MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MetaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df
SHA3-384 hash: bb40855e4f0584f13c961a54fa931b1d3758cb840ca54dbf84f2bb4eb69cf111dbeeb7e4ffafa5f501fd566ba66408b9
SHA1 hash: b4befefba8a0c82bcfeb398313fa010efa258d91
MD5 hash: 8643394f91138d207dda09b2c98ed18e
humanhash: foxtrot-coffee-bravo-arkansas
File name:file
Download: download sample
Signature MetaStealer
Create hunting rule
File size:679'424 bytes
First seen:2024-09-09 17:58:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:79nyeYC74B+fbnFje8RRHSlSuKcB5mAwlBN/AqrR0ah4eSs1k2s5YqK7:79yeJ4yn2BKcbwlBN4qlyeSsQY9
Threatray 11 similar samples on MalwareBazaar
TLSH T156E429166621D4ACE0F813F1E34743646B75CC246252C63AAE99370DE97B3D9988BF0F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon e8d2aecd4f8b8ee4 (2 x Stealc, 1 x MetaStealer)
Reporter Bitsight
Tags:exe metastealer


Avatar
Bitsight
url: http://147.45.44.104/prog/66dd9bbd1c1b9_w2.exe#ww2metakis

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-09 18:01:10 UTC
Tags:
stealer metastealer
Link:
https://app.any.run/tasks/66273a9a-9fa4-4ecd-b07f-2c19578efff2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.38313.26064.16338.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66df376876bc4542b049483b
Tags:
Generic Infostealer Redline
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Creating a file
Stealing user critical data
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
net_reactor overlay packed redline redline
Link:
https://www.filescan.io/uploads/66df37674a2597249d52e5b3/reports/948e131e-e520-48bc-bf2e-7f4cb3a7f696/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Kuhaname
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ce35ae5-1947-478c-bb71-cd0a57bf6ca8
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1508175
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads the System eventlog
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2024-09-08 14:58:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
55
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rb3irmxhvuambrswueyaihtkk33jh7nupbgcwkm6ly3wv7jqq3pq._file
Verdict:
unknown
Similar samples:
37bdbeada0c0b18a66d581fb0e3d320478cadc52f644ea0486a44c008dd300ad
MetaStealer
61233c38ece219efc52b96189b470aad5dab514eb76231a980b4e80e0928fd1d
MetaStealer
887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df
MetaStealer
a9bf49d95c4e6d3c9e33e5de82a721ef8f02790daba204d9816b1d581a46b345
MetaStealer
fb3994d810b72176481c2f24b5fed150432b788afd8d00efcaef21c209a09603
MetaStealer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240909-wkp95s1gkp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bf51f900-431e-4b3d-9521-7db599ef8bbd
Unpacked files
SH256 hash:
887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df
MD5 hash:
8643394f91138d207dda09b2c98ed18e
SHA1 hash:
b4befefba8a0c82bcfeb398313fa010efa258d91
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/21a78893-a66e-4fb1-9b87-b8bb704f06cf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/887688b2e7ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MetaStealer

Executable exe 887688b2e7ad00c0c656a130041e6a56f693fdb4784c2b299e5e376afd3086df

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3164404/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments