metastealer | bf443e407476f3c013f106bb2ffc7540dac5dc5badd162b9574f13fa500604ce

General

Target

40073a62aad20fcaf8226d3ed7b7dd98.exe
Size

367KB
MD5

40073a62aad20fcaf8226d3ed7b7dd98
SHA1

c50ea827a4e6695594580a562cfd8fd31630de90
SHA256

bf443e407476f3c013f106bb2ffc7540dac5dc5badd162b9574f13fa500604ce
SHA512

6f98ea608485b6cde18b1b16d0ef7820f0f5d27d70e5b68ba170675a5f5f6c8e10098caf1799c8e3d54be01e02c8536981c322025b79118d6b0b7fee9935adb7

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2280	2060	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	40073a62aad20fcaf8226d3ed7b7dd98.exe
2060	40073a62aad20fcaf8226d3ed7b7dd98.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	40073a62aad20fcaf8226d3ed7b7dd98.exe

C:\Users\Admin\AppData\Local\Temp\40073a62aad20fcaf8226d3ed7b7dd98.exe
"C:\Users\Admin\AppData\Local\Temp\40073a62aad20fcaf8226d3ed7b7dd98.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1160
  2⤵
  - Program crash
  PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2060 -ip 2060
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2060-124-0x0000000000592000-0x00000000005BC000-memory.dmp

Filesize
168KB

Download
memory/2060-125-0x0000000004D90000-0x0000000005334000-memory.dmp

Filesize
5.6MB

Download
memory/2060-126-0x0000000000592000-0x00000000005BC000-memory.dmp

Filesize
168KB

Download
memory/2060-127-0x00000000021F0000-0x0000000002227000-memory.dmp

Filesize
220KB

Download
memory/2060-128-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2060-129-0x0000000005340000-0x0000000005958000-memory.dmp

Filesize
6.1MB

Download
memory/2060-130-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/2060-131-0x0000000004C60000-0x0000000004D6A000-memory.dmp

Filesize
1.0MB

Download
memory/2060-132-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/2060-133-0x0000000004D84000-0x0000000004D86000-memory.dmp

Filesize
8KB

Download
memory/2060-134-0x0000000005DC0000-0x0000000005E36000-memory.dmp

Filesize
472KB

Download
memory/2060-135-0x0000000005EC0000-0x0000000005F52000-memory.dmp

Filesize
584KB

Download
memory/2060-136-0x0000000006060000-0x000000000607E000-memory.dmp

Filesize
120KB

Download
memory/2060-137-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/2060-138-0x00000000067F0000-0x00000000069B2000-memory.dmp

Filesize
1.8MB

Download
memory/2060-139-0x00000000069D0000-0x0000000006EFC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing