metastealer | 4c3622798c473202ef6f648c098cb71d1bd6b35c98ce36ebe525299f6599124b

Analysis

Target

9cf3483969457f0b6046eae0f281c43c.exe
Size

367KB
MD5

9cf3483969457f0b6046eae0f281c43c
SHA1

d647a4762c742799453dc40e2e2b81c350875e34
SHA256

4c3622798c473202ef6f648c098cb71d1bd6b35c98ce36ebe525299f6599124b
SHA512

7b2a2213b935b305178c5beda1d2367cd8a8207dccd6ee9ed119f15147827b8587e03fc633a241031b36fbf93eca786c6f1ab77e90703465f60fbd5f4a4e4746

Score

10^/10

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	4804	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	9cf3483969457f0b6046eae0f281c43c.exe
4804	9cf3483969457f0b6046eae0f281c43c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	9cf3483969457f0b6046eae0f281c43c.exe

C:\Users\Admin\AppData\Local\Temp\9cf3483969457f0b6046eae0f281c43c.exe
"C:\Users\Admin\AppData\Local\Temp\9cf3483969457f0b6046eae0f281c43c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1152
  2⤵
  - Program crash
  PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4804 -ip 4804
1⤵
PID:4260

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/4804-125-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/4804-126-0x0000000000710000-0x0000000000747000-memory.dmp

Filesize
220KB

Download
memory/4804-127-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4804-128-0x0000000004E70000-0x0000000005414000-memory.dmp

Filesize
5.6MB

Download
memory/4804-129-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/4804-130-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4804-131-0x0000000004C70000-0x0000000004D7A000-memory.dmp

Filesize
1.0MB

Download
memory/4804-132-0x0000000004DB0000-0x0000000004DEC000-memory.dmp

Filesize
240KB

Download
memory/4804-133-0x0000000004E64000-0x0000000004E66000-memory.dmp

Filesize
8KB

Download
memory/4804-134-0x0000000005C70000-0x0000000005CE6000-memory.dmp

Filesize
472KB

Download
memory/4804-135-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/4804-136-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/4804-137-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/4804-138-0x00000000067E0000-0x00000000069A2000-memory.dmp

Filesize
1.8MB

Download
memory/4804-139-0x00000000069B0000-0x0000000006EDC000-memory.dmp

Filesize
5.2MB

Download