metastealer | 88d8c904915acdaaec8e8c801af2bbde838ea410f90d796c94913aac83119b13

General

Target

4a45b900e7cd2b7cc46fa7b68238f054.exe
Size

345KB
MD5

4a45b900e7cd2b7cc46fa7b68238f054
SHA1

86ab9705fc92ad0e46d354ac02a1bf3a4e3a8f0d
SHA256

88d8c904915acdaaec8e8c801af2bbde838ea410f90d796c94913aac83119b13
SHA512

591b7bc165c8e8a4fb6c1f7d6569de78f34a1deabccc131e46e040191e688fc8dc68607c4885ed8f2ac21ff6984f6939934701e321c09b48045d7b8f1806da05

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	1936	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	4a45b900e7cd2b7cc46fa7b68238f054.exe
1936	4a45b900e7cd2b7cc46fa7b68238f054.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	4a45b900e7cd2b7cc46fa7b68238f054.exe

C:\Users\Admin\AppData\Local\Temp\4a45b900e7cd2b7cc46fa7b68238f054.exe
"C:\Users\Admin\AppData\Local\Temp\4a45b900e7cd2b7cc46fa7b68238f054.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1120
  2⤵
  - Program crash
  PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1936 -ip 1936
1⤵
PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-130-0x0000000000647000-0x0000000000671000-memory.dmp

Filesize
168KB

Download
memory/1936-131-0x0000000000647000-0x0000000000671000-memory.dmp

Filesize
168KB

Download
memory/1936-132-0x00000000005D0000-0x0000000000607000-memory.dmp

Filesize
220KB

Download
memory/1936-133-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1936-134-0x0000000004A30000-0x0000000004FD4000-memory.dmp

Filesize
5.6MB

Download
memory/1936-135-0x0000000005020000-0x0000000005638000-memory.dmp

Filesize
6.1MB

Download
memory/1936-136-0x00000000056D0000-0x00000000056E2000-memory.dmp

Filesize
72KB

Download
memory/1936-137-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/1936-138-0x0000000004A24000-0x0000000004A26000-memory.dmp

Filesize
8KB

Download
memory/1936-139-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/1936-140-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/1936-141-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/1936-142-0x0000000006390000-0x0000000006406000-memory.dmp

Filesize
472KB

Download
memory/1936-143-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/1936-144-0x0000000007390000-0x0000000007552000-memory.dmp

Filesize
1.8MB

Download
memory/1936-145-0x0000000007560000-0x0000000007A8C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing