2023-04-13-IOCs-for-MetaStealer-infection.txt
2023-04-13 (THURSDAY): ONENOTE FILE LEADS TO METASTEALER INFECTION

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1646934179043594240

NOTES:

- More information on MetaStealer at: https://isc.sans.edu/diary/Windows+MetaStealer+Malware/28522

CHAIN OF EVENTS:

- Docusign-themed email --> link --> redirect to Github URL --> downloaded OneNote File --> embedded MSI file --> post-infection traffic

SOME HEADERS FROM THE EMAIL:

- Received: from mail.almassa.site (mail.almassa.site [109.248.42.11])
- From: DocuSign Support <[email protected]>
- Subject: Listed here are the docs available for you to approve from DocuSign.
- Date: Thu, 13 Apr 2023 07:55:26 -0700

PATH TO THE ONENOTE DOWNLOAD:

- Link from email: hxxps://kvckz.engineercoin.xyz/
- Redirects to: hxxps://github.com/Gufgh/1/raw/main/review.one

ASSOCIATED MALWARE:

- SHA256 hash: 96f8bda7e072baf4a55e1c3557f6d79d30a7eb5432294019536e28cfa07cce82
- File size: 6,607,352 bytes
- File location: hxxps://github.com/Gufgh/1/raw/main/review.one
- File name: review.one
- File description: OneNote document downloaded from link in the email

- SHA256 hash: 4b35a2e57b7f2b3eca1ddb2c2ebc678af68f7046e06bcf3e3b389f95ea6d7f14
- File size: 3,076,096 bytes
- File name: install.msi
- File description: MSI file embedded in above OneNote document

- SHA256 hash: ad60bcf7cb8d60e1e06293f8a2088b307fbc1812e9cf3ba18a327891785b51c8
- File size: 2,765,504 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\MW-12a50927-3080-44dc-a864-e68fe2a29c61\files.cab
- File description: .cab file containing inflated MetaStealer EXE

- SHA256 hash: 30bceaa1fd47a886187a1c0df4e60a2100c45035fdec021cd49ab65caf28c938
- File size: 2,765,504 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\MW-12a50927-3080-44dc-a864-e68fe2a29c61\msiwrapper.ini

- SHA256 hash: f55ebf82f6d99ed95df3e5c0afd9a9978056fac37620c53f78722b50fde53a3e
- File size: 367,001,600 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\MW-12a50927-3080-44dc-a864-e68fe2a29c61\files\install.exe
- File description: MetaStealer EXE, inflated with null-byte padding

- SHA256 hash: 3dbf4ebef9eda13a62a38602ead57eed49028f593abc344a88240c0c5236d8c7
- File size: 3,112,560 bytes
- File description: MetaStealer EXE with most of the null-byte padding removed

EXAMPLE OF MSIWRAPPER.INI TEXT:

W r a p p e d A p p l i c a t i o n I d = G o o g l e C h r o m e
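Two of the artifacts above need a little handling before they can be triaged: the 367 MB install.exe is inflated with trailing null bytes (a common trick to push a file past sandbox and AV size limits), and the msiwrapper.ini text shows a space between every character because the file is stored as UTF-16LE and the null bytes render as gaps. The following is an added helper, not part of the original IOC list, that strips a long trailing null run so the real payload can be hashed and submitted, and decodes the UTF-16 ini into key/value pairs. It runs on constructed sample bytes; the real file names, the padding threshold and the ini layout are assumptions, and because legitimate PE sections are themselves zero-padded, trimming will not reproduce the page's 3dbf... hash exactly (which is why the page says "most of" the padding was removed).

```python
import hashlib

# Constructed sample standing in for the inflated install.exe: a short
# fake body followed by 100,000 null bytes. Not the real malware.
SAMPLE_BODY = b"MZ" + bytes(range(256)) * 4 + b"\x00\x00end-of-real-content"
SAMPLE_INFLATED = SAMPLE_BODY + b"\x00" * 100_000

# Constructed sample of msiwrapper.ini as it sits on disk (UTF-16LE text).
# The section header is illustrative only; the real file's layout is assumed.
SAMPLE_INI = "[Wrapper]\r\nWrappedApplicationId=Google Chrome\r\n".encode("utf-16-le")


def sha256_hex(data: bytes) -> str:
    """SHA256 of a byte string, in the same hex form used in the IOC list."""
    return hashlib.sha256(data).hexdigest()


def strip_null_padding(data: bytes, min_run: int = 4096) -> tuple[bytes, int]:
    """Remove a trailing run of null bytes if it is at least min_run long.

    Returns (trimmed_bytes, bytes_removed). A short trailing null run is left
    alone because real PE files are routinely zero-padded to their section
    alignment; only a long run is treated as inflation. The 4096 default is
    an assumed threshold, not a value from the page.
    """
    stripped = data.rstrip(b"\x00")
    removed = len(data) - len(stripped)
    if removed < min_run:
        return data, 0
    return stripped, removed


def padding_ratio(data: bytes) -> float:
    """Fraction (0.0 - 1.0) of the file that is trailing null padding.

    A ratio close to 1.0 on a very large executable is a cheap triage signal
    that the file has been inflated.
    """
    if not data:
        return 0.0
    _, removed = strip_null_padding(data, min_run=1)
    return removed / len(data)


def decode_utf16_ini(raw: bytes) -> dict[str, str]:
    """Parse key=value lines from a UTF-16LE ini file into a dict.

    Decoding as UTF-16LE turns "W r a p p e d ..." back into "Wrapped...".
    Section headers and comment lines are skipped.
    """
    text = raw.decode("utf-16-le", errors="replace")
    result: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("[", ";")):
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


if __name__ == "__main__":
    trimmed, removed = strip_null_padding(SAMPLE_INFLATED)
    print(f"inflated size {len(SAMPLE_INFLATED)}, removed {removed} null bytes")
    print(f"padding ratio {padding_ratio(SAMPLE_INFLATED):.3f}")
    print(f"sha256 inflated: {sha256_hex(SAMPLE_INFLATED)}")
    print(f"sha256 trimmed:  {sha256_hex(trimmed)}")
    print(decode_utf16_ini(SAMPLE_INI))
```

On a real sample, hash both the inflated file and the trimmed output and record both, as the IOC list above does: the inflated hash is what appears on disk and in proxy logs, while the trimmed hash is what other analysts are likely to have submitted to sandboxes and shared threat-intel platforms.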