metastealer | 92cf7bd32bc8125a758cafd97fc06559994b57ed94f641f74f2da07de284aff3

Resubmissions

13-11-2023 22:04

231113-1yw23afg53 10

15-04-2022 07:01

220415-hs782adef5 10

Analysis

max time kernel
139s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-04-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoInstall.exe
Size

1.8MB
MD5

d22dea0339065ec05cccf525b72a7b12
SHA1

fb73af59c4498f28ffd714d467551ec465b77d7d
SHA256

92cf7bd32bc8125a758cafd97fc06559994b57ed94f641f74f2da07de284aff3
SHA512

9b947179aac2233f83e24f5892aeeba2aa2240f5bf32d323395e712ae02844b04e56abbea16e6e7c34559b7a4ad5ab53a9049bf6eb2a31cbcb59be180dfde573

Score

10^/10

metastealer redline @sdsaads2 infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@SDSAads2

104.168.44.52:80

Attributes

auth_value
589d0e9314616e09f68efd12b2086ab8

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4816-134-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3104	svhost.exe
3068	debug.exe
2232	Defender.exe
2792	MoUSO.exe
4748	MoUSO.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3460 set thread context of 4816	3460	AutoInstall.exe	78
PID 2232 set thread context of 4740	2232	Defender.exe	83

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4816	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	AppLaunch.exe
Token: SeDebugPrivilege	3104	svhost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4816	3460	AutoInstall.exe	78
PID 3460 wrote to memory of 4816	3460	AutoInstall.exe	78
PID 3460 wrote to memory of 4816	3460	AutoInstall.exe	78
PID 3460 wrote to memory of 4816	3460	AutoInstall.exe	78
PID 3460 wrote to memory of 4816	3460	AutoInstall.exe	78
PID 4816 wrote to memory of 3104	4816	AppLaunch.exe	79
PID 4816 wrote to memory of 3104	4816	AppLaunch.exe	79
PID 4816 wrote to memory of 3104	4816	AppLaunch.exe	79
PID 4816 wrote to memory of 3068	4816	AppLaunch.exe	80
PID 4816 wrote to memory of 3068	4816	AppLaunch.exe	80
PID 4816 wrote to memory of 3068	4816	AppLaunch.exe	80
PID 4816 wrote to memory of 2232	4816	AppLaunch.exe	81
PID 4816 wrote to memory of 2232	4816	AppLaunch.exe	81
PID 4816 wrote to memory of 2232	4816	AppLaunch.exe	81
PID 2232 wrote to memory of 4740	2232	Defender.exe	83
PID 2232 wrote to memory of 4740	2232	Defender.exe	83
PID 2232 wrote to memory of 4740	2232	Defender.exe	83
PID 2232 wrote to memory of 4740	2232	Defender.exe	83
PID 2232 wrote to memory of 4740	2232	Defender.exe	83
PID 4740 wrote to memory of 4844	4740	AppLaunch.exe	84
PID 4740 wrote to memory of 4844	4740	AppLaunch.exe	84
PID 4740 wrote to memory of 4844	4740	AppLaunch.exe	84

C:\Users\Admin\AppData\Local\Temp\AutoInstall.exe
"C:\Users\Admin\AppData\Local\Temp\AutoInstall.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Users\Admin\AppData\Local\Temp\debug.exe
    "C:\Users\Admin\AppData\Local\Temp\debug.exe"
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\Defender.exe
    "C:\Users\Admin\AppData\Local\Temp\Defender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4844

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Defender.exe

Filesize
1.9MB

MD5
c579e22d0be8514b92ac1b683a00a450

SHA1
c06796625354c2320eb72bd9a110c6f524b34781

SHA256
adaf6731cc2902c106b3da59acfa1ccb6fd784d74415de58c0b879452f316464

SHA512
c08d9bc83e6431a5d783a05ae98e62dea906189f93819418e67dfb1395edb2517465d086bf209fbc4f3fa084cc4ad835a0bf24d28672662831b53b6d998d891a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe

Filesize
1.9MB

MD5
c579e22d0be8514b92ac1b683a00a450

SHA1
c06796625354c2320eb72bd9a110c6f524b34781

SHA256
adaf6731cc2902c106b3da59acfa1ccb6fd784d74415de58c0b879452f316464

SHA512
c08d9bc83e6431a5d783a05ae98e62dea906189f93819418e67dfb1395edb2517465d086bf209fbc4f3fa084cc4ad835a0bf24d28672662831b53b6d998d891a

Download Submit
C:\Users\Admin\AppData\Local\Temp\debug.exe

Filesize
393KB

MD5
1b1f2dcd6719af36b67a0ed45351208f

SHA1
7c51957f3a4149480e6d6fb0b348c7056a1f348e

SHA256
5b48c45c9a8a4d2b2641d6c573db88fad8e96e67d10957018543d1e2998f565a

SHA512
f2c057fa83427247dbfc1615f5c2b4294927b70b9dca129d6cbcb65a173253151ef61f8e7af81ca3f5e56106737162e1bcca612bb2de4be8da600b34c33e0902

Download Submit
C:\Users\Admin\AppData\Local\Temp\debug.exe

Filesize
393KB

MD5
1b1f2dcd6719af36b67a0ed45351208f

SHA1
7c51957f3a4149480e6d6fb0b348c7056a1f348e

SHA256
5b48c45c9a8a4d2b2641d6c573db88fad8e96e67d10957018543d1e2998f565a

SHA512
f2c057fa83427247dbfc1615f5c2b4294927b70b9dca129d6cbcb65a173253151ef61f8e7af81ca3f5e56106737162e1bcca612bb2de4be8da600b34c33e0902

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
224KB

MD5
fa80d46b0c9936d6c1f59f5761b4757b

SHA1
19e774e899d67b02fd332174a1cc1c28a8924912

SHA256
77492bb533f2378d81060cf271153ea8ceaa71e41027ec732606a5fd974ff19e

SHA512
a24ce54f84dc2bbadda49bc6e037f8cdab8effd7a08c4e2af22d2b0508d90f2eed0ce760c286092739ec3f13242a8d39af3e9a23e16874669a34f6dae0890fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
224KB

MD5
fa80d46b0c9936d6c1f59f5761b4757b

SHA1
19e774e899d67b02fd332174a1cc1c28a8924912

SHA256
77492bb533f2378d81060cf271153ea8ceaa71e41027ec732606a5fd974ff19e

SHA512
a24ce54f84dc2bbadda49bc6e037f8cdab8effd7a08c4e2af22d2b0508d90f2eed0ce760c286092739ec3f13242a8d39af3e9a23e16874669a34f6dae0890fd7

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
memory/2232-163-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/3068-161-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3104-162-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/3104-157-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/3460-132-0x0000000000990000-0x0000000000B6C000-memory.dmp

Filesize
1.9MB

Download
memory/4740-165-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/4740-172-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/4816-148-0x0000000008FC0000-0x0000000009010000-memory.dmp

Filesize
320KB

Download
memory/4816-141-0x0000000007A30000-0x0000000007B3A000-memory.dmp

Filesize
1.0MB

Download
memory/4816-140-0x0000000005DD0000-0x0000000005DE2000-memory.dmp

Filesize
72KB

Download
memory/4816-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4816-150-0x000000000A4A0000-0x000000000A9CC000-memory.dmp

Filesize
5.2MB

Download
memory/4816-149-0x0000000009920000-0x0000000009AE2000-memory.dmp

Filesize
1.8MB

Download
memory/4816-139-0x0000000005F90000-0x00000000065A8000-memory.dmp

Filesize
6.1MB

Download
memory/4816-147-0x0000000008DF0000-0x0000000008E0E000-memory.dmp

Filesize
120KB

Download
memory/4816-146-0x0000000008C30000-0x0000000008CA6000-memory.dmp

Filesize
472KB

Download
memory/4816-145-0x0000000008B90000-0x0000000008C22000-memory.dmp

Filesize
584KB

Download
memory/4816-142-0x0000000007920000-0x000000000795C000-memory.dmp

Filesize
240KB

Download
memory/4816-144-0x00000000090A0000-0x0000000009644000-memory.dmp

Filesize
5.6MB

Download
memory/4816-143-0x0000000008A80000-0x0000000008AE6000-memory.dmp

Filesize
408KB

Download