metastealer | 0b8ed3fcb45246fc69664a337d1d27ab726041913ea62b8bb39d8514a0ce21f1

General

Target

fb3bb3c7636b5bc6f99d48693525d03b.exe
Size

344KB
MD5

fb3bb3c7636b5bc6f99d48693525d03b
SHA1

5c8cb66ee20bf86b5685750a30f9471618b5bd46
SHA256

0b8ed3fcb45246fc69664a337d1d27ab726041913ea62b8bb39d8514a0ce21f1
SHA512

a7d801bdf05ec6cb154bf3aa16c96ad204cfab072e1db1a09202e2fc0683124855412afc9de492018972b3b6b60db5239a91fcc804acabac7035d72b9506e506

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5012	4220	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4220	fb3bb3c7636b5bc6f99d48693525d03b.exe
4220	fb3bb3c7636b5bc6f99d48693525d03b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	fb3bb3c7636b5bc6f99d48693525d03b.exe

C:\Users\Admin\AppData\Local\Temp\fb3bb3c7636b5bc6f99d48693525d03b.exe
"C:\Users\Admin\AppData\Local\Temp\fb3bb3c7636b5bc6f99d48693525d03b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1320
  2⤵
  - Program crash
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4220 -ip 4220
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4220-124-0x00000000006A7000-0x00000000006D1000-memory.dmp

Filesize
168KB

Download
memory/4220-125-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/4220-126-0x00000000006A7000-0x00000000006D1000-memory.dmp

Filesize
168KB

Download
memory/4220-127-0x00000000005D0000-0x0000000000607000-memory.dmp

Filesize
220KB

Download
memory/4220-128-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4220-129-0x00000000051D0000-0x00000000057E8000-memory.dmp

Filesize
6.1MB

Download
memory/4220-130-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/4220-131-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/4220-132-0x0000000005980000-0x00000000059BC000-memory.dmp

Filesize
240KB

Download
memory/4220-133-0x0000000004C14000-0x0000000004C16000-memory.dmp

Filesize
8KB

Download
memory/4220-134-0x0000000005C60000-0x0000000005CD6000-memory.dmp

Filesize
472KB

Download
memory/4220-135-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/4220-136-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/4220-137-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/4220-138-0x00000000074E0000-0x00000000076A2000-memory.dmp

Filesize
1.8MB

Download
memory/4220-139-0x00000000076B0000-0x0000000007BDC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing