General

  • Target

    Agreement_eSign.lnk

  • Size

    3KB

  • Sample

    241224-vv5xxasreq

  • MD5

    1e98bde2c12668b383a15f66d71f6d0c

  • SHA1

    b0a96f44ca8109492285657118f35551c3266794

  • SHA256

    1703be0db351262d9a327e98aa9df4fd33ff58b41c7ea0c7eb4587853e2cca0f

  • SHA512

    fa30834bbd5711a7d1a454b427a1d314697dbef43adaf87ec32c54500c414af16df91ef2d462a2aa9f384a069b2bfb76f7a81c7a8726132f39fb211976caa17a

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz

Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Targets

    • Target

      Agreement_eSign.lnk

    • Size

      3KB

    • MD5

      1e98bde2c12668b383a15f66d71f6d0c

    • SHA1

      b0a96f44ca8109492285657118f35551c3266794

    • SHA256

      1703be0db351262d9a327e98aa9df4fd33ff58b41c7ea0c7eb4587853e2cca0f

    • SHA512

      fa30834bbd5711a7d1a454b427a1d314697dbef43adaf87ec32c54500c414af16df91ef2d462a2aa9f384a069b2bfb76f7a81c7a8726132f39fb211976caa17a

    • Meta Stealer

      Meta Stealer steals passwords stored in browsers, written in C++.

    • MetaStealer payload

    • Metastealer family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks