win.metastealer (Back to overview)

MetaStealer


On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD 125 per month or USD 1,000 for unlimited use. The actor claimed it had the same functionality, code, and panel as the RedLine stealer, but with several improvements.

References
2023-05-09 | Medium walmartglobaltech | Jason Reaves, Joshua Platt, Jonathan Mccay
@online{reaves:20230509:metastealer:11ef397, author = {Jason Reaves and Joshua Platt and Jonathan Mccay}, title = {{MetaStealer string decryption and DGA overview}}, date = {2023-05-09}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/metastealer-string-decryption-and-dga-overview-5f38f76830cd}, language = {English}, urldate = {2023-05-11} } MetaStealer string decryption and DGA overview
MetaStealer
2022-12-05 | Accenture | Paul Mansfield, Thomas Willkan
@online{mansfield:20221205:popularity:9c1ed9c, author = {Paul Mansfield and Thomas Willkan}, title = {{Popularity spikes for information stealer malware on the dark web}}, date = {2022-12-05}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web}, language = {English}, urldate = {2023-04-28} } Popularity spikes for information stealer malware on the dark web
MetaStealer Rhadamanthys
2022-08-29 | Sekoia | Threat & Detection Research Team
@online{team:20220829:traffers:8b7930b, author = {Threat & Detection Research Team}, title = {{Traffers: a deep dive into the information stealer ecosystem}}, date = {2022-08-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem}, language = {English}, urldate = {2022-08-31} } Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-07-13 | KELA | KELA Cyber Intelligence Center
@online{center:20220713:next:b2e43e4, author = {KELA Cyber Intelligence Center}, title = {{The Next Generation of Info Stealers}}, date = {2022-07-13}, organization = {KELA}, url = {https://ke-la.com/information-stealers-a-new-landscape/}, language = {English}, urldate = {2022-07-18} } The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-05-20 | nccgroup | Peter Gurney
@online{gurney:20220520:metastealer:d3c2f0e, author = {Peter Gurney}, title = {{Metastealer – filling the Racoon void}}, date = {2022-05-20}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/}, language = {English}, urldate = {2023-01-31} } Metastealer – filling the Racoon void
MetaStealer
2022-04-06 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220406:windows:3802dbd, author = {Brad Duncan}, title = {{Windows MetaStealer Malware}}, date = {2022-04-06}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/}, language = {English}, urldate = {2022-05-05} } Windows MetaStealer Malware
MetaStealer
Yara Rules
[TLP:WHITE] win_metastealer_auto (20230715 | Detects win.metastealer.)
rule win_metastealer_auto {
    /* Auto-generated code-sequence rule for win.metastealer (see DISCLAIMER below).
     * Each $sequence_N is a 7-instruction byte pattern taken from unpacked samples.
     * "????????" wildcards the 4-byte operand of instructions whose operand is an
     * address rather than opcode bytes (call rel32 = e8, movss xmm0 from an absolute
     * address = f30f1005), which is why their disassembly column is left blank.
     * The "n = ..., score = ..." comments under each string are yara-signator
     * metadata only; YARA does not evaluate them.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.metastealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // SSE single-precision loads from absolute addresses (operands wildcarded)
        // interleaved with stores to the local frame.
        $sequence_0 = { f30f1005???????? f30f1145cc f30f1005???????? eb2f f30f1005???????? f30f1145c4 f30f1005???????? }
            // n = 7, score = 200
            //   f30f1005????????     |                     
            //   f30f1145cc           | movss               dword ptr [ebp - 0x34], xmm0
            //   f30f1005????????     |                     
            //   eb2f                 | jmp                 0x31
            //   f30f1005????????     |                     
            //   f30f1145c4           | movss               dword ptr [ebp - 0x3c], xmm0
            //   f30f1005????????     |                     

        // Fully concrete SSE2 integer-to-double conversion sequence (no wildcards).
        $sequence_1 = { f30f7ec8 0f57c0 660f61c8 f30fe6c1 660f73d908 660f59c2 660f58c3 }
            // n = 7, score = 200
            //   f30f7ec8             | movq                xmm1, xmm0
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f61c8             | punpcklwd           xmm1, xmm0
            //   f30fe6c1             | cvtdq2pd            xmm0, xmm1
            //   660f73d908           | psrldq              xmm1, 8
            //   660f59c2             | mulpd               xmm0, xmm2
            //   660f58c3             | addpd               xmm0, xmm3

        $sequence_2 = { ffd0 3b4510 7559 85d2 7555 90 85f6 }
            // n = 7, score = 200
            //   ffd0                 | call                eax
            //   3b4510               | cmp                 eax, dword ptr [ebp + 0x10]
            //   7559                 | jne                 0x5b
            //   85d2                 | test                edx, edx
            //   7555                 | jne                 0x57
            //   90                   | nop                 
            //   85f6                 | test                esi, esi

        $sequence_3 = { ff510c 8bf0 85f6 0f850e010000 895dfc 8b45f8 8d55e8 }
            // n = 7, score = 200
            //   ff510c               | call                dword ptr [ecx + 0xc]
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   0f850e010000         | jne                 0x114
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8d55e8               | lea                 edx, [ebp - 0x18]

        $sequence_4 = { f7e2 03c1 8b4df8 83d200 8955fc 8b5710 23d0 }
            // n = 7, score = 200
            //   f7e2                 | mul                 edx
            //   03c1                 | add                 eax, ecx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83d200               | adc                 edx, 0
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b5710               | mov                 edx, dword ptr [edi + 0x10]
            //   23d0                 | and                 edx, eax

        $sequence_5 = { eb29 85ff 7825 33c0 894508 0f1f8000000000 99 }
            // n = 7, score = 200
            //   eb29                 | jmp                 0x2b
            //   85ff                 | test                edi, edi
            //   7825                 | js                  0x27
            //   33c0                 | xor                 eax, eax
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   99                   | cdq                 

        $sequence_6 = { e8???????? 0bc2 7410 c745f801000000 c745fc00000000 eb08 0f57c0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   0bc2                 | or                  eax, edx
            //   7410                 | je                  0x12
            //   c745f801000000       | mov                 dword ptr [ebp - 8], 1
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   eb08                 | jmp                 0xa
            //   0f57c0               | xorps               xmm0, xmm0

        // Function epilogue/prologue boundary (ret 8 followed by push ebp / mov ebp, esp).
        $sequence_7 = { c20800 55 8bec 56 57 8bf9 8d4f70 }
            // n = 7, score = 200
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   8d4f70               | lea                 ecx, [edi + 0x70]

        $sequence_8 = { eb17 50 51 e8???????? 83c410 895dec 56 }
            // n = 7, score = 200
            //   eb17                 | jmp                 0x19
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   56                   | push                esi

        $sequence_9 = { f20f110424 50 8d45a0 50 e8???????? 83c410 c645fc00 }
            // n = 7, score = 200
            //   f20f110424           | movsd               qword ptr [esp], xmm0
            //   50                   | push                eax
            //   8d45a0               | lea                 eax, [ebp - 0x60]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0

    condition:
        // Any 7 of the 10 sequences must be present, so a sample may lack up to
        // three of them and still match. The size bound (~25 MiB) uses filesize,
        // which YARA only defines when scanning a file; on process-memory scans the
        // comparison is undefined and the rule is not expected to fire there.
        7 of them and filesize < 26230784
}
[TLP:WHITE] win_metastealer_w0   (20230131 | MetaStealer Memory)
rule win_metastealer_w0 {
    /* Memory rule for MetaStealer (meta.description). Any two of the three
     * $str_ patterns on an MZ-headed buffer are sufficient, so no single
     * build-specific artifact (such as the hard-coded filename) matches on its own.
     */
    meta:
        description = "MetaStealer Memory"
        author = "Peter Gurney"
        date = "2022-04-29"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer"
        malpedia_rule_date = "20230119"
        malpedia_hash = ""
        malpedia_version = "20230131"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Concrete code fragment: appears to decode to mov eax, 0x55555556; imul
        // dword ptr [ebp-0x3c]; ... ; lea eax, [eax+eax*2]; sub eax, [ebp-0x3c],
        // i.e. a compiler's signed divide/modulo-by-3 idiom. The "c2_parse" role is
        // the author's label and cannot be confirmed from the bytes alone.
        $str_c2_parse = {B8 56 55 55 55 F7 6D C4 8B C2 C1 E8 1F 03 C2 8B 55 C0 8D 04 40 2B 45 C4}
        // Hard-coded command-line fragment, matched as UTF-16LE whole word only.
        // NOTE(review): a literal filename is the most build-specific of the three
        // strings — confirm it is still present in current samples.
        $str_filename = ".xyz -newname hyper-v.exe" fullword wide
        // Four mov dword ptr [ebp+disp32], imm32 stores (C7 85 ...) followed by a
        // pxor xmm (66 0F EF): a stack-string construction pattern with the
        // displacements and immediates wildcarded.
        $str_stackstring = {FF FF FF C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF}
    condition:
        // "MZ" at offset 0 (little-endian 0x5a4d) plus any 2 of the 3 strings.
        uint16(0) == 0x5a4d and
        2 of ($str_*)
}