metastealer | 4d546e62bbd229511c831727642afcd28009f3d293a4e13ea03252abe29ff1b5

Resubmissions

15-01-2025 22:48

250115-2rgjgazlen 3

29-02-2024 16:02

240229-tgwlmsdg71 10

Analysis

max time kernel
90s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-02-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sig.exe
Size

1.5MB
MD5

c68c16589a1c06e534aa7a29ed4fe1aa
SHA1

4fdee6b3c80029bd9e64d03a05503b9427844582
SHA256

4d546e62bbd229511c831727642afcd28009f3d293a4e13ea03252abe29ff1b5
SHA512

28f9954fb56bb3d2637ae3a4547b8f1b7a5e335f51265b4845a59b143d1904c303dd5e35d6d6bfeb528e92ad9d85e624b6a9d50789a7b673eb670d8fdcc365aa
SSDEEP

24576:ihgVrnoHu/QSDTV+Bnvu8tOvkTyuhOOPZ1afVyH0VsQ4OttT0:iWhoONVnkTyugmZELsMp0

Score

10^/10

metastealer spyware stealer

Malware Config

Signatures

Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

MetaStealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/1936-16-0x0000000010000000-0x000000001072D000-memory.dmp	family_metastealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4900 set thread context of 1936	4900	Sig.exe	80

Program crash 1 IoCs

pid	pid_target	Process	procid_target
740	4900	WerFault.exe	78

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2364	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	Sig.exe
1936	Sig.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1936	4900	Sig.exe	80
PID 4900 wrote to memory of 1936	4900	Sig.exe	80
PID 4900 wrote to memory of 1936	4900	Sig.exe	80
PID 4900 wrote to memory of 1936	4900	Sig.exe	80
PID 4900 wrote to memory of 1936	4900	Sig.exe	80
PID 1936 wrote to memory of 2364	1936	Sig.exe	84
PID 1936 wrote to memory of 2364	1936	Sig.exe	84
PID 1936 wrote to memory of 2364	1936	Sig.exe	84

C:\Users\Admin\AppData\Local\Temp\Sig.exe
"C:\Users\Admin\AppData\Local\Temp\Sig.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\Sig.exe
  "C:\Users\Admin\AppData\Local\Temp\Sig.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 544
  2⤵
  - Program crash
  PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-10-0x0000000000580000-0x00000000005F9000-memory.dmp

Filesize
484KB

Download
memory/1936-28-0x0000000000580000-0x00000000005F9000-memory.dmp

Filesize
484KB

Download
memory/1936-16-0x0000000010000000-0x000000001072D000-memory.dmp

Filesize
7.2MB

Download
memory/1936-13-0x0000000000580000-0x00000000005F9000-memory.dmp

Filesize
484KB

Download
memory/1936-11-0x0000000000580000-0x00000000005F9000-memory.dmp

Filesize
484KB

Download
memory/1936-9-0x0000000000580000-0x00000000005F9000-memory.dmp

Filesize
484KB

Download
memory/1936-7-0x0000000000580000-0x00000000005F9000-memory.dmp

Filesize
484KB

Download
memory/4900-5-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4900-8-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4900-6-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4900-12-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4900-0-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4900-1-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4900-2-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download