metastealer | 98fea55f7585644b6f43651491e22f91fd57a1b99c4320c11a0f67ce7c486885

General

Target

a410935df72f79ea065d92b0036b287c.exe
Size

4.5MB
MD5

a410935df72f79ea065d92b0036b287c
SHA1

28465a4ab42d116fe260e103557b60dca92e02ce
SHA256

98fea55f7585644b6f43651491e22f91fd57a1b99c4320c11a0f67ce7c486885
SHA512

359f3c9af3a2968a0be4952bc2b286db670e546ac0232a0c0ac6fe39347c485e1ac140755be5c9e45606f5a02354802b1a6699bccf6e56ad1435105471c6d03d

Score

10^/10

metastealer redline 10 evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

10

C2

185.183.32.227:80

Attributes

auth_value
187348b4b0ba6b71d26eaf47eb720dc2

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4772-139-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a410935df72f79ea065d92b0036b287c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a410935df72f79ea065d92b0036b287c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a410935df72f79ea065d92b0036b287c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4780 set thread context of 4772	4780	a410935df72f79ea065d92b0036b287c.exe	81

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4772	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4772	4780	a410935df72f79ea065d92b0036b287c.exe	81
PID 4780 wrote to memory of 4772	4780	a410935df72f79ea065d92b0036b287c.exe	81
PID 4780 wrote to memory of 4772	4780	a410935df72f79ea065d92b0036b287c.exe	81
PID 4780 wrote to memory of 4772	4780	a410935df72f79ea065d92b0036b287c.exe	81
PID 4780 wrote to memory of 4772	4780	a410935df72f79ea065d92b0036b287c.exe	81

C:\Users\Admin\AppData\Local\Temp\a410935df72f79ea065d92b0036b287c.exe
"C:\Users\Admin\AppData\Local\Temp\a410935df72f79ea065d92b0036b287c.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4772-147-0x0000000005650000-0x000000000568C000-memory.dmp

Filesize
240KB

Download
memory/4772-149-0x0000000007010000-0x00000000075B4000-memory.dmp

Filesize
5.6MB

Download
memory/4772-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4772-144-0x0000000005AD0000-0x00000000060E8000-memory.dmp

Filesize
6.1MB

Download
memory/4772-145-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/4772-146-0x00000000056A0000-0x00000000057AA000-memory.dmp

Filesize
1.0MB

Download
memory/4772-148-0x00000000068E0000-0x0000000006946000-memory.dmp

Filesize
408KB

Download
memory/4772-155-0x0000000007C60000-0x0000000007CB0000-memory.dmp

Filesize
320KB

Download
memory/4772-150-0x0000000006B50000-0x0000000006BE2000-memory.dmp

Filesize
584KB

Download
memory/4772-151-0x0000000006BF0000-0x0000000006C66000-memory.dmp

Filesize
472KB

Download
memory/4772-152-0x0000000006F10000-0x0000000006F2E000-memory.dmp

Filesize
120KB

Download
memory/4772-153-0x0000000007890000-0x0000000007A52000-memory.dmp

Filesize
1.8MB

Download
memory/4772-154-0x0000000007F90000-0x00000000084BC000-memory.dmp

Filesize
5.2MB

Download
memory/4780-134-0x0000000000400000-0x0000000000D5F000-memory.dmp

Filesize
9.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads