metastealer | 0118358128946efef9fa03d752c2687347d4a43e5d387110058e9567c8668854

General

Target

3ba69872f94f58572425e1c32cd92131.exe
Size

368KB
MD5

3ba69872f94f58572425e1c32cd92131
SHA1

11a585d778e1818a3c6f3d8013fe7bc6bb6679f8
SHA256

0118358128946efef9fa03d752c2687347d4a43e5d387110058e9567c8668854
SHA512

59a7d03a7d132e7466a6b45d7e1454d88502c9ba0ca0dd4f3603d4949ea148d7a35180ffba91777755244f5157a3d5f9ca5daa96774278e12130c408886d8c94

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3512	4824	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4824	3ba69872f94f58572425e1c32cd92131.exe
4824	3ba69872f94f58572425e1c32cd92131.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	3ba69872f94f58572425e1c32cd92131.exe

C:\Users\Admin\AppData\Local\Temp\3ba69872f94f58572425e1c32cd92131.exe
"C:\Users\Admin\AppData\Local\Temp\3ba69872f94f58572425e1c32cd92131.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1256
  2⤵
  - Program crash
  PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4824 -ip 4824
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4824-124-0x0000000000562000-0x000000000058C000-memory.dmp

Filesize
168KB

Download
memory/4824-125-0x0000000000562000-0x000000000058C000-memory.dmp

Filesize
168KB

Download
memory/4824-127-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4824-126-0x0000000000510000-0x0000000000547000-memory.dmp

Filesize
220KB

Download
memory/4824-128-0x0000000004BD0000-0x0000000005174000-memory.dmp

Filesize
5.6MB

Download
memory/4824-129-0x0000000005180000-0x0000000005798000-memory.dmp

Filesize
6.1MB

Download
memory/4824-130-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/4824-131-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/4824-132-0x0000000005970000-0x00000000059AC000-memory.dmp

Filesize
240KB

Download
memory/4824-133-0x0000000002334000-0x0000000002336000-memory.dmp

Filesize
8KB

Download
memory/4824-134-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/4824-135-0x0000000006330000-0x00000000063C2000-memory.dmp

Filesize
584KB

Download
memory/4824-136-0x00000000063E0000-0x0000000006456000-memory.dmp

Filesize
472KB

Download
memory/4824-137-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/4824-138-0x00000000067F0000-0x00000000069B2000-memory.dmp

Filesize
1.8MB

Download
memory/4824-139-0x00000000069D0000-0x0000000006EFC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing