metastealer | 35b95a8cf490deea69c6418f9dff0d8ca6354e059d0bb9b1e77bb4578c96f264

General

Target

c754a222b6fc3178dfd583864880a9ee.exe
Size

366KB
MD5

c754a222b6fc3178dfd583864880a9ee
SHA1

235f9677cfb79cddfb50bd5f7c9e3abf016ca1ee
SHA256

35b95a8cf490deea69c6418f9dff0d8ca6354e059d0bb9b1e77bb4578c96f264
SHA512

52615b677c5d036964c776f909af309e59aaca84bc62d0fa6eb03b3be465d728d8ff7bf5256906c7006fe8675f0f3ffc3f5386ab1dcb116953e306d95374c0d9

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3364	2928	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2928	c754a222b6fc3178dfd583864880a9ee.exe
2928	c754a222b6fc3178dfd583864880a9ee.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	c754a222b6fc3178dfd583864880a9ee.exe

C:\Users\Admin\AppData\Local\Temp\c754a222b6fc3178dfd583864880a9ee.exe
"C:\Users\Admin\AppData\Local\Temp\c754a222b6fc3178dfd583864880a9ee.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1256
  2⤵
  - Program crash
  PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2928 -ip 2928
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-124-0x00000000005C2000-0x00000000005EC000-memory.dmp

Filesize
168KB

Download
memory/2928-125-0x00000000005C2000-0x00000000005EC000-memory.dmp

Filesize
168KB

Download
memory/2928-126-0x0000000000520000-0x0000000000557000-memory.dmp

Filesize
220KB

Download
memory/2928-127-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2928-128-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/2928-129-0x00000000051A0000-0x00000000057B8000-memory.dmp

Filesize
6.1MB

Download
memory/2928-130-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/2928-131-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/2928-132-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/2928-133-0x0000000004BE4000-0x0000000004BE6000-memory.dmp

Filesize
8KB

Download
memory/2928-134-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2928-135-0x0000000006310000-0x0000000006386000-memory.dmp

Filesize
472KB

Download
memory/2928-136-0x0000000006430000-0x00000000064C2000-memory.dmp

Filesize
584KB

Download
memory/2928-137-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/2928-138-0x0000000006830000-0x00000000069F2000-memory.dmp

Filesize
1.8MB

Download
memory/2928-139-0x0000000006A00000-0x0000000006F2C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing