win.metastealer

MetaStealer

Actor(s): UNC5537


On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.

References

2025-08-28 | Defentive | Defentive Threat Research
    The Phantom Threat: Inside UNC5518’s Invisible Empire of MetaStealer Operations
    Tags: MetaStealer

2024-06-10 | Mandiant | Mandiant
    UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
    Tags: Lumma Stealer, MetaStealer, Raccoon, RedLine Stealer, RisePro, Vidar, UNC5537

2023-12-28 | Russian Panda Research Blog | RussianPanda
    MetaStealer Part 2, Google Cookie Refresher Madness and Stealer Drama
    Tags: MetaStealer

2023-12-08 | Medium g0njxa | g0njxa
    Approaching stealers devs : a brief interview with Meta
    Tags: MetaStealer

2023-11-20 | Russian Panda Research Blog | RussianPanda
    MetaStealer - Redline's Doppelgänger
    Tags: MetaStealer, RedLine Stealer

2023-05-11 | OALabs | OALabs
    Metastealer | DGAs and obfuscation as malware goes meta
    Tags: MetaStealer

2023-05-09 | Medium walmartglobaltech | Jason Reaves, Jonathan Mccay, Joshua Platt
    MetaStealer string decryption and DGA overview
    Tags: MetaStealer

2022-12-05 | Accenture | Paul Mansfield, Thomas Willkan
    Popularity spikes for information stealer malware on the dark web
    Tags: MetaStealer, Rhadamanthys

2022-08-29 | Sekoia | Livia Tibirna, Quentin Bourgue, Threat & Detection Research Team
    Traffers: a deep dive into the information stealer ecosystem
    Tags: MetaStealer, PrivateLoader, Raccoon, RedLine Stealer, Vidar

2022-07-13 | KELA | KELA Cyber Intelligence Center
    The Next Generation of Info Stealers
    Tags: Arkei Stealer, Azorult, BlackGuard, Eternity Stealer, Ginzo Stealer, Mars Stealer, MetaStealer, Raccoon, RedLine Stealer, Vidar

2022-05-20 | nccgroup | Peter Gurney
    Metastealer – filling the Racoon void
    Tags: MetaStealer

2022-04-06 | InfoSec Handlers Diary Blog | Brad Duncan
    Windows MetaStealer Malware
    Tags: MetaStealer
Yara Rules
[TLP:WHITE] win_metastealer_auto (20260504 | Detects win.metastealer.)
rule win_metastealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.metastealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff74c120 ff7514 e8???????? 83c410 eb32 50 53 }
            // n = 7, score = 300
            //   ff74c120             | push                dword ptr [ecx + eax*8 + 0x20]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   eb32                 | jmp                 0x34
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_1 = { ff710c 68???????? 50 e8???????? 8b16 83c424 8b4208 }
            // n = 7, score = 300
            //   ff710c               | push                dword ptr [ecx + 0xc]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   83c424               | add                 esp, 0x24
            //   8b4208               | mov                 eax, dword ptr [edx + 8]

        $sequence_2 = { f7d9 51 50 e8???????? 83c408 c640ff2d 48 }
            // n = 7, score = 300
            //   f7d9                 | neg                 ecx
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c640ff2d             | mov                 byte ptr [eax - 1], 0x2d
            //   48                   | dec                 eax

        $sequence_3 = { e8???????? 8bc8 0fb6d1 c1f908 898d88f6ffff 85d2 0f84b0000000 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   0fb6d1               | movzx               edx, cl
            //   c1f908               | sar                 ecx, 8
            //   898d88f6ffff         | mov                 dword ptr [ebp - 0x978], ecx
            //   85d2                 | test                edx, edx
            //   0f84b0000000         | je                  0xb6

        $sequence_4 = { e8???????? 837e1410 8bc6 7202 8b06 6a00 6a00 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   8bc6                 | mov                 eax, esi
            //   7202                 | jb                  4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_5 = { f7d8 3bd0 737c 8d42ff 33d2 03c6 f7f6 }
            // n = 7, score = 300
            //   f7d8                 | neg                 eax
            //   3bd0                 | cmp                 edx, eax
            //   737c                 | jae                 0x7e
            //   8d42ff               | lea                 eax, [edx - 1]
            //   33d2                 | xor                 edx, edx
            //   03c6                 | add                 eax, esi
            //   f7f6                 | div                 esi

        $sequence_6 = { ffb52ceeffff 50 8d8560ffffff 50 ff9510eeffff 83c41c c645fc0a }
            // n = 7, score = 300
            //   ffb52ceeffff         | push                dword ptr [ebp - 0x11d4]
            //   50                   | push                eax
            //   8d8560ffffff         | lea                 eax, [ebp - 0xa0]
            //   50                   | push                eax
            //   ff9510eeffff         | call                dword ptr [ebp - 0x11f0]
            //   83c41c               | add                 esp, 0x1c
            //   c645fc0a             | mov                 byte ptr [ebp - 4], 0xa

        $sequence_7 = { f7470c00040000 740b 8b9f80020000 895d08 eb0e 57 e8???????? }
            // n = 7, score = 300
            //   f7470c00040000       | test                dword ptr [edi + 0xc], 0x400
            //   740b                 | je                  0xd
            //   8b9f80020000         | mov                 ebx, dword ptr [edi + 0x280]
            //   895d08               | mov                 dword ptr [ebp + 8], ebx
            //   eb0e                 | jmp                 0x10
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_8 = { ffb568ffffff 6a00 8b08 50 ff5114 8b4f24 8d573c }
            // n = 7, score = 300
            //   ffb568ffffff         | push                dword ptr [ebp - 0x98]
            //   6a00                 | push                0
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax
            //   ff5114               | call                dword ptr [ecx + 0x14]
            //   8b4f24               | mov                 ecx, dword ptr [edi + 0x24]
            //   8d573c               | lea                 edx, [edi + 0x3c]

        $sequence_9 = { ff7010 52 e8???????? 8d4358 8d4f58 3bc8 7413 }
            // n = 7, score = 300
            //   ff7010               | push                dword ptr [eax + 0x10]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8d4358               | lea                 eax, [ebx + 0x58]
            //   8d4f58               | lea                 ecx, [edi + 0x58]
            //   3bc8                 | cmp                 ecx, eax
            //   7413                 | je                  0x15

    condition:
        7 of them and filesize < 26230784
}
[TLP:WHITE] win_metastealer_w0 (20230131 | MetaStealer Memory)
rule win_metastealer_w0 {
    meta:
        description = "MetaStealer Memory"
        author = "Peter Gurney"
        date = "2022-04-29"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer"
        malpedia_rule_date = "20230119"
        malpedia_hash = ""
        malpedia_version = "20230131"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str_c2_parse = {B8 56 55 55 55 F7 6D C4 8B C2 C1 E8 1F 03 C2 8B 55 C0 8D 04 40 2B 45 C4}
        $str_filename = ".xyz -newname hyper-v.exe" fullword wide
        $str_stackstring = {FF FF FF C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF}
    condition:
        uint16(0) == 0x5a4d and
        2 of ($str_*)
}