metastealer | d97d0e03d589b7d01167ea9cbb2241d6f792527b445692cfb1e655172bd267f2

General

Target

045b8cd99f05161bfa0abbe8c5571f3c.exe
Size

344KB
MD5

045b8cd99f05161bfa0abbe8c5571f3c
SHA1

0cf702c47df828448a57da1f8d71e670081a9de5
SHA256

d97d0e03d589b7d01167ea9cbb2241d6f792527b445692cfb1e655172bd267f2
SHA512

3ae8f9f79872759708d2ef140d879b96d6e79953557a3a22fde4925a4a4d69d1d98618dc31b508251ce06f8a33da0026ef995701f5770472912aac7e375ab806

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3456	2856	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2856	045b8cd99f05161bfa0abbe8c5571f3c.exe
2856	045b8cd99f05161bfa0abbe8c5571f3c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	045b8cd99f05161bfa0abbe8c5571f3c.exe

C:\Users\Admin\AppData\Local\Temp\045b8cd99f05161bfa0abbe8c5571f3c.exe
"C:\Users\Admin\AppData\Local\Temp\045b8cd99f05161bfa0abbe8c5571f3c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 1348
  2⤵
  - Program crash
  PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2856 -ip 2856
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2856-124-0x00000000005E7000-0x0000000000611000-memory.dmp

Filesize
168KB

Download
memory/2856-125-0x00000000005E7000-0x0000000000611000-memory.dmp

Filesize
168KB

Download
memory/2856-126-0x0000000000510000-0x0000000000547000-memory.dmp

Filesize
220KB

Download
memory/2856-127-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2856-128-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/2856-129-0x0000000005190000-0x00000000057A8000-memory.dmp

Filesize
6.1MB

Download
memory/2856-130-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/2856-131-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/2856-132-0x0000000005980000-0x00000000059BC000-memory.dmp

Filesize
240KB

Download
memory/2856-133-0x0000000002444000-0x0000000002446000-memory.dmp

Filesize
8KB

Download
memory/2856-134-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/2856-135-0x0000000006320000-0x0000000006396000-memory.dmp

Filesize
472KB

Download
memory/2856-136-0x00000000063E0000-0x0000000006472000-memory.dmp

Filesize
584KB

Download
memory/2856-137-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/2856-138-0x00000000067B0000-0x0000000006972000-memory.dmp

Filesize
1.8MB

Download
memory/2856-139-0x0000000006990000-0x0000000006EBC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing