:AAFkYkvnCsb8YVJsK4iKBRAyyQO9vyaJa7U – Used for data upload to Telegram.
- [Chat ID] 1435200072 – Telegram chat that receives the exfiltrated data.
- [File Path] C:\Users\<user>\AppData\Local\44_23 – Staging directory where collected data is written before upload (<user> is a placeholder for the victim's profile name).
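The Telegram exfiltration noted in the key points and the bot token and chat ID in the IoC list can be turned into one detection. Because the stealer does not validate the server certificate, a TLS-inspecting proxy records the full request URL, and the Bot API puts the token in that URL (https://api.telegram.org/bot<token>/<method>). The script below is an added example written for this page, not CYFIRMA's code: it parses proxy log lines in an assumed "<timestamp> <source IP> <HTTP method> <URL> <status> <bytes>" format, flags any Telegram Bot API call, rates upload methods higher than bot reconnaissance calls such as getMe, and escalates to an IoC match when the page's token or chat ID appears. The log lines are constructed; only the token and chat ID in KNOWN_BOT_TOKENS and KNOWN_CHAT_IDS come from the page.

```python
"""Flag Telegram Bot API exfiltration in HTTP proxy logs and match Angry Stealer IoCs.

Added example for this page, not CYFIRMA's code. The log format and the log lines
are constructed for illustration; only the values in KNOWN_* come from the page's IoC list.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlparse

# IoCs from the page: the bot token and chat ID Angry Stealer uploads to.
KNOWN_BOT_TOKENS = {"7111654667:AAFkYkvnCsb8YVJsK4iKBRAyyQO9vyaJa7U"}
KNOWN_CHAT_IDS = {"1435200072"}

# A Telegram bot token is "<numeric bot id>:<35 chars of A-Z a-z 0-9 _ ->", and the
# Bot API embeds it in the URL path: https://api.telegram.org/bot<token>/<method>
TOKEN_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{35})/(\w+)")

# Methods that carry data off the host; getMe and similar only probe the bot itself.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}

# Assumed proxy log format: "<ts> <src_ip> <http_method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<http>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    api_method: str          # Telegram Bot API method, e.g. sendDocument
    bot_token: str           # the credential itself; identifies the attacker's bot
    chat_id: Optional[str]   # None when chat_id travelled in the POST body, not the query string
    severity: str            # "ioc-match", "generic-upload" or "generic"


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a Telegram Bot API request, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    if url.hostname != "api.telegram.org":
        return None
    t = TOKEN_RE.match(url.path)
    if not t:
        return None
    token, api_method = t.group(1), t.group(2)
    # chat_id is only visible in URL-only logs when the client puts it in the query
    # string; multipart uploads usually carry it in the body, so None means "unknown".
    chat_id = parse_qs(url.query).get("chat_id", [None])[0]
    if token in KNOWN_BOT_TOKENS or chat_id in KNOWN_CHAT_IDS:
        severity = "ioc-match"
    elif api_method in UPLOAD_METHODS:
        severity = "generic-upload"
    else:
        severity = "generic"
    return Finding(m["ts"], m["src"], api_method, token, chat_id, severity)


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run analyze_line over a log and keep only the Telegram Bot API hits."""
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample log. The second line reuses the page's token and chat ID; FAKE_TOKEN
# is made up so the generic rules can be shown firing without an IoC match.
FAKE_TOKEN = "1234567890:" + "A" * 35
SAMPLE_LOG = [
    "2024-06-01T10:02:11Z 10.0.0.15 GET https://www.example.com/index.html 200 5120",
    "2024-06-01T10:02:40Z 10.0.0.15 POST https://api.telegram.org/bot"
    "7111654667:AAFkYkvnCsb8YVJsK4iKBRAyyQO9vyaJa7U/sendDocument?chat_id=1435200072 200 88211",
    f"2024-06-01T10:05:03Z 10.0.0.22 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage?chat_id=99 200 301",
    f"2024-06-01T10:06:00Z 10.0.0.31 GET https://api.telegram.org/bot{FAKE_TOKEN}/getMe 200 120",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        bot_id = f.bot_token.split(":")[0]
        print(f"{f.severity:15} {f.src:10} {f.api_method:13} chat_id={f.chat_id} bot_id={bot_id}")
```

The generic rule matters more than the IoC match: a rebranded build of the same stealer will ship with a fresh token and chat ID, but it still has to call api.telegram.org with a token in the path. On a network where no legitimate Telegram bots run, any hit on the generic rule is worth triage, and a recovered token identifies the operator's bot for reporting to Telegram.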