metastealer | 1ebde62def8bc20f9a8ba674f6d1b0d206e364488cde55048f9f2fb4271ceb5d

General

Target

34f27a683fa68e5a0fcf42dd63743896.exe
Size

345KB
MD5

34f27a683fa68e5a0fcf42dd63743896
SHA1

413f653bd11c8f4d9c1b88e8203f997d3b0d6491
SHA256

1ebde62def8bc20f9a8ba674f6d1b0d206e364488cde55048f9f2fb4271ceb5d
SHA512

815c1c9e7c35827b6b71bd9ce972da3a1b08c4781d6abd9a268a94c4ce40f8a04092101fc2696384c8626a9d9eba70decaa71431c4b6d6d5b680ba704de529eb

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4436	4464	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4464	34f27a683fa68e5a0fcf42dd63743896.exe
4464	34f27a683fa68e5a0fcf42dd63743896.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	34f27a683fa68e5a0fcf42dd63743896.exe

C:\Users\Admin\AppData\Local\Temp\34f27a683fa68e5a0fcf42dd63743896.exe
"C:\Users\Admin\AppData\Local\Temp\34f27a683fa68e5a0fcf42dd63743896.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1512
  2⤵
  - Program crash
  PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4464 -ip 4464
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4464-124-0x0000000000787000-0x00000000007B1000-memory.dmp

Filesize
168KB

Download
memory/4464-125-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/4464-126-0x0000000000787000-0x00000000007B1000-memory.dmp

Filesize
168KB

Download
memory/4464-127-0x00000000006D0000-0x0000000000707000-memory.dmp

Filesize
220KB

Download
memory/4464-128-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4464-129-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/4464-130-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4464-131-0x0000000005B20000-0x0000000005C2A000-memory.dmp

Filesize
1.0MB

Download
memory/4464-132-0x0000000002720000-0x000000000275C000-memory.dmp

Filesize
240KB

Download
memory/4464-133-0x0000000004F44000-0x0000000004F46000-memory.dmp

Filesize
8KB

Download
memory/4464-134-0x0000000005DB0000-0x0000000005E26000-memory.dmp

Filesize
472KB

Download
memory/4464-135-0x0000000005EB0000-0x0000000005F42000-memory.dmp

Filesize
584KB

Download
memory/4464-136-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/4464-137-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/4464-138-0x0000000007610000-0x00000000077D2000-memory.dmp

Filesize
1.8MB

Download
memory/4464-139-0x00000000077F0000-0x0000000007D1C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing