TRAFFIC GENERATED AFTER ENABLING EXCEL MACRO:
– port 443 – https://github.com/michel15P/1/raw/main/notice.zip
– port 443 – https://raw.githubusercontent.com/michel15P/1/main/notice.zip
TRAFFIC GENERATED BY NOTICE.EXE
– port 80 – transfer.sh – GET /get/qT523D/Wlniornez_Dablvtrq.bmp
– port 443 – https://transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
– 193.106.191.162 port 1775 – 193.106.191.162:1775 – GET /avast_update
– 193.106.191.162 port 1775 – 193.106.191.162:1775 – GET /api/client/new
– 193.106.191.162 port 1775 – 193.106.191.162:1775 – POST /tasks/get_worker
ALERTS ON POST-INFECTION TRAFFIC TO 193.106.191.162 OVER TCP PORT 1775:
– ETPRO MALWARE Win32/MetaStealer Related Activity (GET) (sid:2851362)
– ETPRO MALWARE Win32/MetaStealer Related Activity (POST) (sid:2851363)
ASSOCIATED MALWARE:
– SHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e
– File size: 88,069 bytes
– File name: transfer_info2460.xls
– File description: Email attachment, Excel file with macro for malware
– SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc
– File size: 2,828 bytes
– File name: open.vbs
– File location: same directory as the Excel file
– File description: VBS file used to create persistent EXE
– SHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5
– File size: 417,512 bytes
– File location: https://raw.githubusercontent.com/michel15P/1/main/notice.zip
– File description: data binary retrieved by open.vbs and used to create the persistent EXE (below)
– SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d
– File size: 367,001,600 bytes
– File location: C:\Users\[username]\AppData\Local\Temp\notice.exe
– File location: C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe
– File description: Windows EXE persistent on the infected Windows host
– Note: This binary is appended with more than 366 MB of zero-byte filler
– Note: Persistent through “Shell” value at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
– SHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b
– File size: 143,400 bytes
– File description: Persistent malware notice.exe with most of the zero-byte filler removed
– SHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b
– File size: 716,288 bytes
– File location: https://transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
– File description: Retrieved by notice.exe, this binary is a Windows DLL file in reverse byte order
– SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87
– File size: 716,288 bytes
– File description: Windows DLL file created by reversing the byte order of the above binary
– File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
– Run method: run by notice.exe
– SHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89
– File size: 2,182,488 bytes
– File location: http://193.106.191.162:1775/avast_update
– File description: base64 text representing a Windows DLL file
– SHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738
– File size: 1,636,864 bytes
– File description: Windows DLL file converted from avast_update text
– File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
– Run method: unknown, run by notice.exe or the above DLL run by notice.exe
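Added example (my own triage helper, not part of the original post): a Python script that recognises the two payload encodings listed above, the byte-reversed DLL (Wlniornez_Dablvtrq.bmp) and the base64 text DLL (avast_update), by checking for a valid MZ/PE header in each form, and counts trailing zero filler of the kind appended to notice.exe. The sample PE header it is run against is constructed inline, and all function names are my own.

```python
import base64
import struct

PE_SIGNATURE = b"PE\x00\x00"

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE

def recover_pe(blob: bytes):
    """Return (encoding, pe_bytes) for raw, byte-reversed or base64 PE input,
    or (None, None) when no form yields a valid PE header."""
    if looks_like_pe(blob):
        return "raw", blob
    reversed_blob = blob[::-1]                     # Wlniornez_Dablvtrq.bmp case
    if looks_like_pe(reversed_blob):
        return "reversed", reversed_blob
    try:                                           # avast_update case: base64 text
        decoded = base64.b64decode(b"".join(blob.split()), validate=True)
    except ValueError:                             # binascii.Error is a ValueError
        decoded = b""
    if looks_like_pe(decoded):
        return "base64", decoded
    return None, None

def trailing_zero_filler(data: bytes) -> int:
    """Count trailing 0x00 bytes; hundreds of MB of them is the size-inflation
    trick seen on notice.exe, not real code."""
    return len(data) - len(data.rstrip(b"\x00"))

def build_sample_pe() -> bytes:
    """Constructed MZ/PE header stub for offline testing (not a real DLL)."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew: PE header follows
    return bytes(dos_header) + PE_SIGNATURE + b"\x4c\x01" + b"SECTIONDATA"

def demo_encodings() -> list:
    """Run the detector over the constructed sample in all three forms."""
    sample = build_sample_pe()
    blobs = [sample, sample[::-1], base64.b64encode(sample) + b"\n"]
    return [recover_pe(blob)[0] for blob in blobs]

if __name__ == "__main__":
    print(demo_encodings())  # ['raw', 'reversed', 'base64']
```

Point recover_pe() at the bytes of a retrieved file to get the usable DLL back for hashing and analysis; the zero-filler count is only a coarse size check, not a section-aware trim.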