metastealer | 0a6546b2712cafa1a03913e648891dde74af6d86fad5302cdb85d3f37728884d

General

Target

DocuSign.zip.zip
Size

120.5MB
Sample

240805-vtmd6ssfql
MD5

bf3506acd9a8ef22fa58d5c06c76990b
SHA1

55835804a607eacedf5e6806f0910cc8566ff262
SHA256

0a6546b2712cafa1a03913e648891dde74af6d86fad5302cdb85d3f37728884d
SHA512

7f5fbff890c78fc688b6a9f85e61ebc0d6ffa41e1ef46de3fd1f94c9ca3f511edc777aa33ac8417557890a6f2036cdb9bd8d3833087edcbfc7705f6aa18d5079
SSDEEP

3145728:uVX23JeA49AtNOV810qQ2NQxREVfV389xSAjJWcWmA:gXHdXV8Kq4xIfa3ccWmA

Score

10^/10

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz

Attributes

dga_seed
21845
domain_length
16
num_dga_domains
10000
port
443

Targets

- Target
  
  DocuSign.vhd
- Size
  
  270.0MB
- MD5
  
  53ab0e1575f7785c7d4b774b3f70449b
- SHA1
  
  43dff693fa84f727ed70eecdb019beb103d07a19
- SHA256
  
  387e7dc9ff57715da374a9c768c67df9ce062d030f8417dbca0e7bb58d16f028
- SHA512
  
  f13e93fa7b148c9122a93eb417621a252728d5aa2318db243ec04c552b7a5979a6a18f1b277d25823299b3211d6c083a793590551300069c7b2454f7490a9bca
- SSDEEP
  
  3145728:nVlMuAqzL0BYuJ/i72qy+B1OJ3VAXpznEze5RM4vp2fpgoi:U1fKyZqyoMJwJc4B2fpG
Score

10^/10

metastealer credential_access discovery execution spyware stealer
- Meta Stealer
  Meta Stealer steals passwords stored in browsers, written in C++.
  stealer metastealer
- MetaStealer payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2
- Target
  
  1.Basic data partition.ntfs
- Size
  
  252.0MB
- MD5
  
  ae6a86bd06f3bc28cb2ef3be84359568
- SHA1
  
  3f8d84e7958a9b258aa2c1b73ba561f37f3259af
- SHA256
  
  cbd9c31cce21eb22043384d6f79cbd196a193c34e8c33cc8b91a22756d9abfb1
- SHA512
  
  715b07c3ed8a55d5e1744419547cd57dc05774b5fcd600d6a7b03533a1495c353d5847f7eef5456578340508ed2b2b32d4ce75941262ebca0e2ea7b460cbfddd
- SSDEEP
  
  3145728:zVlMuAqzL0BYuJ/i72qy+B1OJ3VAXpznEze5RM4vp2fpgoi6:41fKyZqyoMJwJc4B2fpG6
Score

3^/10

execution
behavioral3 behavioral4