MetaStealer Part 2, Google Cookie Refresher Madness and Stealer Drama

The article analyzes technical changes in a new MetaStealer build: updated class names, a layered string decryption routine (base64 → XOR → base64), and a dnlib-based dynamic approach to identify and invoke decryption methods to recover embedded payloads. It shows an extracted qemu-ga.exe written to Startup, sandbox-evasion checks for usernames/computer names, C2 information, and notes abuse of a Google cookie-refresh issue by multiple stealers. #MetaStealer #Redline #Vidar #Lumma #RisePro #Google

Keypoints

  • MetaStealer updated internals: class names changed (e.g., from “Entity” to “Schema”/“TreeObject”), changed binary description and icon, and modified string encryption logic.
  • The new string decryption is layered: base64 decode, XOR with a hardcoded key (example “Crayfish”), then base64 decode again.
  • The author uses dnlib to load the .NET assembly, identify candidate decryption methods by signature, extract call-site parameters, and invoke those methods to recover decrypted strings at runtime.
  • Decrypted output included a base64-encoded .NET executable (qemu-ga.exe, MD5 e6db93b513085fe253753cff76054a2a) which MetaStealer drops into Startup after communicating with its C2.
  • MetaStealer includes sandbox-evasion checks using lists of usernames and computer names; if matched, the process exits.
  • The article notes multiple stealers abusing a Google cookie-refresh vulnerability to obtain fresh cookies and persistent access to Google accounts.
  • IOCs provided include several MD5 hashes and a C2 IP:port (5.42.65[.]34:25530); Yara and Sigma rules are available for detection.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – Used to query system management information (example usage: ‘ManagementObjectSearcher class to query system management information… “ROOT\SecurityCenter: SELECT * FROM AntivirusProduct”’)
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – MetaStealer writes an extracted executable to Startup to persist: ‘MetaStealer writes that executable to the Startup after successfully receiving the configuration from the C2 server and collecting user information.’
  • [T1497] Virtualization/Sandbox Evasion – The stealer checks usernames and computer names to detect and exit in sandboxed environments: ‘username and computer name check to avoid sandbox environments; if any of the usernames/computer names are found in the list, the stealer process will exit.’
  • [T1027] Obfuscated Files or Information – Strings are obfuscated with layered encoding and XOR; the article describes the decryption: ‘First, the base64-encoded string gets base64-decoded and XOR’ed with the hardcoded key (in our example, it is Crayfish); the XOR’ed string then gets base64-decoded again.’
  • [T1071] Application Layer Protocol – Command and control communication is used to retrieve configuration and instructions from a C2 server: ‘after successfully receiving the configuration from the C2 server and collecting user information.’

Indicators of Compromise

  • [File hash] MetaStealer/sample and embedded payload – e6db93b513085fe253753cff76054a2a, a8d6e729b4911e1a0e3e9053eab2392b, and 1 more hash
  • [IP:Port] C2 server – 5.42.65[.]34:25530 (listed as MetaStealer C2)
  • [Filename] dropped executable – qemu-ga.exe (embedded .NET executable recovered from decrypted base64 string and written to Startup)

MetaStealer’s updated build changes class names (from “Entity” to “Schema”/“TreeObject”), binary metadata, and its string handling. Strings are encrypted with a two-stage scheme: a base64 string is decoded, XOR’ed with a hardcoded key (example “Crayfish”), then base64-decoded again. To recover runtime values, the author uses dnlib to load the .NET module and assembly, defines a decryption method signature (methods taking an Int32 and returning System.String), scans types and methods to find candidates, and locates call-sites that pass parameters to those methods.

After identifying suspected decryption methods, the script extracts parameter values from method instruction streams (handling Int32 and string operand types), invokes the decryption routines (this executes code from the sample, which is why the article recommends running the script in a sandbox), and collects results mapped to their original method locations. The decrypted output revealed a base64-encoded .NET executable (qemu-ga.exe, MD5 e6db93b513085fe253753cff76054a2a). MetaStealer writes that file to the Startup folder after receiving its configuration from the C2, though the sample’s qemu-ga.exe only sleeps and waits in a loop.
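The layered string scheme described above, reimplemented as an added example for this page (it is not the author’s dnlib script and not code from the malware). It keeps the page’s key “Crayfish” and decodes in the stated order (base64 → XOR → base64), then applies the same check the write-up relies on for the dropped file: a decrypted string that is itself valid base64 and decodes to an “MZ” header is an embedded executable. Assumptions not stated on the page: the XOR key repeats cyclically over the data, and the sample plaintexts and the “MZ”-only placeholder blob are constructed here for illustration.

```python
import base64
import binascii
from typing import Optional

KEY = "Crayfish"  # hardcoded XOR key quoted in the write-up for this sample

# Constructed inputs (not data taken from the malware): two plaintexts in the
# form of values the write-up mentions, and a placeholder "executable" that
# carries only an MZ header so the embedded-payload check has something to see.
SAMPLE_STRINGS = ["SELECT * FROM AntivirusProduct", "qemu-ga.exe"]
FAKE_PE = b"MZ" + bytes(range(60))


def _xor(data: bytes, key: str) -> bytes:
    # Assumption: the key repeats cyclically over the data; the page does not
    # state how the key is indexed, this is the usual form.
    k = key.encode()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def decrypt_string(encoded: str, key: str = KEY) -> str:
    """Layered scheme from the write-up: base64-decode, XOR with the key,
    base64-decode again. The XOR output is itself base64 text."""
    stage1 = base64.b64decode(encoded)
    stage2 = _xor(stage1, key)
    return base64.b64decode(stage2).decode("utf-8")


def encrypt_string(plaintext: str, key: str = KEY) -> str:
    """Inverse of decrypt_string; used here only to build test inputs."""
    inner = base64.b64encode(plaintext.encode("utf-8"))
    return base64.b64encode(_xor(inner, key)).decode("ascii")


def extract_embedded_pe(decrypted: str) -> Optional[bytes]:
    """Treat a decrypted string as an embedded executable if it is strictly
    valid base64 and decodes to an 'MZ' header (the qemu-ga.exe case).
    Ordinary strings such as WMI queries or filenames fail validation and
    return None."""
    try:
        blob = base64.b64decode(decrypted, validate=True)
    except (binascii.Error, ValueError):
        return None
    return blob if blob[:2] == b"MZ" else None


# Encrypted form of the constructed samples, as they would appear as call-site
# operands in the binary.
ENCRYPTED_SAMPLES = [encrypt_string(s) for s in SAMPLE_STRINGS] + [
    encrypt_string(base64.b64encode(FAKE_PE).decode("ascii"))
]


def recover_all(encrypted=ENCRYPTED_SAMPLES, key: str = KEY):
    """Decrypt every string and tag each as a plain string or an embedded PE."""
    results = []
    for enc in encrypted:
        plain = decrypt_string(enc, key)
        pe = extract_embedded_pe(plain)
        results.append(("pe", pe) if pe is not None else ("str", plain))
    return results


if __name__ == "__main__":
    for kind, value in recover_all():
        if kind == "pe":
            print(f"embedded PE: {len(value)} bytes, header {value[:2]!r}")
        else:
            print(f"string: {value}")
```

Because the routine here is pure Python, it can run on extracted operands without executing anything from the sample; the dnlib approach described above instead invokes the binary’s own decryption methods, which is what makes the sandbox requirement necessary.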

Additional behavioral details: the malware queries WMI (ManagementObjectSearcher) to gather system information (example WMI query shown: “ROOT\SecurityCenter: SELECT * FROM AntivirusProduct”, which enumerates installed antivirus products), performs sandbox avoidance by checking lists of usernames and computer names and exiting if matched, and communicates with a C2 (listed as 5.42.65[.]34:25530). The article also notes that multiple stealers are abusing a Google cookie-refresh issue to obtain fresh cookies; Yara and Sigma rules are provided for detection, and the decryption script, which executes code from the sample, should be run in a sandboxed environment.

Read more: https://russianpanda95.github.io/2023/12/28/MetaStealer-Part-2/