Windows MetaStealer Malware - SANS Internet Storm Center
By SANS Internet Storm Center
Archived: 2026-04-05 17:41:16 UTC

Introduction

Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal. These malicious Excel files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset.

This infection process uses data binaries to create the malicious EXE and DLL files used for the infection. The malware abuses legitimate services from GitHub and transfer.sh to host these data binaries. All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.

Shown above: Flow chart for the MetaStealer infection chain reviewed in today's diary.

Images from an infection

https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/ Page 1 of 8

Shown above: Screenshot from an email distributing the malicious Excel file.

Shown above: Screenshot of the malicious Excel file.

Shown above: Traffic from an infection on Tuesday 2022-04-05 filtered in Wireshark.

Shown above: Alerts from the infection in Security Onion using Suricata and the ETPRO ruleset.

Shown above: UAC alert generated by the malicious EXE during the infection.

Shown above: Malicious EXE file generated during the infection.

Shown above: Malicious EXE persistent on the infected Windows host.
Indicators of Compromise (IOCs)

Traffic generated after enabling the Excel macro:

hxxps://github[.]com/michel15P/1/raw/main/notice.zip
hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip

Note: The file returned from the above URL is a data binary and not a zip archive.

Traffic generated by the persistent EXE created from the above binary:

port 80 - transfer[.]sh - GET /get/qT523D/Wlniornez_Dablvtrq.bmp
port 443 - hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /avast_update
193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /api/client/new
193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - POST /tasks/get_worker

Alerts on traffic to 193.106.191[.]162 over TCP port 1775:

ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362
ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363

Associated malware and artifacts:

SHA256 hash: 981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e
File size: 88,069 bytes
File name: transfer_info2460.xls
File description: Example of email attachment, an Excel file with a macro for the malware
Sandbox analysis: https://app.any.run/tasks/02a6b252-5ea1-4f2b-96d3-4eb2eaec34ca

SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc
File size: 2,828 bytes
File name: open.vbs
File location: same directory as the above Excel file or the user's AppData/Local/Temp directory
File description: After the macro is enabled, this VBS file is used to create the persistent EXE
Note: I could not find this file on my infected lab host

SHA256 hash: 8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5
File size: 417,512 bytes
File location: hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip
File type: data
File description: Data binary retrieved by open.vbs and used to create the persistent EXE (below)

SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d
File size: 367,001,600 bytes
File location: C:\Users\[username]\AppData\Local\Temp\notice.exe
File location: C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe
File description: Malware EXE persistent on the infected Windows host
Note: This binary is appended with more than 366 MB of zero-byte filler
Note: Persistent through the "Shell" value at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SHA256 hash: 7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b
File size: 143,400 bytes
File description: Persistent malware EXE with most of the zero-byte filler removed

SHA256 hash: fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b
File size: 716,288 bytes
File location: hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp
File type: data
File description: Retrieved by the persistent EXE, this binary is a Windows DLL file in reverse byte order

SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87
File size: 716,288 bytes
File description: Windows DLL file created by reversing the above binary
File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Run method: loaded/run by the persistent EXE

SHA256 hash: cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89
File size: 2,182,488 bytes
File location: hxxp://193.106.191[.]162:1775/avast_update
File description: base64 text representing a Windows DLL file

SHA256 hash: 71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738
File size: 1,636,864 bytes
File description: Windows DLL file converted from the above text
File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Run method: unknown, loaded/run by the persistent EXE or by the previous DLL that the persistent EXE loads/runs

Final words

Each time I rebooted my infected Windows host, the persistent EXE generated traffic to the same transfer.sh URL and re-started the infection process without the GitHub traffic.

Malware associated with this infection was first submitted to VT on Wednesday 2022-03-30. ETPRO signatures identifying HTTP traffic generated by this malware as MetaStealer were released on Friday 2022-04-01.

My thanks to Security Onion, Proofpoint's EmergingThreats team, and Didier Stevens' tools for reversing binaries. These three resources were a big help in my analysis for this diary.

A pcap of the infection traffic and the associated malware/artifacts can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Source: https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/
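The IOC list above describes three ways the payloads are disguised on the wire or on disk: the persistent EXE padded with more than 366 MB of zero bytes, a DLL served from transfer.sh in reverse byte order, and a DLL served from 193.106.191[.]162:1775 as base64 text (the sizes in the diary agree with that: 1,636,864 bytes of DLL base64-encode to exactly 2,182,488 characters). The following Python is an added example for analysts triaging such files; it is not code from the diary or from the tools the author credits. It recognises each form, recovers the PE, and trims zero filler only past the end of the last section as computed from the section table, so a genuine non-zero overlay is never cut off. The "toy PE" it operates on is constructed in the block (valid DOS/PE headers, one section, no optional header) and stands in for the real artifacts, whose hashes are listed above.

```python
import base64
import hashlib
import struct
from typing import Optional, Tuple


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_end_on_disk(data: bytes) -> int:
    """Offset just past the last section's raw data, from the section table.
    Anything after this point is overlay (or, as in this infection, zero-byte filler)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                                  # COFF file header follows 'PE\0\0'
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt_hdr                     # section table follows the optional header
    end = table + 40 * num_sections                      # at minimum, the headers themselves
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def strip_zero_filler(data: bytes) -> bytes:
    """Drop trailing filler past the last section, but only when it is entirely zero bytes;
    a non-zero overlay is kept because it may be a real part of the file."""
    end = pe_end_on_disk(data)
    tail = data[end:]
    if tail and tail.count(0) == len(tail):
        return data[:end]
    return data


def normalize_artifact(blob: bytes) -> Tuple[Optional[str], Optional[bytes]]:
    """Recover a PE from one of the three encodings described in the diary.
    Returns (encoding, pe_bytes), or (None, None) if nothing recognisable is found."""
    if looks_like_pe(blob):
        return "pe", strip_zero_filler(blob)
    if blob[-2:] == b"ZM":                               # reversed 'MZ': cheap test before reversing a big blob
        candidate = blob[::-1]
        if looks_like_pe(candidate):
            return "reversed-pe", candidate
    try:
        candidate = base64.b64decode(b"".join(blob.split()), validate=True)
    except ValueError:                                   # binascii.Error is a ValueError subclass
        candidate = b""
    if looks_like_pe(candidate):
        return "base64-pe", candidate
    return None, None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_toy_pe(section_bytes: bytes) -> bytes:
    """Constructed, non-runnable stand-in for a PE: valid DOS/PE headers and one section at 0x200.
    SizeOfOptionalHeader is 0 here, which real files never have; the parser only reads the field."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)   # i386, 1 section, no optional header
    ptr_raw = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), ptr_raw, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + section
    return headers.ljust(ptr_raw, b"\x00") + section_bytes


# Constructed samples mirroring the diary's three transformations (not the real artifacts).
TOY_PE = build_toy_pe(b"\xcc" * 100)
PADDED_SAMPLE = TOY_PE + b"\x00" * 4096           # zero-byte filler appended, like notice.exe
REVERSED_SAMPLE = TOY_PE[::-1]                     # DLL stored in reverse byte order, like the .bmp payload
BASE64_SAMPLE = base64.b64encode(TOY_PE)           # base64 text of a DLL, like /avast_update

if __name__ == "__main__":
    for label, blob in [("padded", PADDED_SAMPLE), ("reversed", REVERSED_SAMPLE), ("base64", BASE64_SAMPLE)]:
        kind, pe = normalize_artifact(blob)
        print(f"{label:8s} -> {kind}, {len(pe)} bytes, sha256 {sha256_hex(pe)}")
```

Running it against the real files, `normalize_artifact` applied to the transfer.sh payload should yield bytes hashing to the bf3b7832... DLL listed above, and applied to /avast_update the 71e54b82... DLL; for notice.exe the trimmed output will differ slightly from the diary's 143,400-byte file because the author removed "most" rather than all of the filler.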
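The IOC list also notes that the EXE survives reboots through the "Shell" value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. On a default install the per-user Winlogon key carries no Shell value at all (the system shell is set under HKLM), so its mere presence is worth reporting. The Python below is an added example, not code from the diary: it parses a regedit-style .reg export of that key and reports any shell entry that is not explorer.exe or that runs from a user-profile AppData path. The export text is constructed; the diary does not say whether the malware keeps explorer.exe in front of its own path or replaces it, so the check handles both forms.

```python
import re
from typing import Dict, List, Optional

WINLOGON_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed .reg export in the format regedit / 'reg export' produce. The qwveqwveqw.exe path
# is the persistence location from the diary; the surrounding values are made up for the example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\victim\\AppData\\Roaming\\qwveqwveqw.exe"
"BuildNumber"=dword:00004a61
'''

CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"BuildNumber"=dword:00004a61
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in a .reg export to its "name"=raw-value lines (raw, still escaped)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw: str) -> Optional[str]:
    """Unescape a REG_SZ literal ("..."); return None for dword:/hex: and other types."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # .reg doubles backslashes and escapes quotes
    return None


def check_winlogon_shell(reg_text: str) -> List[str]:
    """Return findings about the per-user Winlogon Shell value; an empty list means nothing to report."""
    findings: List[str] = []
    values = parse_reg_export(reg_text).get(WINLOGON_KEY, {})
    if "Shell" not in values:
        return findings                                   # absent on a default install
    shell = reg_string(values["Shell"])
    if shell is None:
        return ["Shell under HKCU Winlogon is not a plain string value: " + values["Shell"]]
    findings.append("per-user Shell value present under HKCU Winlogon: " + shell)
    for entry in (part.strip() for part in shell.split(",")):
        if not entry:
            continue
        if entry.lower() != "explorer.exe":
            findings.append("non-default shell entry: " + entry)
        if "\\appdata\\" in entry.lower():
            findings.append("shell entry runs from a user-profile AppData path: " + entry)
    return findings


if __name__ == "__main__":
    for finding in check_winlogon_shell(SAMPLE_REG_EXPORT):
        print("[!]", finding)
```

On a live host the key can be exported with `reg export "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; the file is written as UTF-16, so open it with `encoding="utf-16"` before passing its text to `check_winlogon_shell`.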