metastealer | 030031967edc4442758b080c291fa29e2220d299194173c0a7dd484609f0ad15

General

Target

dc5f75ecc5957d7ddb28bbe2ce9c6c23.exe
Size

366KB
MD5

dc5f75ecc5957d7ddb28bbe2ce9c6c23
SHA1

96ee5a0c5ef0dfbb92e3effb2e9def6969bfb582
SHA256

030031967edc4442758b080c291fa29e2220d299194173c0a7dd484609f0ad15
SHA512

bfa7f6541aceaf33d13a505e91ea3a93ad3436eb906538652334d4566fd23b5257cee789096e3c78b630a6c55503867def06424ed8e614c74a0d566738ba80a5

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
424	3624	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3624	dc5f75ecc5957d7ddb28bbe2ce9c6c23.exe
3624	dc5f75ecc5957d7ddb28bbe2ce9c6c23.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	dc5f75ecc5957d7ddb28bbe2ce9c6c23.exe

C:\Users\Admin\AppData\Local\Temp\dc5f75ecc5957d7ddb28bbe2ce9c6c23.exe
"C:\Users\Admin\AppData\Local\Temp\dc5f75ecc5957d7ddb28bbe2ce9c6c23.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1420
  2⤵
  - Program crash
  PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 3624 -ip 3624
1⤵
PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3624-134-0x00000000007C2000-0x00000000007EC000-memory.dmp

Filesize
168KB

Download
memory/3624-135-0x00000000007C2000-0x00000000007EC000-memory.dmp

Filesize
168KB

Download
memory/3624-136-0x0000000000700000-0x0000000000737000-memory.dmp

Filesize
220KB

Download
memory/3624-137-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3624-138-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/3624-139-0x0000000005190000-0x00000000057A8000-memory.dmp

Filesize
6.1MB

Download
memory/3624-140-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/3624-141-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/3624-142-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/3624-143-0x0000000004BD4000-0x0000000004BD6000-memory.dmp

Filesize
8KB

Download
memory/3624-144-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/3624-145-0x0000000006330000-0x00000000063C2000-memory.dmp

Filesize
584KB

Download
memory/3624-146-0x00000000063E0000-0x0000000006456000-memory.dmp

Filesize
472KB

Download
memory/3624-147-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/3624-148-0x0000000006920000-0x0000000006AE2000-memory.dmp

Filesize
1.8MB

Download
memory/3624-149-0x0000000006AF0000-0x000000000701C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing