# SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center SANS Site Network Current Site SANS Internet Storm Center Other SANS Sites Help Graduate Degree Programs Security Training Security Certification Security Awareness Training Penetration Testing Industrial Control Systems Cyber Defense Foundations DFIR Software Security Government OnSite Training InfoSec Handlers Diary Blog **isc.sans.edu/diary/rss/28522** ## Windows MetaStealer Malware **Published: 2022-04-06** **Last Updated: 2022-04-06 03:50:00 UTC** **by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan) [0 comment(s)](https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/#comments) **_Introduction_** Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal. These malicious Excel files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset. This infection process uses data binaries to create the malicious EXE and DLL files used for the infection. The malware abuses legitimate services by Github and transfer.sh to host these data binaries. All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary. ----- _Shown above: Flow chart for the MetaStealer infection chain reviewed in today's diary._ **_Images from an infection_** _Shown above: Screenshot from an email distributing the malicious Excel file._ ----- _Shown above: Screenshot of the malicious Excel file._ ----- _Shown above: Traffic from an infection on Tuesday 2022-04-05 filtered in Wireshark._ _Shown above: Alerts from the infection Security Onion using the Suricata and the ETPRO_ _ruleset._ ----- _Shown above: UAC alert generated by malicious EXE during the infection._ _Shown above: Malicious EXE file generated during the infection._ ----- _Shown above: Malicious EXE persistent on the infected Windows host._ **_Indicators of Compromise (IOCs)_** Traffic generated after enabling Excel macro: hxxps://github[.]com/michel15P/1/raw/main/notice.zip hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip Note: File returned from the above URL is a data binary and not a zip archive Traffic generated by persistent EXE created from the above binary: port 80 - transfer[.]sh - GET /get/qT523D/Wlniornez_Dablvtrq.bmp port 443 hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /avast_update 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - GET /api/client/new ----- 193.106.191[.]162 port 1775 - 193.106.191[.]162:1775 - POST /tasks/get_worker Alerts on traffic to 193.106.191[.]162 over TCP port 1775: ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362 ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363 Associated malware and artifacts: SHA256 hash: [981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e](https://www.virustotal.com/gui/file/981247f5f23421e9ed736dd462801919fea2b60594a6ca0b6400ded463723a5e) File size: 88,069 bytes File name: transfer_info2460.xls File description: Example of email attachment, an Excel file with macro for malware [Sandbox analysis: https://app.any.run/tasks/02a6b252-5ea1-4f2b-96d3-4eb2eaec34ca](https://app.any.run/tasks/02a6b252-5ea1-4f2b-96d3-4eb2eaec34ca) [SHA256 hash: 81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc](https://www.virustotal.com/gui/file/81e77fb911c38ae18c268178492224fab7855dd6f78728ffedfff6b62d1279dc) File size: 2,828 bytes File name: open.vbs File location: same directory as the above Excel file or the user's AppData/Local/Temp directory File description: After enabling macro, this VBS file is used to create the persistent EXE Note: I could not find this file on my infected lab host SHA256 hash: [8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5](https://www.virustotal.com/gui/file/8cfa23b5f47ee072d894ee98b1522e3b8acc84a6e9654b71f50536e74a3579a5) File size: 417,512 bytes File location: hxxps://raw.githubusercontent[.]com/michel15P/1/main/notice.zip File type: data File description: data binary retrieved by open.vbs used to persistent EXE (below) [SHA256 hash: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d](https://www.virustotal.com/gui/file/f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d) File size: 367,001,600 bytes File location: C:\Users\[username]\AppData\Local\Temp\notice.exe File location: C:\Users\[username]\AppData\Roaming\qwveqwveqw.exe File description: Malware EXE persistent on the infected Windows host Note: This binary is appended with more than 366 MB of zero byte filler Note: Persistent through "Shell" value at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ----- SHA256 hash: [7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b](https://www.virustotal.com/gui/file/7641ae596b53c5de724101bd6df35c999c9616d93503bce0ffd30b1c0d041e3b) File size: 143,400 bytes File description: Persistent malware EXE with most of the zero byte filler removed SHA256 hash: [fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b](https://www.virustotal.com/gui/file/fba945b78715297f922b585445c74a4d7663ea2436b8c32bcb0f4e24324d3b8b) File size: 716,288 bytes File location: hxxps://transfer[.]sh/get/qT523D/Wlniornez_Dablvtrq.bmp File type: data File description: Retrieved by persistent EXE, this binary is a Windows DLL file in reverse byte order [SHA256 hash: bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87](https://www.virustotal.com/gui/file/bf3b78329eccd049e04e248dd82417ce9a2bcaca021cda858affd04e513abe87) File size: 716,288 bytes File description: Windows DLL file created by reserving the above binary File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Run method: loaded/run by persistent EXE SHA256 hash: [cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89](https://www.virustotal.com/gui/file/cb6254808d1685977499a75ed2c0f18b44d15720c480fb407035f3804016ed89) File size: 2,182,488 bytes File location: hxxp://193.106.191[.]162:1775/avast_update File description: base64 text representing a Windows DLL file SHA256 hash: [71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738](https://www.virustotal.com/gui/file/71e54b829631b93adc102824a4d3f99c804581ead8058b684df25f1c9039b738) File size: 1,636,864 bytes File description: Windows DLL file converted from the above text File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows Run method: unknown, loaded/run by persistent EXE or previous DLL loaded/run by persistent EXE **_Final words_** Each time I rebooted my infected Windows host, the persistent EXE generated traffic to the same transfer.sh URL and re-started the infection process without the Github traffic. ----- Malware associated with this infection was first submitted to VT on Wednesday 2022-03-30. ETPRO signatures identifying HTTP traffic generated by this malware as MetaStealer were released on Friday 2022-04-01. My thanks to [Security Onion, Proofpoint's EmergingThreats team, and](https://securityonionsolutions.com/) Didier Stevens' tools for reversing binaries. These three resources were a big help in my analysis for this diary. [A pcap of the infection traffic and the associated malware/artifacts can be found here.](https://www.malware-traffic-analysis.net/2022/04/06/index.html) -- Brad Duncan brad [at] malware-traffic-analysis.net [Keywords: DLL](https://isc.sans.edu/tag.html?tag=DLL) [Excel](https://isc.sans.edu/tag.html?tag=Excel) [EXE](https://isc.sans.edu/tag.html?tag=EXE) [Malspam](https://isc.sans.edu/tag.html?tag=Malspam) [Malware](https://isc.sans.edu/tag.html?tag=Malware) [MetaStealer](https://isc.sans.edu/tag.html?tag=MetaStealer) [Windows](https://isc.sans.edu/tag.html?tag=Windows) [0 comment(s)](https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/) Join us at SANS! Attend [with Brad Duncan in starting](https://isc.sans.edu/diary/rss/28522) Top of page × [Diary Archives](https://isc.sans.edu/diaryarchive.html) -----