Overview

overview

10

Static

static

gate_v2.exe

windows7_x64

10

gate_v2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294188s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    11-04-2022 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gate_v2.exe

  • Size

    937KB

  • MD5

    d278e6e06cfc85443305fdeb3613c6b4

  • SHA1

    e7cdf1906a069c08c7bea43a7378fbcd9f52957c

  • SHA256

    d364d8e6571c30c429dd32746b62b06d60b743f1af3f496a8167e4659c001c6a

  • SHA512

    a01260475ec7b5b5da86c7af569385aa65ae9afcb06e11ad1e4ff3c15ec285b530e8a2e290abb50e0d6246a0c4e36fdd27530ea9b7355ba3243c98eff78001a6

Score
10/10
metastealerstealer

Malware Config

Extracted

Family

metastealer

C2

193.106.191.162:1775

Signatures

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gate_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\gate_v2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension "exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell rename-item -path C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.xyz -newname hyper-v.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.xyz
    Filesize

    96KB

    MD5

    7825cad99621dd288da81d8d8ae13cf5

    SHA1

    f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

    SHA256

    529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

    SHA512

    2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    7ac7117ce8cef51f52254476fe104624

    SHA1

    bb240b96ece4a0ab9a7ed01f7574f1f013e5ab21

    SHA256

    8867e7b859553101a2cf8056a85409d949a690130ccfa5aae474020f124a7275

    SHA512

    259c014b4f5f28089a9ec9b6addbf8fb32d1f1bec26ab52c4ce95d0340e9bda8485d302312856d816a1e4d965a96e2b1d6289ff74c1d77244aea95e02cbfd5ba

    Download Submit
  • memory/1496-74-0x0000000000000000-mapping.dmp
    Download
  • memory/1496-81-0x00000000021F0000-0x0000000002E3A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1496-78-0x0000000073480000-0x0000000073A2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1548-65-0x0000000000429642-mapping.dmp
    Download
  • memory/1548-67-0x00000000755A1000-0x00000000755A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1548-68-0x0000000000400000-0x0000000000465000-memory.dmp
    Filesize

    404KB

    Download
  • memory/1548-69-0x0000000010000000-0x0000000010196000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1548-66-0x0000000000400000-0x0000000000465000-memory.dmp
    Filesize

    404KB

    Download
  • memory/1548-58-0x0000000000400000-0x0000000000465000-memory.dmp
    Filesize

    404KB

    Download
  • memory/1548-56-0x0000000000400000-0x0000000000465000-memory.dmp
    Filesize

    404KB

    Download
  • memory/1572-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1572-79-0x0000000073480000-0x0000000073A2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1636-54-0x0000000000380000-0x00000000003E0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/1636-55-0x00000000033F0000-0x00000000033F3000-memory.dmp
    Filesize

    12KB

    Download