{
	"id": "48e407cc-8522-41c2-9cdf-a74c0f7cd376",
	"created_at": "2026-04-06T00:17:03.410226Z",
	"updated_at": "2026-04-10T03:21:59.591143Z",
	"deleted_at": null,
	"sha1_hash": "b234b08d287f0b508e8fa502408b085744bcd705",
	"title": "Metastealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41575,
	"plain_text": "Metastealer\r\nPublished: 2023-05-11 · Archived: 2026-04-05 19:45:14 UTC\r\nAnalysis\r\nThis sample has many strings related to the build process that have not been stripped. We can use these for our\r\nyara rule.\r\n\"powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension\r\nC:\\Workspace\\Projects\\rat\\client\\stealer\\third_party\r\nC:\\Workspace\\Projects\\rat\\client\\stealer\\out\\build\\x86-Release\\third_party\\cryptopp\\_deps\\cryptopp\\rijndael_simd.cp\r\nstealertest.dll\r\nIBrowserBase@stealer\r\nChromeBrowser@stealer\r\nEdgeBrowser@stealer\r\nFirefoxBrowser@stealer\r\nThis sample looks similar; it may be an earlier version\r\n5e5cc4f42c7d5481db280b28d1227568c17ed8cc4208970b7a963a4f30c7cc83\r\nC:\\3001_1\\notbotnet\\client\\stealer\\out\\third_party\\cryptopp\r\nC:\\3001_1\\notbotnet\\client\\stealer\\third_party\r\nstealertest.dll\r\nYara Rule\r\nrule metastealer_dga {\r\nstrings:\r\n $libs = \"rat\\\\client\\\\stealer\" ascii wide\r\n $rtti_1 = \"IBrowserBase@stealer\"\r\n $rtti_2 = \"ChromeBrowser@stealer\"\r\n $rtti_3 = \"EdgeBrowser@stealer\"\r\n $rtti_4 = \"FirefoxBrowser@stealer\"\r\n $name = \"stealertest.dll\"\r\ncondition:\r\n $name or\r\n all of ($rtti_*) or\r\nhttps://research.openanalysis.net/metatealer/stealer/dga/obfuscation/2023/05/11/metastealer.html\r\nPage 1 of 2\n\n$libs\r\n}\r\nString Decryption\r\nThis is a modified version of Jason Reeves' script from his blog\r\nDGA\r\nWe want to statically extract the DGA seed.\r\n68 EF 06 00 00 push 1775\r\n89 85 84 FD FF FF mov [ebp-27Ch], eax\r\n8D 85 F0 FD FF FF lea eax, [ebp-210h]\r\n68 34 12 00 00 push 1234h\r\nSource: https://research.openanalysis.net/metatealer/stealer/dga/obfuscation/2023/05/11/metastealer.html\r\nhttps://research.openanalysis.net/metatealer/stealer/dga/obfuscation/2023/05/11/metastealer.html\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.openanalysis.net/metatealer/stealer/dga/obfuscation/2023/05/11/metastealer.html"
	],
	"report_names": [
		"metastealer.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434623,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b234b08d287f0b508e8fa502408b085744bcd705.pdf",
		"text": "https://archive.orkl.eu/b234b08d287f0b508e8fa502408b085744bcd705.txt",
		"img": "https://archive.orkl.eu/b234b08d287f0b508e8fa502408b085744bcd705.jpg"
	}
}