metastealer | aaf2fa68b8c0a8ad0a24c93033f50fdbbfb48303bef53383533291f2ab738038 | Triage

Sharing

General

Target

aaf2fa68b8c0a8ad0a24c93033f50fdbbfb48303bef53383533291f2ab738038
Size

2.1MB
Sample

241213-ncm6tawphy
MD5

74d7bbdf21ead237327f07f5296d4e8d
SHA1

1ad74ce06e60835730fc5ebddb75661ab01a6d6a
SHA256

aaf2fa68b8c0a8ad0a24c93033f50fdbbfb48303bef53383533291f2ab738038
SHA512

b622ded868b24ef8b096242e0f253af4d8e4cf598d495b6cc2b6426ef3f9dc3cb3c5b7209310c3f1c0c19f4727f1d7d6eab136f1b169756fcf20e3cb26ef23ec
SSDEEP

49152:sneA4p84q2WD4WkfFSJNWA6uq4CJ3GJEmNrmqu6Yx1CPwDv3uFfJ7:LlqLU3kCJ6ly1CPwDv3uFfJ7

Score

10^/10

metastealer discovery execution spyware stealer

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz

Attributes

dga_seed
21845
domain_length
16
num_dga_domains
10000
port
443

Targets

- Target
  
  aaf2fa68b8c0a8ad0a24c93033f50fdbbfb48303bef53383533291f2ab738038
- Size
  
  2.1MB
- MD5
  
  74d7bbdf21ead237327f07f5296d4e8d
- SHA1
  
  1ad74ce06e60835730fc5ebddb75661ab01a6d6a
- SHA256
  
  aaf2fa68b8c0a8ad0a24c93033f50fdbbfb48303bef53383533291f2ab738038
- SHA512
  
  b622ded868b24ef8b096242e0f253af4d8e4cf598d495b6cc2b6426ef3f9dc3cb3c5b7209310c3f1c0c19f4727f1d7d6eab136f1b169756fcf20e3cb26ef23ec
- SSDEEP
  
  49152:sneA4p84q2WD4WkfFSJNWA6uq4CJ3GJEmNrmqu6Yx1CPwDv3uFfJ7:LlqLU3kCJ6ly1CPwDv3uFfJ7
Score

10^/10

metastealer discovery execution spyware stealer
- Meta Stealer
  Meta Stealer steals passwords stored in browsers, written in C++.
  stealer metastealer
- MetaStealer payload
- Metastealer family
  metastealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

metastealerdiscoveryexecutionspywarestealer

behavioral2

metastealerdiscoveryexecutionspywarestealer