Vector Stealer-RDP-Malware-KGB Crypter

Vector Stealer: A Gateway for RDP Hijacking

Evasive Malware Targeting Remote Desktop Files

Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.

Cyble Research and Intelligence Labs (CRIL) spotted a malware named ‘Vector Stealer’, capable of stealing .rdp files. Stealing RDP files can enable TAs (Threat Actors) to perform RDP hijacking as these files contain details about the RDP session, including information needed for remote access.

RDP hijacking enables TAs to gain unauthorized remote access to a victim’s system without credentials, allows for lateral movement, and creates opportunities for additional attacks.

VectorStealer surfaced in cybercrime forums in the second half of 2022. The Threat Actor (TA) behind this stealer mainly operates through a web panel and a Telegram channel.

The figure below shows the web panel of VectorStealer.

Figure 1 – VectorStealer Web Panel

The TA has claimed the following on their web panel:

“The VectorStealer can recover sensitive information from all major browsers, including Firefox, Chrome, and Safari. It can also steal Discord tokens and sensitive files and gather basic information about the infected computer.”

This stealer payload is sold for USD 63 in BitCoin.

The figure below shows the payment details.  

Figure 2 – VectorStealer Subscription

The stealer payload can be generated using the web panel. This web panel allows an attacker to create custom malware without having advanced programming skills.

Such web panels typically have a user-friendly interface and provide various options for customization, such as the ability to specify what actions the malware will perform and configure the malware’s behavior. This stealer can exfiltrate the sensitive information stolen from the victim’s system using SMTP, Discord, and Telegram.

The figure below shows the builder options.

Figure 3 – VectorStealer Builder

Interestingly, on the same web panel, the TA is advertising KGB crypter and claims that this crypter can kill multiple antivirus solutions. The figure below shows the section of the KGB crypter presented on the VectorStealer panel.

Figure 4 – KGB Crypter recommended on VectorStealer Panel

Crypters are a tool used by threat actors (TAs) to evade detection by encrypting the malware code, making it difficult for antivirus software to identify and remove it.

The TAs behind the KGB Crypter use their own website to provide the service and claims that it is compatible with .Net and C++-based binaries. They also claim that multiple prominent malware families, such as Redline, Quasar RAT, Venom RAT, and Pandora RAT, are already using this crypter.  

Figure 5 – KGB Crypter Web Panel

The creators of KGB Crypter claim to be of Russian origin and boast that over 1,000 users have registered on their site, indicating its popularity among TAs. The crypter is offered as a paid service for USD 145 per month. It is equipped with a metamorphic generator, which alters the code each time it is compiled, making it more challenging for antivirus software to detect.

Figure 6 – KGB Crypter Builder

Technical Analysis

Initial Infection

CRIL found a phishing email that was spreading vector stealer. This phishing email is themed around spare parts with an attachment named “POM-8501” and pretends to be coming from a supplier.

The Malicious Document (MalDoc) attachment in the spam email is shown below.

Figure 7 – Phishing Mail Spreading VectorStealer

When the MalDoc attachment is opened, it prompts the user to enable the macro. Enabling macros would trigger the execution of malicious activities on the victim’s computer. The image below shows the malicious document (MalDoc).

Figure 8 – MalDoc

Upon analyzing the MalDoc, we found that one of the OLE streams contains a VBA macro. Upon execution, the macro code de-obfuscates a PowerShell script and executes it using the Shell() function. The PowerShell script contains code to download the next stage payload from a remote server, save it as “ks.exe”, and executes it as shown below.

Figure 9 – Macro Executing PowerShell Script

Payload Execution

The stealer binary (SHA256: ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb) downloaded and executed by MalDoc is a 32-Bit .NET-based executable.

The figure below shows the file details.

Figure 10 – File Details


Upon execution, the stealer creates a copy of itself into the %appdata% location and creates a task scheduler to establish persistence, as shown below.

Figure 11 – Persistence Through Task Scheduler

After this, it spawns a new process that loads the next level payload that uses KoiVM. KoiVM is a virtualizing protector for .NET applications and is made to work with ConfuserEx. The KoiVM is designed to change the .NET opcodes into new ones that only a virtualizing agent can understand.

The figure below shows the Koi stream present in MetaData.

Figure 12 – Koi Stream

The KoiVM further loads the VectorStealer and starts performing the stealer activities. Upon analyzing the memory dumps, we found that VectorStealer targets applications such as

  • Mail Clients: Outlook, ThunderBird, FoxMail
  • Chat Applications: Discord, Telegram,
  • Browsers: Opera, Vivaldi, Yandex, Brave, Chromium, Aloha Browser, Comodo Dragon, MapleStudio, ChromePlus, 360Browser, 7Star, CocCoc, Mozilla Firefox, Google Chrome.
  • Cold Crypto Wallets: Exodus, Electrum

VectorStealer also queries the Registry keys of a few applications to steal the credentials.

The table below shows the registry keys queried by the Stealer for collecting victims’ sensitive information.

Targeted ApplicationRegistry KeyDescription
OutlookHKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\   HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\   HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\  Registry Keys Stores passwords of Email, HTTP, SMTP, IMAP, and POP3.  
FoxmailSOFTWARE\Classes\Foxmail.url.mailto\Shell\open\commandTo get the FoxMail’s installation directory.

File Grabber

The stealer now grabs important sensitive files from the victim’s machine. Interestingly, this stealer also grabs .rdp files. Stealing .rdp files can also enable TAs to perform RDP (Remote Desktop Protocol) hijacking, as they contain information related to the RDP session.

The figure below shows the stealer enumerating a directory for grabbing files with extensions such as .txt, .doc, .docx, .pdf, and .rdp.

Figure 13 – Targeted File Types

Finally, the stealer creates a folder in the AppData\Local\Temp directory. This folder contains multiple sub-folders that will store stolen data from respective applications.

The figure below shows the folders created by the stealer.

Figure 14 – Creating Folder in Temp Directory

After collecting all the stolen data, it compresses the folder into a zip archive. The archive can then be exfiltrated using SMTP, Discord webhooks, or Telegram API. In this case, the stealer uses Telegram for exfiltration. It first sends a chat message to a Telegram bot controlled by TA. This message contains details of the victim’s system, including Username, Machine name, Operating System, IP address, and antivirus product.

To identify the antivirus product installed, it uses the WMI query, “SELECT * FROM AntiVirusProduct”. This stealer sends a GET request to “hxxps://” to fetch the victim’s IP address.

The figure below shows the contents of the chat message.

Figure 15 – Telegram Chat Message

This stealer establishes a successful internet connection before interacting with any remote servers. It terminates itself if it fails to establish a connection. After successfully sending this chat message, it sends the zip file which contains the stolen data to the Telegram bot.

The figure below shows the POST request made by VectorStealer.

Figure 16 – Exfiltrating Data using a POST Request


We believe that the TAs behind VectorStealer and KGB crypter is in some sort of association. The VectorStealer uses an unknown crypter and uses KoiVM for virtualization. Like other stealers, it targets browsers, email clients, crypto wallets, and chat applications.

VectorStealer specifically targets .rdp files and steals them, suggesting a potential interest in RDP hijacking to gain access to victims’ networks. TAs can leverage RDP files to carry out numerous attacks, including ransomware attacks.

Our Recommendations

​​We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:  


  • ​ Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc.,  typically contains such malware.   
  • Use strong passwords and enforce multi-factor authentication wherever possible.    
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.   
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.   
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.    
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.   
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.   
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques


​Tactic ​Technique ID ​Technique Name 
​Initial Access T1566 ​Phishing 
​Execution T1204 ​User Execution 
​Credential Access T1555 
T1539  ​
​Credentials from Password Stores  ​
Steal Web Session Cookies  ​
Unsecured Credentials 
​Discovery T1087 
T1518  ​
T1124  ​
​Account Discovery 
​Software Discovery  ​
Process Discovery  ​
System Time Discovery 
​System Service Discovery  ​
System Location Discovery 
​Command and Control T1071​Application Layer Protocol
​Exfiltration T1041 ​Exfiltration Over C&C Channel  ​ 

Indicators of Compromise (IoCs):   ​ 

​Indicators​Indicator type​Description
hxxp[:]//185.246.220[.]65/2×2/img-078-410-00[.]exe hxxp[:]//185.246.220[.]65/2×2/PCqcxNVzIHq2raQ.exe​URL ​Malicious URL 
​VectorStealer Loader 
VectorStealer Loader 
VectorStealer Payload
VectorStealer Payload

Recent Blogs


CRIL analyzes an ongoing campaign by SideCopy APT group targeting the Defense Research and Development Organization(DRDO) of the Indian government.

Read More »

Cyble reflects on the identification of a forum administrator and two cybercriminals and how it impacts the wider cybercrime ecosystem.

Read More »

Cyble analyzes the recent Emotet campaign, which utilizes OneNote attachments as a novel approach to infect users.

Read More »
Scroll to Top