metastealer | ddf33bf30a8e0d35b049d817cfcf224bd6519e0056aebe401ee48081484cdddd

General

Target

e09ac7299dc0f0d6e0e6defc44cf7f9e.exe
Size

367KB
MD5

e09ac7299dc0f0d6e0e6defc44cf7f9e
SHA1

1b9528e5750344d12ed21da2c951e7323c926166
SHA256

ddf33bf30a8e0d35b049d817cfcf224bd6519e0056aebe401ee48081484cdddd
SHA512

85d1aadd8e43a363753a440313bc0ad2f5a6d01b19a2c40b1ff3fa525e5f8548fb7d4f59d9d1ebd4d4e8fbcc51da7e38a7769b22fd43842722ac96ed2bd71c53

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	1316	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1316	e09ac7299dc0f0d6e0e6defc44cf7f9e.exe
1316	e09ac7299dc0f0d6e0e6defc44cf7f9e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	e09ac7299dc0f0d6e0e6defc44cf7f9e.exe

C:\Users\Admin\AppData\Local\Temp\e09ac7299dc0f0d6e0e6defc44cf7f9e.exe
"C:\Users\Admin\AppData\Local\Temp\e09ac7299dc0f0d6e0e6defc44cf7f9e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1268
  2⤵
  - Program crash
  PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1316 -ip 1316
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-124-0x0000000000517000-0x0000000000541000-memory.dmp

Filesize
168KB

Download
memory/1316-125-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/1316-126-0x0000000000517000-0x0000000000541000-memory.dmp

Filesize
168KB

Download
memory/1316-127-0x0000000000600000-0x0000000000637000-memory.dmp

Filesize
220KB

Download
memory/1316-128-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1316-129-0x0000000005170000-0x0000000005788000-memory.dmp

Filesize
6.1MB

Download
memory/1316-130-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/1316-131-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/1316-132-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/1316-133-0x0000000004B44000-0x0000000004B46000-memory.dmp

Filesize
8KB

Download
memory/1316-134-0x0000000005C70000-0x0000000005D02000-memory.dmp

Filesize
584KB

Download
memory/1316-135-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/1316-136-0x00000000063E0000-0x0000000006456000-memory.dmp

Filesize
472KB

Download
memory/1316-137-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/1316-138-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/1316-139-0x00000000068A0000-0x0000000006DCC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing