{
	"id": "3b49b929-ecd2-41c6-9c46-d77dd3fdc2dd",
	"created_at": "2026-04-06T00:10:44.585567Z",
	"updated_at": "2026-04-10T03:20:18.162028Z",
	"deleted_at": null,
	"sha1_hash": "ccc3bcde62e3ba7b658d0901e755d23f828e1770",
	"title": "Windows MetaStealer Malware - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3025139,
	"plain_text": "Windows MetaStealer Malware - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 17:41:16 UTC\r\nIntroduction\r\nSince Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal.\r\nThese malicious Excel files are distributed as email attachments.\r\nPost-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset.\r\nThis infection process uses data binaries to create the malicious EXE and DLL files used for the infection.\r\nThe malware abuses legitimate services from GitHub and transfer.sh to host these data binaries.\r\nAll URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.\r\nShown above: Flow chart for the MetaStealer infection chain reviewed in today's diary.\r\nImages from an infection\r\nhttps://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/\r\nPage 1 of 8\r\nShown above: Screenshot from an email distributing the malicious Excel file.\r\nShown above: Screenshot of the malicious Excel file.\r\nShown above: Traffic from an infection on Tuesday 2022-04-05 filtered in Wireshark.\r\nShown above: Alerts from the infection in Security Onion using Suricata and the ETPRO ruleset.\r\nShown above: UAC alert generated by the malicious EXE during the infection.\r\nShown above: Malicious EXE file generated during the infection.\r\nShown above: Malicious EXE persistent on the infected Windows host.\r\nIndicators of Compromise (IOCs)\r\nTraffic generated after enabling the Excel macro:\r\nhxxps://github[.]com/michel15P/1/raw/main/notice.zip\r\nhxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip\r\nNote: The file returned from the above URL is a data binary, not a zip archive.\r\nTraffic generated by the persistent EXE created from the above binary:\r\nport 80 - transfer[.]sh - GET /get/qT523D/Wlniornez_Dablvtrq.bmp\r\nport 443 - hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp\r\n193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /avast_update\r\n193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /api/client/new\r\n193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - POST /tasks/get_worker\r\nAlerts on traffic to 193.106.191[.]162 over TCP port 1775:\r\nETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362\r\nETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363\r\nAssociated malware and artifacts:\r\nSHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e\r\nFile size: 88,069 bytes\r\nFile name: transfer_info2460.xls\r\nFile description: Example of the email attachment, an Excel file with a macro for the malware\r\nSandbox analysis: https://app.any.run/tasks/02a6b252-5ea1-4f2b-96d3-4eb2eaec34ca\r\nSHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc\r\nFile size: 2,828 bytes\r\nFile name: open.vbs\r\nFile location: same directory as the above Excel file or the user's AppData/Local/Temp directory\r\nFile description: After the macro is enabled, this VBS file is used to create the persistent EXE\r\nNote: I could not find this file on my infected lab host\r\nSHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5\r\nFile size: 417,512 bytes\r\nFile location: hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip\r\nFile type: data\r\nFile description: Data binary retrieved by open.vbs and used to create the persistent EXE (below)\r\nSHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d\r\nFile size: 367,001,600 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\notice.exe\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\qwveqwveqw.exe\r\nFile description: Malware EXE persistent on the infected Windows host\r\nNote: This binary is appended with more than 366 MB of zero-byte filler\r\nNote: Persistent through the \"Shell\" value at HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nSHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b\r\nFile size: 143,400 bytes\r\nFile description: Persistent malware EXE with most of the zero-byte filler removed\r\nSHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b\r\nFile size: 716,288 bytes\r\nFile location: hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp\r\nFile type: data\r\nFile description: Retrieved by the persistent EXE; this binary is a Windows DLL file in reverse byte order\r\nSHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87\r\nFile size: 716,288 bytes\r\nFile description: Windows DLL file created by reversing the byte order of the above binary\r\nFile type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nRun method: loaded/run by the persistent EXE\r\nSHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89\r\nFile size: 2,182,488 bytes\r\nFile location: hxxp://193.106.191[.]162:1775/avast_update\r\nFile description: base64 text representing a Windows DLL file\r\nSHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738\r\nFile size: 1,636,864 bytes\r\nFile description: Windows DLL file decoded from the above base64 text\r\nFile type: PE32 executable (DLL) (console) Intel 80386, for MS Windows\r\nRun method: unknown; loaded/run either by the persistent EXE or by the previous DLL that the persistent EXE loaded/ran\r\nFinal words\r\nEach time I rebooted my infected Windows host, the persistent EXE generated traffic to the same transfer.sh URL and re-started the infection process without the GitHub traffic.\r\nMalware associated with this infection was first submitted to VT on Wednesday 2022-03-30. ETPRO signatures identifying HTTP traffic generated by this malware as MetaStealer were released on Friday 2022-04-01.\r\nMy thanks to Security Onion, Proofpoint's EmergingThreats team, and Didier Stevens' tools for reversing binaries. These three resources were a big help in my analysis for this diary.\r\nA pcap of the infection traffic and the associated malware/artifacts can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/"
	],
	"report_names": [
		"28522"
	],
	"threat_actors": [],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccc3bcde62e3ba7b658d0901e755d23f828e1770.pdf",
		"text": "https://archive.orkl.eu/ccc3bcde62e3ba7b658d0901e755d23f828e1770.txt",
		"img": "https://archive.orkl.eu/ccc3bcde62e3ba7b658d0901e755d23f828e1770.jpg"
	}
}