metastealer | d48b7e4c2955e6764ab696429590bed38b4afa9b4d49a103e99a61314825e9cd | Triage

Sharing

General

Target

d48b7e4c2955e6764ab696429590bed38b4afa9b4d49a103e99a61314825e9cd
Size

456KB
Sample

220414-n1zjraadh6
MD5

f8dbb51b18bc60d943da14368a5d6c58
SHA1

fae8de8cc751859d7498b8e28104b462beca0a96
SHA256

d48b7e4c2955e6764ab696429590bed38b4afa9b4d49a103e99a61314825e9cd
SHA512

1e5284515b33a4de8ee00833d2cd8073bf762fca530fba950d71849773a00492b60f126a77ac4d3df01ce8b09b25abcc00419aa41efbedb20edbf45d9090ecc0

Score

10^/10

metastealer nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

farah99.zapto.org:19720

Mutex

6d50c134-6325-499c-b5ec-dbc7a37a8117

Attributes

activate_away_mode
true
backup_connection_host
farah99.zapto.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-08-20T23:36:09.518759436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
19720
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6d50c134-6325-499c-b5ec-dbc7a37a8117
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
farah99.zapto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  d48b7e4c2955e6764ab696429590bed38b4afa9b4d49a103e99a61314825e9cd
- Size
  
  456KB
- MD5
  
  f8dbb51b18bc60d943da14368a5d6c58
- SHA1
  
  fae8de8cc751859d7498b8e28104b462beca0a96
- SHA256
  
  d48b7e4c2955e6764ab696429590bed38b4afa9b4d49a103e99a61314825e9cd
- SHA512
  
  1e5284515b33a4de8ee00833d2cd8073bf762fca530fba950d71849773a00492b60f126a77ac4d3df01ce8b09b25abcc00419aa41efbedb20edbf45d9090ecc0
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan metastealer
- Meta Stealer Stealer
  Meta Stealer steals passwords stored in browsers, written in C++.
  stealer metastealer
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerpersistencespywarestealertrojan

behavioral2

metastealernanocoreevasionkeyloggerpersistencespywarestealertrojan