metastealer | 9a4327936a40f16d7a08d54473df45caac32eeb608185f9c9690f4fddc0c97a8

General

Target

505c08b34025ea724caeb6dc89e9ed58.exe
Size

345KB
MD5

505c08b34025ea724caeb6dc89e9ed58
SHA1

ba063c25f267274bcdad0d4098eff5d7d5b62293
SHA256

9a4327936a40f16d7a08d54473df45caac32eeb608185f9c9690f4fddc0c97a8
SHA512

da74817eb1c52df3155d51f480e6f29c08b2cce1372eb07932738e4e2e2bd36969ec3ee7c55745aca4de7ec5b2f5ddaa885181755e6a59ceee8a391af9510bf1

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	3496	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3496	505c08b34025ea724caeb6dc89e9ed58.exe
3496	505c08b34025ea724caeb6dc89e9ed58.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	505c08b34025ea724caeb6dc89e9ed58.exe

C:\Users\Admin\AppData\Local\Temp\505c08b34025ea724caeb6dc89e9ed58.exe
"C:\Users\Admin\AppData\Local\Temp\505c08b34025ea724caeb6dc89e9ed58.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1740
  2⤵
  - Program crash
  PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3496 -ip 3496
1⤵
PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3496-130-0x00000000007A7000-0x00000000007D1000-memory.dmp

Filesize
168KB

Download
memory/3496-131-0x00000000007A7000-0x00000000007D1000-memory.dmp

Filesize
168KB

Download
memory/3496-132-0x0000000000710000-0x0000000000747000-memory.dmp

Filesize
220KB

Download
memory/3496-133-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3496-134-0x0000000004B60000-0x0000000005104000-memory.dmp

Filesize
5.6MB

Download
memory/3496-135-0x0000000005160000-0x0000000005778000-memory.dmp

Filesize
6.1MB

Download
memory/3496-136-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/3496-137-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/3496-138-0x0000000004B54000-0x0000000004B56000-memory.dmp

Filesize
8KB

Download
memory/3496-139-0x0000000005980000-0x00000000059BC000-memory.dmp

Filesize
240KB

Download
memory/3496-140-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/3496-141-0x0000000005D00000-0x0000000005D76000-memory.dmp

Filesize
472KB

Download
memory/3496-142-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/3496-143-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/3496-144-0x00000000066C0000-0x0000000006882000-memory.dmp

Filesize
1.8MB

Download
memory/3496-145-0x0000000006890000-0x0000000006DBC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing