metastealer | 54495fecb835148e833c39bafdecf16a816c029c8dd2ae2e049a583eccfc6da4

General

Target

54495fecb835148e833c39bafdecf16a816c029c8dd2ae2e049a583eccfc6da4.exe
Size

413KB
MD5

92c2f37d5fb51fbe04ee2aeafc915dae
SHA1

39e0cb735dbe5d47cedf6792e25cb73d63858c6c
SHA256

54495fecb835148e833c39bafdecf16a816c029c8dd2ae2e049a583eccfc6da4
SHA512

f3fb607a7cac6635f2880669da5666c6f478b7cecbc14f240455a74aa3402f6cf9f6a4f45b879176e86c9653b09d7f55160e181bbe3a9063efdeeac4bee6b8f1

Score

10^/10

metastealer redline 50 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

50

C2

193.106.191.153:23196

Attributes

auth_value
8735fcb130c82dd9d353478678d60bde

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2516	54495fecb835148e833c39bafdecf16a816c029c8dd2ae2e049a583eccfc6da4.exe
2516	54495fecb835148e833c39bafdecf16a816c029c8dd2ae2e049a583eccfc6da4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	54495fecb835148e833c39bafdecf16a816c029c8dd2ae2e049a583eccfc6da4.exe

C:\Users\Admin\AppData\Local\Temp\54495fecb835148e833c39bafdecf16a816c029c8dd2ae2e049a583eccfc6da4.exe
"C:\Users\Admin\AppData\Local\Temp\54495fecb835148e833c39bafdecf16a816c029c8dd2ae2e049a583eccfc6da4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2516-113-0x0000000000679000-0x00000000006A3000-memory.dmp

Filesize
168KB

Download
memory/2516-114-0x0000000002520000-0x0000000002550000-memory.dmp

Filesize
192KB

Download
memory/2516-115-0x0000000004B70000-0x000000000506E000-memory.dmp

Filesize
5.0MB

Download
memory/2516-116-0x00000000026C0000-0x00000000026EE000-memory.dmp

Filesize
184KB

Download
memory/2516-117-0x0000000000679000-0x00000000006A3000-memory.dmp

Filesize
168KB

Download
memory/2516-118-0x0000000000610000-0x0000000000647000-memory.dmp

Filesize
220KB

Download
memory/2516-119-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2516-120-0x0000000005690000-0x0000000005C96000-memory.dmp

Filesize
6.0MB

Download
memory/2516-121-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/2516-122-0x0000000005130000-0x000000000523A000-memory.dmp

Filesize
1.0MB

Download
memory/2516-123-0x0000000005260000-0x000000000529E000-memory.dmp

Filesize
248KB

Download
memory/2516-124-0x00000000053D0000-0x000000000541B000-memory.dmp

Filesize
300KB

Download
memory/2516-125-0x0000000002594000-0x0000000002596000-memory.dmp

Filesize
8KB

Download
memory/2516-126-0x0000000005570000-0x00000000055E6000-memory.dmp

Filesize
472KB

Download
memory/2516-127-0x0000000005CA0000-0x0000000005D32000-memory.dmp

Filesize
584KB

Download
memory/2516-128-0x0000000005540000-0x000000000555E000-memory.dmp

Filesize
120KB

Download
memory/2516-129-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/2516-130-0x0000000006670000-0x0000000006832000-memory.dmp

Filesize
1.8MB

Download
memory/2516-131-0x0000000006850000-0x0000000006D7C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing