Genel Bakis

Bu ornek, MetaMask kripto cuzdani ve Chrome tarayiciyi hedef alan 84KB'lik uzman bir credential stealer'dir. webextension@metamask.io uzantisini calarken ayni anda Chrome cookie'lerini SQL ile sorgulayan bu malware, Firefox NSS PK11SDR_Decrypt API'si ve Windows DPAPI CryptUnprotectData kullanarak sifreleri cozmektedir.

Teknik Analiz

MetaMask Cuzdani Hedefleme

  • metamask.io domain referansi
  • webextension@metamask.io — MetaMask tarayici uzantisi
  • "webextension@metamask.io":" — Firefox uzanti deposu sorgusu
  • MetaMask tohumunu (seed phrase) cekmek icin uzanti verisi hedefleniyor

Chrome Cookie Calma

SELECT host_key, path, is_secure, expires_utc, name, encrypted_value FROM cookies
  • cookies.txt, Web Data, Login Data
  • CryptUnprotectData — DPAPI ile sifre cozme
  • CryptStringToBinaryA/W, CryptBinaryToStringW

Firefox NSS Sifre Cozme

  • PK11SDR_Decrypt — Firefox master password gecirmeden sifre cozme

Ayricalik Yukseltme

  • OpenProcessToken, DuplicateTokenEx, GetTokenInformation
  • CreateProcessWithTokenW — token ile yeni islem baslatma

Teknik Ozellikler

OzellikValue
FormatPE32 GUI Intel 80386
Size84.480 bayt
HedefMetaMask, Chrome, Firefox
Cookie SQLSELECT ... FROM cookies
Sifre CozmeDPAPI CryptUnprotectData + PK11SDR_Decrypt

IOC Ozeti

  • Email: webextension@metamask.io
  • SHA256: fa6b29b3dc5d47fd549c0cde37077d1b6cb9cfa888ee8923dd3f14c048cf9853

IOC List (2 indicators)

IOC — MetaMask Stealer
# SHA256 fa6b29b3dc5d47fd549c0cde37077d1b6cb9cfa888ee8923dd3f14c048cf9853 # EMAIL webextension@metamask.io
TypeValueNote
sha256 fa6b29b3dc5d47fd549c0cde37077d1b6cb9cfa888ee8923dd3f14c048cf9853
email webextension@metamask.io
Tags
stealermetamaskchromefirefoxcookiesdpapicryptunprotectdatapk11sdrsqlcredentialcrypto-walletextensions