METAStealer-DGA Routine

3 min readMay 11, 2024

Sample

6cf8bfba1b221effcb1eccec0c91fb0906d0b8996932167f654680cb3ac53aac

Analysis

metastealer does a great way of evading its executable from the defender by running a PowerShell command, which turns off scanning of files with the ‘.exe’ extension. :

"powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension \"exe\"",

String Encryption

The MetaStealer binary is heavily obfuscated, with the author employing various concealment techniques. Garbage code insertion alongside encoding onboard strings complicates analysis. Though the encoding method is known, efficient decoding remains a challenge.

Strings are organized as DWORD values and pushed onto the stack with the XOR key. The PXOR instruction operates on 64-bit (MMX) or 128-bit (XMM) operands. Many DWORD values are identical due to NULL padding for length compatibility.

Decoding requires identifying PXOR and VPXOR instructions. Longer strings use VPXOR, handling 128-bit (XMM) or 256-bit (YMM) operands. Decoding involves tracing back to DWORD stack loads.

using a modified version of Jason Reeves’ script, I have decrypted some strings

the decrypted strings

b'sys'
b'chrome'
b'chrome'
b'chrome'
b'chrome'
b'chrome'
b'chrome'
b'chrome'
b'chrome'
b'chrome'
b'ip'
b'ip'
b'ip'
b'cmd'
b'cmd'
b'FG Started'
b'chrome'
b'chrome'
b'chrome'
b'chrome'
b'chrome'
b'ok'
b'ok'
b'ok'
b'ok'
b'ok'
b':1775'
b':1775'
b'ok'
b'ok'
b'/api/client/new'
b'ok'
b'ffox'
b'dir=in '
b'version'
b'.xyz'
b'ok'
b'os_crypt'
b'os_crypt'
b'RtlGetVersion'
b'RtlGetVersion'
b'Windows 10'
b'Windows 10'
b'Windows 10'
b'Windows 10'
b'Windows 10'
b'Windows 10'
b'Pro'
b'action'
b'action'
b'action'
b'action'
b'action'
b'uuid'
b'uuid'
b'ok'
b'files'
b'files'
b'files'
b'files'
b'files'
b'files'
b'files'
b'files'
b'files'
b'files'
b'files'
b'files'
b'/tasks/collect'
b'status'
b'uuid'
b'uuid'
b'uuid'
b'/tasks/collect'
b'status'
b'status'
b'status'
b'status'
b'/tasks/collect'
b'ROOT'
b'name'
b'name'
b'name'
b'value'
b'host_key'
b'host_key'
b'host_key'
b'host_key'
b'host_key'
b'host_key'
b'host_key'
b'host_key'
b'host_key'
b'domain'
b'domain'
b'path'
b'path'
b'path'
b'path'
b'path'
b'host'
b'isHttpOnly'
b'path'
b'isSecure'
b'expiry'
b'name'
b'value'
b'domain'
b'domain'
b'path'
b'path'
b'path'
b'name'
b'value'
b'origin_url'
b'origin_url'
b'origin_url'
b'url'
b'url'
b'url'
b'ntdll'
b'Uuid'
b'File-Type'
b'files'
b'cmd.exe'
b'cmd.exe'
b'cmd.exe'
b'H\x07\x01\x01'
b'\x02\x01'
b'\x01\x02\x01\x02\x02\x01'
b'\x02\x08\x02\x03\x03'
b''
b'\x0f'
b'a\x06\x01\x10\x18'

Uniqe-strings

C:\Workspace\Projects\rat\client\stealer\third_party

C:\Workspace\Projects\rat\client\stealer\out\build\x86-Releaseird_party\cryptopp\_deps\cryptopp\rijndael_simd.cpp

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension \"exe\
rat\\client\\stealer
?AV?$_Func_impl_no_alloc@V<lambda_8>@?CL@??Listen@TaskManager@st
stealertest.dll
IBrowserBase@stealer
ChromeBrowser@stealer
EdgeBrowser@stealer
FirefoxBrowser@stealer

DGA-Routine

A DGA is a type of software routine inside of malware that generates many pseudo-random domain names, which are then used by the malware to establish a connection to their command-and-control (C2) servers. These domain generation techniques make it particularly challenging for security systems such as anti-virus software and firewalls to detect and block malware

metastealer using the DGA routine in its functionality by pushing the seed and then calling the DGA routine function