metastealer | 7d907d9d7f607508f3786b142d4572be9294f4c33f234d546fda6037564cbf0e | Triage

Sharing

General

Target

7d907d9d7f607508f3786b142d4572be9294f4c33f234d546fda6037564cbf0e.msi
Size

2.0MB
Sample

250127-eyqdma1rgp
MD5

0cc2fa779d757287fbc75c72fa82350f
SHA1

3bfe4a489d2d709dc9d03aba8696e39eeb7bbc24
SHA256

7d907d9d7f607508f3786b142d4572be9294f4c33f234d546fda6037564cbf0e
SHA512

b6daf164ce8779896fa78d2a79ea017a94e4212e485f6d80e8a16790fc3bcbf12a561a8fe5fd2aea9c20dd8ecb9afd89d7a84721536dd2b01f9d94ac6d6270a8
SSDEEP

24576:Bt9cpVDhR6flamhHegS/JZBTd59I5EoE/HXnI9sbqU4XA:2pRhwdayegS3sW7qo

Score

10^/10

metastealer discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz

Attributes

dga_seed
21845
domain_length
16
num_dga_domains
10000
port
443

Targets

- Target
  
  7d907d9d7f607508f3786b142d4572be9294f4c33f234d546fda6037564cbf0e.msi
- Size
  
  2.0MB
- MD5
  
  0cc2fa779d757287fbc75c72fa82350f
- SHA1
  
  3bfe4a489d2d709dc9d03aba8696e39eeb7bbc24
- SHA256
  
  7d907d9d7f607508f3786b142d4572be9294f4c33f234d546fda6037564cbf0e
- SHA512
  
  b6daf164ce8779896fa78d2a79ea017a94e4212e485f6d80e8a16790fc3bcbf12a561a8fe5fd2aea9c20dd8ecb9afd89d7a84721536dd2b01f9d94ac6d6270a8
- SSDEEP
  
  24576:Bt9cpVDhR6flamhHegS/JZBTd59I5EoE/HXnI9sbqU4XA:2pRhwdayegS3sW7qo
Score

10^/10

metastealer discovery execution persistence privilege_escalation spyware stealer
- Meta Stealer
  Meta Stealer steals passwords stored in browsers, written in C++.
  stealer metastealer
- MetaStealer payload
- Metastealer family
  metastealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

File and Directory Permissions Modification

System Binary Proxy Execution

Msiexec

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

metastealerdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

behavioral2

metastealerdiscoveryexecutionpersistenceprivilege_escalationspywarestealer