metastealer | 95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00

General

Target

95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
Size

7.9MB
MD5

66eeed112f302db2ee39e58cf6eb0c2e
SHA1

7f614ccb6d175a343be4e9d18787f723e4a25e76
SHA256

95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00
SHA512

2009a6e680d208759cccef72ab3000e232eb323befe6217960eba42b53765e7df2833be36bd8a6fd0dd33c54624d49a8a1f49ad73f27ec8a92924b5bb43d7280

Score

10^/10

metastealer discovery stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

Executes dropped EXE 2 IoCs

pid	Process
3412	TechSuiteUpdater.exe
2544	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	TechSuiteUpdater.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
Key created	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3448	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
3448	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
3412	TechSuiteUpdater.exe
3412	TechSuiteUpdater.exe
3412	TechSuiteUpdater.exe
3412	TechSuiteUpdater.exe
3412	TechSuiteUpdater.exe
2544	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
2544	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
Token: SeDebugPrivilege	3412	TechSuiteUpdater.exe
Token: SeDebugPrivilege	2544	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
2544	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 3412	3448	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe	92
PID 3448 wrote to memory of 3412	3448	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe	92
PID 3412 wrote to memory of 2544	3412	TechSuiteUpdater.exe	96
PID 3412 wrote to memory of 2544	3412	TechSuiteUpdater.exe	96

C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
"C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\TechSuiteUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\TechSuiteUpdater.exe" 1.0.7.0 3448 95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe False
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
    "C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Filesize
10.4MB

MD5
2ae302b589c44c3d0f675d34daf0e5c5

SHA1
a0875a2fad02a83cd3522737aff202dccd40d9c9

SHA256
620f5dc2875abb745d3660b17ff6b3c344ead9f08e4729dab20b7d9b6582649f

SHA512
aff2f9fa2b8def6136e033fad512a14c5a11c1daab335180f60bc2bb709a57103ebd4ecb32f74da1a351c755806ac841daa01fa41585a71552bae7d0ac3cbaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Filesize
10.4MB

MD5
2ae302b589c44c3d0f675d34daf0e5c5

SHA1
a0875a2fad02a83cd3522737aff202dccd40d9c9

SHA256
620f5dc2875abb745d3660b17ff6b3c344ead9f08e4729dab20b7d9b6582649f

SHA512
aff2f9fa2b8def6136e033fad512a14c5a11c1daab335180f60bc2bb709a57103ebd4ecb32f74da1a351c755806ac841daa01fa41585a71552bae7d0ac3cbaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TechSuiteUpdater.exe

Filesize
1.5MB

MD5
46adfcab1b505e4045615a60946b3e90

SHA1
99b36a6acc75118b98b7969daa9e6b818354f2e1

SHA256
10c818e4fa3c9d50c5af50644762e5136db7ab0d5550d84f2e2e648f38f723d2

SHA512
fbee21ae626c102978350a3bc7cd3c8ec8519641c3fb7cf03feba3c5327fd7fbd37a3f141babd07bf834c01c53d31828f27d4da3fb2dc1ab5a10e48f38892623

Download Submit
C:\Users\Admin\AppData\Local\Temp\TechSuiteUpdater.exe

Filesize
1.5MB

MD5
46adfcab1b505e4045615a60946b3e90

SHA1
99b36a6acc75118b98b7969daa9e6b818354f2e1

SHA256
10c818e4fa3c9d50c5af50644762e5136db7ab0d5550d84f2e2e648f38f723d2

SHA512
fbee21ae626c102978350a3bc7cd3c8ec8519641c3fb7cf03feba3c5327fd7fbd37a3f141babd07bf834c01c53d31828f27d4da3fb2dc1ab5a10e48f38892623

Download Submit
C:\Users\Admin\AppData\Local\Temp\TechSuite\Config\techsuite_debug.txt

Filesize
708B

MD5
e64585e1903c3e83980be22939b7ec10

SHA1
2db883bb0aefedde4a722bb6f3f978b4abed6c94

SHA256
1c276a34568174d147540a7e53a955a1fd7356ceb7ea1c89d48c628844b824ae

SHA512
5adb5be80a643596d3e1a18d9ffd5dfbb83c63b2ead7121053c671bb1b01a41ded0510107303db631fcbdc911abf2b2ebd3a7f0445775c1f94b01d4b84651895

Download Submit
C:\Users\Admin\AppData\Local\Temp\TechSuite_new.exe

Filesize
10.4MB

MD5
2ae302b589c44c3d0f675d34daf0e5c5

SHA1
a0875a2fad02a83cd3522737aff202dccd40d9c9

SHA256
620f5dc2875abb745d3660b17ff6b3c344ead9f08e4729dab20b7d9b6582649f

SHA512
aff2f9fa2b8def6136e033fad512a14c5a11c1daab335180f60bc2bb709a57103ebd4ecb32f74da1a351c755806ac841daa01fa41585a71552bae7d0ac3cbaa9

Download Submit
memory/2544-142-0x00007FFF8FA00000-0x00007FFF904C1000-memory.dmp

Filesize
10.8MB

Download
memory/2544-144-0x000000001C382000-0x000000001C384000-memory.dmp

Filesize
8KB

Download
memory/2544-148-0x0000000025DE0000-0x0000000025DE3000-memory.dmp

Filesize
12KB

Download
memory/2544-147-0x000000001C38A000-0x000000001C38F000-memory.dmp

Filesize
20KB

Download
memory/2544-146-0x000000001C385000-0x000000001C387000-memory.dmp

Filesize
8KB

Download
memory/2544-145-0x0000000022670000-0x0000000022B98000-memory.dmp

Filesize
5.2MB

Download
memory/2544-143-0x000000001C380000-0x000000001C382000-memory.dmp

Filesize
8KB

Download
memory/2544-140-0x0000000000C00000-0x0000000001660000-memory.dmp

Filesize
10.4MB

Download
memory/3412-136-0x000000001B552000-0x000000001B554000-memory.dmp

Filesize
8KB

Download
memory/3412-133-0x00007FFF8FA00000-0x00007FFF904C1000-memory.dmp

Filesize
10.8MB

Download
memory/3412-134-0x000000001B550000-0x000000001B552000-memory.dmp

Filesize
8KB

Download
memory/3412-132-0x0000000000730000-0x00000000008B0000-memory.dmp

Filesize
1.5MB

Download
memory/3448-126-0x000000001B800000-0x000000001B802000-memory.dmp

Filesize
8KB

Download
memory/3448-127-0x000000001B802000-0x000000001B804000-memory.dmp

Filesize
8KB

Download
memory/3448-125-0x00007FFF8FA00000-0x00007FFF904C1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-124-0x0000000000220000-0x0000000000A02000-memory.dmp

Filesize
7.9MB

Download
memory/3448-128-0x00000000209E0000-0x0000000020A02000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing