metastealer | 31d2646ce062a95e9aecd01bab72221fec3947aa79b82a95840ff09cf676da4c

General

Target

8f3120dda00cf636fc9b3c0e943ff8ef.exe
Size

367KB
MD5

8f3120dda00cf636fc9b3c0e943ff8ef
SHA1

77f04c4021e94104e756d9345f56032f338414d1
SHA256

31d2646ce062a95e9aecd01bab72221fec3947aa79b82a95840ff09cf676da4c
SHA512

8732d4d5d6d77225d9a03d63c70531f0ddadc0bcce293643cba7e10058d8a45b908635fbaa78edcfef4f539aab57335e54d1e897d65aaa6e43c4c8aa569ff730

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3312	4288	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4288	8f3120dda00cf636fc9b3c0e943ff8ef.exe
4288	8f3120dda00cf636fc9b3c0e943ff8ef.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	8f3120dda00cf636fc9b3c0e943ff8ef.exe

C:\Users\Admin\AppData\Local\Temp\8f3120dda00cf636fc9b3c0e943ff8ef.exe
"C:\Users\Admin\AppData\Local\Temp\8f3120dda00cf636fc9b3c0e943ff8ef.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1332
  2⤵
  - Program crash
  PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4288 -ip 4288
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4288-130-0x0000000000687000-0x00000000006B1000-memory.dmp

Filesize
168KB

Download
memory/4288-131-0x0000000000687000-0x00000000006B1000-memory.dmp

Filesize
168KB

Download
memory/4288-132-0x00000000005E0000-0x0000000000617000-memory.dmp

Filesize
220KB

Download
memory/4288-133-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4288-134-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/4288-135-0x0000000005280000-0x0000000005898000-memory.dmp

Filesize
6.1MB

Download
memory/4288-136-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/4288-137-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4288-138-0x0000000002554000-0x0000000002556000-memory.dmp

Filesize
8KB

Download
memory/4288-139-0x00000000059B0000-0x00000000059EC000-memory.dmp

Filesize
240KB

Download
memory/4288-140-0x0000000005C70000-0x0000000005CE6000-memory.dmp

Filesize
472KB

Download
memory/4288-141-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/4288-142-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/4288-143-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/4288-144-0x00000000073D0000-0x0000000007592000-memory.dmp

Filesize
1.8MB

Download
memory/4288-145-0x00000000075A0000-0x0000000007ACC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing