metastealer | 6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac

Resubmissions

17-12-2023 23:15

231217-28y5vagccl 10

27-10-2023 11:50

231027-nzmhssfg49 10

14-10-2023 04:05

231014-enwgwshf97 10

Sharing

Copy URL

Twitter E-mail

General

Target

6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac
Size

12.1MB
MD5

d771632ff34c40d105363d7035f3cf4b
SHA1

af2ff96d8f81b3e3df2756ac27c9d23f35432435
SHA256

6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac
SHA512

fe954ed4e752f50b5aae5de36bb760610044acc3d19056b24b9a4ec6937d5c5c60f3ebd4d61b86c22af01599f2dc13e159714260c7d32877753b0e600e82a300
SSDEEP

196608:keOD8HOauP9k8YOOBQMfhXx/LVjuMP/2sP:Vw8CP8OOBZLLVaK/2s

Score

10^/10

metastealer

Malware Config

Signatures

MetaStealer payload 1 IoCs

Processes:

resource yara_rule

sample family_metastealer
Metastealer family
metastealer

resource	yara_rule
sample	family_metastealer

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac

Files

6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac
.dll windows:6 windows x86

3e526cb750e198d67dd1068bbcd2911b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

crypt32

CertOpenSystemStoreW
CertAddEncodedCertificateToStore
CertFreeCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CryptUnprotectData
CryptProtectData
CertOpenStore

gdiplus

GdipCreateBitmapFromHBITMAP
GdipFree
GdiplusStartup
GdiplusShutdown
GdipLoadImageFromStream
GdipCloneImage
GdipDisposeImage
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipDrawImageRectI
GdipSetInterpolationMode
GdipSetPixelOffsetMode
GdipSetSmoothingMode
GdipDeleteGraphics
GdipSaveImageToStream
GdipCreateBitmapFromScan0
GdipGetImagePixelFormat
GdipGetImageGraphicsContext
GdipAlloc

shlwapi

ord12

wininet

InternetSetOptionW

kernel32

QueryPerformanceCounter
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
GetSystemTimeAsFileTime
WideCharToMultiByte
FreeLibrary
SystemTimeToFileTime
GetProcessHeap
GetCurrentProcessId
GetFileSize
LockFileEx
LocalFree
GetProcAddress
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
LoadLibraryW
GetSystemInfo
CloseHandle
HeapReAlloc
DeleteFileW
DeleteFileA
WaitForSingleObjectEx
LoadLibraryA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetLastError
GetDiskFreeSpaceA
FormatMessageW
GetTempPathA
Sleep
MultiByteToWideChar
HeapSize
HeapValidate
UnmapViewOfFile
GetFileAttributesW
CreateFileW
WaitForSingleObject
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
GetFullPathNameW
HeapFree
HeapCreate
ReadFile
AreFileApisANSI
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
SetLastError
GetNativeSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetModuleHandleA
IsBadReadPtr
GetEnvironmentVariableW
GetDriveTypeW
GetLogicalDriveStringsW
CreatePipe
PeekNamedPipe
GetCurrentProcess
ExitProcess
TerminateProcess
GetExitCodeProcess
CreateRemoteThread
CreateProcessW
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
OpenProcess
GetWindowsDirectoryW
GetProductInfo
VirtualAllocEx
WriteProcessMemory
VirtualFreeEx
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
IsWow64Process
GetTickCount
K32GetModuleFileNameExW
SetStdHandle
GetTempFileNameA
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
QueryPerformanceFrequency
GetModuleFileNameA
GetModuleHandleExA
GetFileAttributesExA
FindClose
FindNextFileA
SetEvent
ResetEvent
CreateEventA
GetCurrentThread
GetThreadTimes
WaitForThreadpoolTimerCallbacks
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
GetTimeZoneInformation
SetConsoleCtrlHandler
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetModuleHandleExW
ResumeThread
ExitThread
CreateTimerQueue
GetVersionExW
UnregisterWait
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
GetThreadPriority
SetThreadPriority
SignalObjectAndWait
SetThreadpoolTimer
CreateThreadpoolTimer
FreeLibraryWhenCallbackReturns
GetTickCount64
GetCurrentProcessorNumber
FlushProcessWriteBuffers
CreateSemaphoreExW
CreateEventExW
SleepConditionVariableSRW
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
InitializeCriticalSectionEx
InitOnceComplete
InitOnceBeginInitialize
GetStringTypeW
GetFileInformationByHandleEx
MoveFileExW
CopyFileW
SetFileInformationByHandle
GetFinalPathNameByHandleW
GetFileInformationByHandle
FindNextFileW
FindFirstFileExW
FindFirstFileW
CreateDirectoryW
GetCurrentDirectoryW
GetLocaleInfoEx
TryAcquireSRWLockExclusive
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeSRWLock
GetExitCodeThread
RegisterWaitForSingleObject
FlushFileBuffers
GetUserDefaultLCID
EnumSystemLocalesW
CloseThreadpoolTimer
CreateThreadpoolWait
GetConsoleOutputCP
GetFileSizeEx
SetFilePointerEx
GetModuleFileNameW
SwitchToThread
GetStartupInfoW
IsDebuggerPresent
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
ReleaseSemaphore
DuplicateHandle
InitializeSListHead
GetModuleHandleW
CreateEventW
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
ReadConsoleW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
WriteConsoleW
CreateFileMappingA
SetThreadpoolWait
CloseThreadpoolWait
EncodePointer
DecodePointer
LoadLibraryExW
FreeLibraryAndExitThread
LCMapStringEx
GetCPInfo
RaiseException
LoadLibraryExA
RtlUnwind
VirtualQuery
CreateThread
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SwitchToFiber
DeleteFiber
CreateFiber
FindFirstFileA
GetStdHandle
GetFileType
ConvertFiberToThread
ConvertThreadToFiber
GetConsoleMode
SetConsoleMode
ReadConsoleA
CompareStringEx

