Windows MetaStealer Malware
TRAFFIC GENERATED AFTER ENALBING EXCEL MACRO: – port 443 – https://github.com/michel15P/1/raw/main/notice.zip
– port 443 – https://raw.githubusercontent.com/michel15P/1/main/notice.zip TRAFFIC GENERATED BY NOTICE.EXE – port 80 – transfer.sh – GET /get/qT523D/Wlniornez_Dablvtrq.bmp
– port 443 – https://transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
– 193.106.191.162 port 1775 – 193.106.191.162:1775 – GET /avast_update
– 193.106.191.162 port 1775 – 193.106.191.162:1775 – GET /api/client/new
– 193.106.191.162 port 1775 – 193.106.191.162:1775 – POST /tasks/get_worker ALERTS ON POST-INFECTION TRAFFIC TO 193.106.191.162 OVER TCP PORT 1775: – ETPRO MALWARE Win32/MetaStealer Related Activity (GET) (sid:2851362)
– ETPRO MALWARE Win32/MetaStealer Related Activity (POST) (sid:2851363) ASSOCIATED MALWARE: – SHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e
– File size: 88,069 bytes
– File name: transfer_info2460.xls
– File description: Email attachment, Excel file with macro for malware – SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc
– File size: 2,828 bytes
– File name: open.vbs
– File location: same directory as the Excel file
– File description: VBS file used to create persistent EXE – SHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5
– File size: 417,512 bytes
– File location: https://raw.githubusercontent.com/michel15P/1/main/notice.zip
– File description: data binary retrieved by open.vbs and used to persistent EXE (below) – SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d
– File size: 367,001,600 bytes
– File location: C:Users[username]AppDataLocalTempnotice.exe
– File location: C:Users[username]AppDataRoamingqwveqwveqw.exe
– File description: Windows EXE persistent on the infected Windows host
– Note: This binary is appended with more than 366 MB of zero-byte filler
– Note: Persistent through “Shell” value at HKCUSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon – SHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b
– File size: 143,400 bytes
– File description: Persistent malware notice.exe with most of the zero-byte filler removed – SHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b
– File size: 716,288 bytes
– File location: https://transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
– File description: Retrieved by notice.exe, this binary is a Windows DLL file in reverse byte order – SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87
– File size: 716,288 bytes
– File description: Windows DLL file created by reserving the above binary
– File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
– Run method: run by notice.exe – SHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89
– File size: 2,182,488 bytes
– File location: http://193.106.191.162:1775/avast_update
– File description: base64 text representing a Windows DLL file – SHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738
– File size: 1,636,864 bytes
– File description: Windows DLL file converted from avast_update text
– File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
– Run method: unknown, run by notice.exe or the above DLL run by notice.exe
Featured Resources
Subscribe to Our Blog
Subscribe now to get the latest insights, expert tips and updates on threat exposure validation.
Subscribe