metastealer | e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f

General

Target

e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f.exe
Size

939KB
MD5

c7b2f2bf03dc91ffb2b9beab50aa5835
SHA1

23c70b6de6c3a2958d1b0dc25b691106f215ac0f
SHA256

e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f
SHA512

dedc8b90306de0c0b1bfddd2f3a7a31a3c096e036a24e14794aa63dc8a40af8455110cc260ebb4651ee02c336eb9e04e99afd969e70341e2f3a770d744d86875

Score

10^/10

metastealer redline discovery infostealer spyware stealer

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

resource	yara_rule
behavioral1/memory/600-130-0x0000000000BD0000-0x0000000000C99000-memory.dmp	family_redline
behavioral1/memory/600-131-0x0000000000BD0000-0x0000000000C99000-memory.dmp	family_redline
behavioral1/memory/600-135-0x0000000000BD0000-0x0000000000C99000-memory.dmp	family_redline
behavioral1/memory/600-136-0x0000000000BD0000-0x0000000000C99000-memory.dmp	family_redline
behavioral1/memory/600-137-0x0000000000BD0000-0x0000000000C99000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
600	e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
600	e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f.exe
600	e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f.exe
600	e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	600	e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f.exe

C:\Users\Admin\AppData\Local\Temp\e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f.exe
"C:\Users\Admin\AppData\Local\Temp\e5bf5fad9a4c4d6351fc00763305c35419b1bbf9aef689973112fccdd289292f.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-130-0x0000000000BD0000-0x0000000000C99000-memory.dmp

Filesize
804KB

Download
memory/600-131-0x0000000000BD0000-0x0000000000C99000-memory.dmp

Filesize
804KB

Download
memory/600-132-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/600-134-0x0000000076150000-0x0000000076365000-memory.dmp

Filesize
2.1MB

Download
memory/600-135-0x0000000000BD0000-0x0000000000C99000-memory.dmp

Filesize
804KB

Download
memory/600-133-0x0000000001210000-0x0000000001256000-memory.dmp

Filesize
280KB

Download
memory/600-136-0x0000000000BD0000-0x0000000000C99000-memory.dmp

Filesize
804KB

Download
memory/600-137-0x0000000000BD0000-0x0000000000C99000-memory.dmp

Filesize
804KB

Download
memory/600-138-0x00000000730E0000-0x0000000073169000-memory.dmp

Filesize
548KB

Download
memory/600-139-0x0000000076D20000-0x00000000772D3000-memory.dmp

Filesize
5.7MB

Download
memory/600-140-0x0000000005FB0000-0x00000000065C8000-memory.dmp

Filesize
6.1MB

Download
memory/600-141-0x0000000005930000-0x0000000005942000-memory.dmp

Filesize
72KB

Download
memory/600-142-0x0000000005AA0000-0x0000000005BAA000-memory.dmp

Filesize
1.0MB

Download
memory/600-143-0x00000000059D0000-0x0000000005A0C000-memory.dmp

Filesize
240KB

Download
memory/600-144-0x000000006E8F0000-0x000000006E93C000-memory.dmp

Filesize
304KB

Download
memory/600-145-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download
memory/600-146-0x0000000006E60000-0x0000000006EF2000-memory.dmp

Filesize
584KB

Download
memory/600-147-0x0000000006F00000-0x0000000006F76000-memory.dmp

Filesize
472KB

Download
memory/600-148-0x0000000007200000-0x000000000721E000-memory.dmp

Filesize
120KB

Download
memory/600-149-0x00000000078B0000-0x0000000007916000-memory.dmp

Filesize
408KB

Download
memory/600-150-0x0000000007C30000-0x0000000007DF2000-memory.dmp

Filesize
1.8MB

Download
memory/600-151-0x0000000008330000-0x000000000885C000-memory.dmp

Filesize
5.2MB

Download
memory/600-152-0x0000000007B80000-0x0000000007BD0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing