metastealer | 94b78106989de9df32a0db19e58d3c79292bad1c125e3b699b7f5f2c099c8156

Analysis

Target

2245bcc8a29546d7857680789e3c5570.exe
Size

345KB
MD5

2245bcc8a29546d7857680789e3c5570
SHA1

67603329135d4729a9929c42f5176f4f5e3d748f
SHA256

94b78106989de9df32a0db19e58d3c79292bad1c125e3b699b7f5f2c099c8156
SHA512

c4d6552aa5c2d51938ed5e32283e853a1de0149584c47d08a55881293f65c89e24e0cd77598de6712d40fba00dc017e6f22e58ff05f8a8fc8362622c171b07df

Score

10^/10

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3092	664	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
664	2245bcc8a29546d7857680789e3c5570.exe
664	2245bcc8a29546d7857680789e3c5570.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	2245bcc8a29546d7857680789e3c5570.exe

C:\Users\Admin\AppData\Local\Temp\2245bcc8a29546d7857680789e3c5570.exe
"C:\Users\Admin\AppData\Local\Temp\2245bcc8a29546d7857680789e3c5570.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 1804
  2⤵
  - Program crash
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 664 -ip 664
1⤵
PID:3140

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/664-130-0x0000000000577000-0x00000000005A1000-memory.dmp

Filesize
168KB

Download
memory/664-131-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/664-132-0x0000000000577000-0x00000000005A1000-memory.dmp

Filesize
168KB

Download
memory/664-133-0x00000000008E0000-0x0000000000917000-memory.dmp

Filesize
220KB

Download
memory/664-134-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/664-135-0x00000000050D0000-0x00000000056E8000-memory.dmp

Filesize
6.1MB

Download
memory/664-136-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/664-137-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/664-138-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/664-139-0x0000000004B14000-0x0000000004B16000-memory.dmp

Filesize
8KB

Download
memory/664-140-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/664-141-0x0000000005BC0000-0x0000000005C36000-memory.dmp

Filesize
472KB

Download
memory/664-142-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/664-143-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/664-144-0x0000000006580000-0x0000000006742000-memory.dmp

Filesize
1.8MB

Download
memory/664-145-0x0000000006750000-0x0000000006C7C000-memory.dmp

Filesize
5.2MB

Download