metastealer | 65ef6adfb666a45e55ba073a32dac18f67a74ae4f3c7f68ac967df5c88d8da43

Analysis

Target

f6c01d882a004b44dac33cdab3c86eaa.exe
Size

366KB
MD5

f6c01d882a004b44dac33cdab3c86eaa
SHA1

d5efe57d03b882b95362288211ffb48c0fa47935
SHA256

65ef6adfb666a45e55ba073a32dac18f67a74ae4f3c7f68ac967df5c88d8da43
SHA512

dc4431349ab8182a1016baf53fcc86da847fdde014ddf8baa4e944735baf9427fdd40007d7fa4d565fa0ebf0561c1215983aede39b4cf96c0b6689d6a1046f6e

Score

10^/10

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4100	756	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
756	f6c01d882a004b44dac33cdab3c86eaa.exe
756	f6c01d882a004b44dac33cdab3c86eaa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	f6c01d882a004b44dac33cdab3c86eaa.exe

C:\Users\Admin\AppData\Local\Temp\f6c01d882a004b44dac33cdab3c86eaa.exe
"C:\Users\Admin\AppData\Local\Temp\f6c01d882a004b44dac33cdab3c86eaa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1176
  2⤵
  - Program crash
  PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 756 -ip 756
1⤵
PID:3380

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/756-124-0x0000000000522000-0x000000000054C000-memory.dmp

Filesize
168KB

Download
memory/756-125-0x0000000000522000-0x000000000054C000-memory.dmp

Filesize
168KB

Download
memory/756-126-0x00000000007F0000-0x0000000000827000-memory.dmp

Filesize
220KB

Download
memory/756-127-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/756-128-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/756-129-0x0000000005170000-0x0000000005788000-memory.dmp

Filesize
6.1MB

Download
memory/756-130-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/756-131-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/756-132-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/756-133-0x0000000004B64000-0x0000000004B66000-memory.dmp

Filesize
8KB

Download
memory/756-134-0x0000000005DC0000-0x0000000005E36000-memory.dmp

Filesize
472KB

Download
memory/756-135-0x0000000005EC0000-0x0000000005F52000-memory.dmp

Filesize
584KB

Download
memory/756-136-0x0000000005E60000-0x0000000005E7E000-memory.dmp

Filesize
120KB

Download
memory/756-137-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/756-138-0x00000000068F0000-0x0000000006AB2000-memory.dmp

Filesize
1.8MB

Download
memory/756-139-0x0000000006AE0000-0x000000000700C000-memory.dmp

Filesize
5.2MB

Download