ws2_32

select
recv
getsockopt
__WSAFDIsSet
closesocket
connect
ioctlsocket
getpeername
ntohs
send
WSASetLastError
inet_pton
getnameinfo
freeaddrinfo
getaddrinfo
WSASocketW
WSAGetLastError
WSACleanup
WSAStartup
socket
shutdown
setsockopt
getsockname

user32

SetWindowsHookExW
UnhookWindowsHook
SetWindowsHookA
GetWindow
GetWindowThreadProcessId
GetTopWindow
FindWindowW
GetParent
GetDesktopWindow
SetWindowLongW
GetWindowLongW
PtInRect
ChildWindowFromPoint
WindowFromPoint
GetProcessWindowStation
GetCursorPos
GetWindowRect
ReleaseDC
GetDC
UnhookWindowsHookEx
MenuItemFromPoint
IsWindowEnabled
GetKeyState
GetDlgItem
IsWindowVisible
GetWindowPlacement
MoveWindow
PrintWindow
PostMessageW
SendMessageW
SendMessageA
PeekMessageW
DispatchMessageW
TranslateMessage
CloseDesktop
SetThreadDesktop
OpenDesktopW
CreateDesktopW
GetUserObjectInformationW
EnumDisplaySettingsW
CallNextHookEx
MessageBoxA
SetProcessDPIAware
GetForegroundWindow
RealGetWindowClassW
ScreenToClient

gdi32

SetStretchBltMode
StretchBlt
SelectObject
GetDIBits
DeleteObject
DeleteDC
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt

shell32

SHGetFolderPathW
SHGetKnownFolderPath

ole32

StgCreateDocfile
CoInitialize
CoTaskMemFree
CoCreateInstance
CoUninitialize
CreateStreamOnHGlobal

oleaut32

VariantClear
VariantInit
SysStringLen
SysFreeString
OleCreatePropertyFrame
SysAllocString

advapi32

RegSetValueExW
RegCloseKey
RegCreateKeyExW
RegGetValueW
RegDeleteKeyExW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
ReportEventA
RegisterEventSourceA
DeregisterEventSource
RegDeleteTreeW
GetUserNameW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW

bcrypt

BCryptGenRandom

Exports

Exports

TLSDataStart

Sections

.text
Size: 5.0MB - Virtual size: 5.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6.8MB - Virtual size: 6.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 107KB - Virtual size: 254KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 213KB - Virtual size: 213KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

3e526cb750e198d67dd1068bbcd2911b

Headers

DLL Characteristics

File Characteristics

Imports

crypt32

gdiplus

shlwapi

wininet

kernel32

ws2_32

user32

gdi32

shell32

ole32

oleaut32

advapi32

bcrypt

Exports

Exports

Sections

.text Size: 5.0MB - Virtual size: 5.0MB

.rdata Size: 6.8MB - Virtual size: 6.8MB

.data Size: 107KB - Virtual size: 254KB

.rsrc Size: 512B - Virtual size: 436B

.reloc Size: 213KB - Virtual size: 213KB

.text
Size: 5.0MB - Virtual size: 5.0MB

.rdata
Size: 6.8MB - Virtual size: 6.8MB

.data
Size: 107KB - Virtual size: 254KB

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 213KB - Virtual size: 213KB