S1059 · threatengine.sh

Home/Malware/metaMain

Malware

metaMain

S1059 · Windows

metaMain is a backdoor used by Metador to maintain long-term access to compromised machines.

it has also been used to decrypt Mafalda into memory.

ATT&CK S1059 Malware family

Sigma rules0 YARA rules0 Live IOCs0

▤

Techniques Used

ATT&CK techniques this malware is documented performing. Each links to its detections - Sigma, vendor SIEM rules, and analytics - so you catch the behaviour even when the binary changes.
T1005Data from Local System · detections ↗
T1027.013Encrypted/Encoded File · detections ↗
T1033System Owner/User Discovery · detections ↗
T1041Exfiltration Over C2 Channel · detections ↗
T1055Process Injection · detections ↗
T1056Input Capture · detections ↗
T1056.001Keylogging · detections ↗
T1057Process Discovery · detections ↗
T1070.004File Deletion · detections ↗
T1070.006Timestomp · detections ↗
T1071.001Web Protocols · detections ↗
T1074.001Local Data Staging · detections ↗
T1082System Information Discovery · detections ↗
T1083File and Directory Discovery · detections ↗
T1090.001Internal Proxy · detections ↗
T1095Non-Application Layer Protocol · detections ↗
T1105Ingress Tool Transfer · detections ↗
T1106Native API · detections ↗
T1112Modify Registry · detections ↗
T1113Screen Capture · detections ↗
T1140Deobfuscate/Decode Files or Information · detections ↗
T1205.001Port Knocking · detections ↗
T1497.003Time Based Checks · detections ↗
T1546.003Windows Management Instrumentation Event Subscription · detections ↗
T1560.003Archive via Custom Method · detections ↗
T1573.001Symmetric Cryptography · detections ↗
T1574.001DLL · detections ↗
T1620Reflective Code Loading · detections ↗

⚊

Live Indicators

Indicators are defanged for safe handling. Newest first.

Aliases

metaMain

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Malpedia MalwareBazaar ThreatFox