MetaStealer Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (71)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en62
ru8
fr2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us36
ru10
ag2
cn2
is2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

MetaStealer8
RedLine Stealer2
Meterpreter2
Conti1
RagnarLocker1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined32
Groupware Software6
Programming Language Software4
Web Server4
Content Management System2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined26
Microsoft8
Apache4
Proxmox2
13enforme2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

PHP4
Microsoft Exchange Server4
Proxmox proxmox-widget-toolkit2
13enforme CMS2
GNU Bash2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Red Lion HMI Panel URI 7pk error6.96.9$0-$5k$0-$5kNot DefinedNot Defined0.002380.00CVE-2017-14855
2GNU Bash mod_cgi os command injection9.89.4$0-$5k$0-$5kHighOfficial Fix0.973480.00CVE-2014-7169
3Hostel Searching Project view-property.php sql injection7.57.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.002660.05CVE-2022-4051
4Ovidentia CMS index.php sql injection4.34.1$0-$5k$0-$5kProof-of-ConceptNot Defined0.000890.07CVE-2021-29343
5phpBB XS bb_usage_stats.php file inclusion7.36.9$0-$5k$0-$5kProof-of-ConceptNot Defined0.079550.02CVE-2006-4893
6SourceCodester Online Student Admission System Student User Page edit-profile.php cross site scripting3.53.2$0-$5k$0-$5kProof-of-ConceptNot Defined0.000680.00CVE-2022-2681
7Microsoft Exchange Server Privilege Escalation8.37.6$25k-$100k$5k-$25kUnprovenOfficial Fix0.000800.04CVE-2023-36745
8Elementor Plugin Template Import unrestricted upload6.36.1$0-$5k$0-$5kNot DefinedNot Defined0.000540.04CVE-2023-48777
9News & Blog Designer Pack Plugin file inclusion7.37.1$0-$5k$0-$5kNot DefinedNot Defined0.003220.02CVE-2023-5815
10LearnPress Plugin command injection7.87.7$0-$5k$0-$5kNot DefinedNot Defined0.202800.00CVE-2023-6634
11Likeshop HTTP POST Request File.php userFormImage unrestricted upload8.17.9$0-$5k$0-$5kProof-of-ConceptNot Defined0.008600.00CVE-2024-0352
12Proxmox proxmox-widget-toolkit Edit Notes cross site scripting5.05.0$0-$5k$0-$5kNot DefinedOfficial Fix0.000520.05CVE-2023-46854
13GG18/GG20 ECDSA Private Key injection7.77.5$0-$5k$0-$5kProof-of-ConceptNot Defined0.000700.00CVE-2023-33241
14Mozilla Firefox SPDY/HTTP/2 cryptographic issues5.34.6$5k-$25k$0-$5kUnprovenOfficial Fix0.004110.02CVE-2014-1584
15Microsoft Exchange Server Privilege Escalation8.87.7$25k-$100k$5k-$25kUnprovenOfficial Fix0.011920.02CVE-2023-21529
16MetInfo URL Redirector login.php redirect6.66.6$0-$5k$0-$5kNot DefinedNot Defined0.001070.00CVE-2017-11718
17SourceCodester Sanitization Management System Admin Login sql injection7.57.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.001200.04CVE-2022-4726
18Microsoft SharePoint Workflow input validation10.08.7$25k-$100k$0-$5kProof-of-ConceptOfficial Fix0.910720.04CVE-2013-1330
19NdkAdvancedCustomizationFields createPdf.php cross site scripting4.84.6$0-$5k$0-$5kProof-of-ConceptNot Defined0.000700.00CVE-2022-40840
20Redis XAUTOCLAIM Command heap-based overflow8.28.1$0-$5k$0-$5kNot DefinedOfficial Fix0.005980.05CVE-2022-31144

IOC - Indicator of Compromise (15)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
14.224.60.120MetaStealer11/21/2023verifiedHigh
213.114.196.60ec2-13-114-196-60.ap-northeast-1.compute.amazonaws.comMetaStealer02/26/2024verifiedMedium
313.125.88.10ec2-13-125-88-10.ap-northeast-2.compute.amazonaws.comMetaStealer02/26/2024verifiedMedium
4XX.XXX.XXX.XXxxxxxx.xx.xxx.xxx.xx.xxxxxxx.xxxx-xxxxxx.xxXxxxxxxxxxx11/26/2023verifiedHigh
5XXX.XXX.XXX.XXXxxxxxxxxxx04/27/2024verifiedHigh
6XXX.XX.XX.XXXxxx-xx-xx-xxx.xxxxxxx-xxxXxxxxxxxxxx05/16/2023verifiedHigh
7XXX.XXX.XXX.XXXxxxxxxxxx.xxxxxxxxx.xxxxXxxxxxxxxxx05/16/2023verifiedHigh
8XXX.XXX.XXX.XXXxxxxxx.xxxXxxxxxxxxxx12/02/2022verifiedHigh
9XXX.XXX.XXX.XXXxxxxxxxxxx05/16/2023verifiedHigh
10XXX.XXX.XXX.XXXxxxxxxxxxx01/31/2023verifiedHigh
11XXX.XXX.XXX.XXXXxxxxxxxxxx04/06/2022verifiedHigh
12XXX.XX.XX.XXXXxxxxxxxxxx11/30/2023verifiedHigh
13XXX.XX.XX.XXXXxxxxxxxxxx11/30/2023verifiedHigh
14XXX.XX.XXX.XXXxxx.xxxXxxxxxxxxxx11/30/2023verifiedHigh
15XXX.XX.XX.XXXXxxxxxxxxxx12/29/2023verifiedHigh

TTP - Tactics, Techniques, Procedures (11)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
2T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
3T1059.007CAPEC-209CWE-79, CWE-80Cross Site ScriptingpredictiveHigh
4TXXXXCAPEC-122CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
5TXXXXCAPEC-136CWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
6TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
7TXXXXCAPEC-CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
8TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
9TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
10TXXXXCAPEC-CWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
11TXXXX.XXXCAPEC-1CWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (63)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/index.phppredictiveMedium
2File/uncpath/predictiveMedium
3Fileabout.phppredictiveMedium
4Fileadmin.phppredictiveMedium
5Fileadmin_feature.phppredictiveHigh
6Fileaj.htmlpredictiveLow
7Fileakocomments.phppredictiveHigh
8Filearchives.phppredictiveMedium
9Filexxxxxxx.xxxpredictiveMedium
10Filexxxx.xxx.xxxpredictiveMedium
11Filexx_xxxxx_xxxxx.xxxpredictiveHigh
12Filexxx-xxxxxx-xxxxxxxxxx-xxxxxx/xxxxxxx.xxxpredictiveHigh
13Filexxx-xxx/xxxxxxxxxxx/xxxxxxxxx.xxxpredictiveHigh
14Filexxx-xxx/xxxxxx/xxxxx.xxpredictiveHigh
15Filexxxxxxxxxxx.xxx.xxxpredictiveHigh
16Filexxxxxxx.xxxpredictiveMedium
17Filexxxxxxxxx.xxxpredictiveHigh
18Filexxxxxx.xxxpredictiveMedium
19Filexxxxxx.xxxpredictiveMedium
20Filexxxx-xxxxxxx.xxxpredictiveHigh
21Filexxxxxxxxx.xxxpredictiveHigh
22Filexxxxx.xxxpredictiveMedium
23Filexxxxxx.xxxpredictiveMedium
24Filexxxxx.xxxpredictiveMedium
25Filexxxx.xxxpredictiveMedium
26Filexxxxxx/xxxxx.xxxpredictiveHigh
27Filexxxxx.xxxpredictiveMedium
28Filexxxx.xxxpredictiveMedium
29Filexxxxxx/xxx/xx/xxx.xxpredictiveHigh
30Filexxxxxx.xxxpredictiveMedium
31Filexxxxxx/xxxxxxxxxxx/xxx/xxxxxxxxxx/xxxx.xxxpredictiveHigh
32Filexxxxxxx_xxxxxx.xxxpredictiveHigh
33Filexxxx.xxxpredictiveMedium
34Filexxxx-xxxxxxxx.xxxpredictiveHigh
35Filexxxx.xxxxxxxxx.xxxpredictiveHigh
36Filexxxxxxxxx.xxxpredictiveHigh
37Libraryxxxxx/xxxxxxxxx/xxxx.xxxxxxxxx.xxxpredictiveHigh
38Argumentxxxxxx:/xxxxxxxx:/xxxxxxxxxxxxxx:predictiveHigh
39Argumentxxx_xxpredictiveLow
40Argumentxxxxxx_xxxxx_xxxxpredictiveHigh
41ArgumentxxxxpredictiveLow
42Argumentxx_xxxxpredictiveLow
43ArgumentxxxxxxxxpredictiveMedium
44Argumentxxxxxxx[xxxxxx]predictiveHigh
45ArgumentxxxxxpredictiveLow
46Argumentxxxxx_xxpredictiveMedium
47Argumentxxxxx_xxxxpredictiveMedium
48ArgumentxxpredictiveLow
49ArgumentxxpredictiveLow
50Argumentxxxx_xxpredictiveLow
51ArgumentxxxxxpredictiveLow
52Argumentxxxxxxxxx_xxxxxxxx_xxxxpredictiveHigh
53Argumentxxxx_xxxxpredictiveMedium
54Argumentxxxxx_xxxx_xxxxpredictiveHigh
55ArgumentxxxpredictiveLow
56Argumentxxxxxxxx_xxpredictiveMedium
57ArgumentxxxxxxxxpredictiveMedium
58ArgumentxxxpredictiveLow
59Argumentxxxx-xxxxxpredictiveMedium
60ArgumentxxxxxxxxpredictiveMedium
61Argumentxxxxxxxx/xxxxxxxxpredictiveHigh
62Input Value<xxxxxx>xxxxx(/xxx/)</xxxxxx>predictiveHigh
63Input Valuexxxxxx_xxxxxxxxpredictiveHigh

References (9)

The following list contains external sources which discuss the actor and the associated activities:

Samples (1)

The following list contains associated samples:

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!