metastealer | 9740f0236a376d9d566052f218de24c8a1f4f53cff3f7a3823cb8934a6a12a12 | Triage

Sharing

General

Target

SecuriteInfo.com.Gen.Variant.Lazy.649482.12413.22482.msi
Size

1.8MB
Sample

250218-zsrdys1kv2
MD5

ce10e9e6704cdf38666d71368b7c2a7c
SHA1

0e84f7ec7c280623b481cf68d6cfe1435fe2636f
SHA256

9740f0236a376d9d566052f218de24c8a1f4f53cff3f7a3823cb8934a6a12a12
SHA512

bd3a244f13595bfc1f21798544d13fa1e25f8a48b9b8a4813619bf045cf7ad652dfda9ba6d7819cfaa2d07c37b69bc02d275748da8ef6647c1ffd1a867cfa2ee
SSDEEP

24576:Jt9cpVDhUOAm/mtIxfjT9FqFc5pLG5rTkzwdQGEcQacj:+pRhImeteP9Fq+TLsgzwdB9Q5

Score

10^/10

metastealer discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

metastealer

C2

kagkimuoakomksww.xyz

cwikwiiisuyqymso.xyz

qgimwqowkmuicoos.xyz

kuueskmwqmwoocuq.xyz

eaeueussigokssqg.xyz

eoyqkgcyoesysssk.xyz

ocmmqamiyucswwik.xyz

eimemucysaammomg.xyz

iwomsoekyisuymws.xyz

mqykiccmwokeumes.xyz

iqqcgqqseysecuum.xyz

iqmoyikmqymsmcwm.xyz

aseuqoqgaueaymyo.xyz

wycuamkomemmigmy.xyz

ceiyeqaoscmsamim.xyz

skcqkaykccckqyam.xyz

kaycmqwocuyyuqyg.xyz

mqssyaeoeeucegqy.xyz

ywqamawcqumaqiyq.xyz

skscsegicyqikqww.xyz

Attributes

dga_seed
12914
domain_length
16
num_dga_domains
10000
port
443

Targets

- Target
  
  SecuriteInfo.com.Gen.Variant.Lazy.649482.12413.22482.msi
- Size
  
  1.8MB
- MD5
  
  ce10e9e6704cdf38666d71368b7c2a7c
- SHA1
  
  0e84f7ec7c280623b481cf68d6cfe1435fe2636f
- SHA256
  
  9740f0236a376d9d566052f218de24c8a1f4f53cff3f7a3823cb8934a6a12a12
- SHA512
  
  bd3a244f13595bfc1f21798544d13fa1e25f8a48b9b8a4813619bf045cf7ad652dfda9ba6d7819cfaa2d07c37b69bc02d275748da8ef6647c1ffd1a867cfa2ee
- SSDEEP
  
  24576:Jt9cpVDhUOAm/mtIxfjT9FqFc5pLG5rTkzwdQGEcQacj:+pRhImeteP9Fq+TLsgzwdB9Q5
Score

10^/10

metastealer discovery execution persistence privilege_escalation spyware stealer
- Meta Stealer
  Meta Stealer steals passwords stored in browsers, written in C++.
  stealer metastealer
- MetaStealer payload
- Metastealer family
  metastealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

File and Directory Permissions Modification

System Binary Proxy Execution

Msiexec

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

metastealerdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

behavioral2

metastealerdiscoveryexecutionpersistenceprivilege_escalationspywarestealer