metastealer | 32c1e1a834294cc3b4ce9c790c8faf4bd218412859b55b21129ffe991064eeae

General

Target

503fb1498e1c257cf61ade325e9a3a60.exe
Size

491KB
MD5

503fb1498e1c257cf61ade325e9a3a60
SHA1

786094aece0a643b4924b02ef98b82c8585394f1
SHA256

32c1e1a834294cc3b4ce9c790c8faf4bd218412859b55b21129ffe991064eeae
SHA512

4b8eb12a82275ae1e084a76aea4293bc502ec71bfef100bf0391e836b520701374430415aac6a5b6b9bf89e815b989f87c0505721d2cbd153b040239c2d246e1

Score

10^/10

metastealer redline aus discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

AUS

C2

147.189.161.112:42516

Attributes

auth_value
2e0aea8f686e4f39fb1ab50a9d815c7c

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3360-138-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/3360-139-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3360	503fb1498e1c257cf61ade325e9a3a60.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	503fb1498e1c257cf61ade325e9a3a60.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77
PID 1416 wrote to memory of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77
PID 1416 wrote to memory of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77
PID 1416 wrote to memory of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77
PID 1416 wrote to memory of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77
PID 1416 wrote to memory of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77
PID 1416 wrote to memory of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77
PID 1416 wrote to memory of 3360	1416	503fb1498e1c257cf61ade325e9a3a60.exe	77

C:\Users\Admin\AppData\Local\Temp\503fb1498e1c257cf61ade325e9a3a60.exe
"C:\Users\Admin\AppData\Local\Temp\503fb1498e1c257cf61ade325e9a3a60.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\503fb1498e1c257cf61ade325e9a3a60.exe
  C:\Users\Admin\AppData\Local\Temp\503fb1498e1c257cf61ade325e9a3a60.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\503fb1498e1c257cf61ade325e9a3a60.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
memory/1416-135-0x0000000004EC0000-0x0000000004F36000-memory.dmp

Filesize
472KB

Download
memory/1416-136-0x0000000004E60000-0x0000000004E7E000-memory.dmp

Filesize
120KB

Download
memory/1416-137-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/1416-134-0x00000000004D0000-0x0000000000552000-memory.dmp

Filesize
520KB

Download
memory/3360-142-0x0000000005B20000-0x0000000005B32000-memory.dmp

Filesize
72KB

Download
memory/3360-139-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3360-141-0x00000000060A0000-0x00000000066B8000-memory.dmp

Filesize
6.1MB

Download
memory/3360-143-0x0000000005C50000-0x0000000005D5A000-memory.dmp

Filesize
1.0MB

Download
memory/3360-144-0x0000000005EE0000-0x0000000005F1C000-memory.dmp

Filesize
240KB

Download
memory/3360-145-0x00000000089F0000-0x0000000008A82000-memory.dmp

Filesize
584KB

Download
memory/3360-146-0x0000000008DB0000-0x0000000008E16000-memory.dmp

Filesize
408KB

Download
memory/3360-147-0x00000000095F0000-0x00000000097B2000-memory.dmp

Filesize
1.8MB

Download
memory/3360-148-0x0000000009CF0000-0x000000000A21C000-memory.dmp

Filesize
5.2MB

Download
memory/3360-149-0x0000000009A50000-0x0000000009AA0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing