File name:	EonVPNSetup.exe
Full analysis:	https://app.any.run/tasks/96f05c92-5990-4dbc-94b5-b4c9d7abd720
Verdict:	Malicious activity
Threats:	MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Malware Trends Tracker >>>
Analysis date:	February 07, 2025, 17:41:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netreactor metastealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	77E1AAE69BC102022A5DAFDA5990BAE3
SHA1:	0483823BED14678EE39ADEB44B3CBFAD9DC9F09A
SHA256:	0081AE05F460B1AC62C02B42CA548FF9756FE4533D487AB2E82E0AF25D00F663
SSDEEP:	98304:g1svXJG6gIS6LdN/HwWcT3/FPEDOzuJl/g0VE/nxT+038prUbh5qjLkvf04dCgVA:UUuOk+BGk

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:03:22 22:14:43+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	314368
InitializedDataSize:	364544
UninitializedDataSize:	-
EntryPoint:	0x302e5
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2.1.0.0
ProductVersionNumber:	2.1.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	-
FileDescription:	EonVPN
FileVersion:	2.1.0.0
InternalName:	setup
LegalCopyright:	Copyright (c). All rights reserved.
OriginalFileName:	eonvpn_setup.exe
ProductName:	EonVPN
ProductVersion:	2.1.0.0


(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	BundleCachePath
Value: C:\ProgramData\Package Cache\{47055cfd-4e71-46c7-b696-0cbbb901d865}\eonvpn_setup.exe
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	BundleUpgradeCode
Value: {6F330B47-2577-43AD-9095-1861BB25844B}
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	BundleAddonCode
Value:
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	BundleDetectCode
Value:
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	BundlePatchCode
Value:
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	BundleVersion
Value: 2.1.0.0
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	VersionMajor
Value: 2
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	VersionMinor
Value: 1
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	BundleProviderKey
Value: {47055cfd-4e71-46c7-b696-0cbbb901d865}
(PID) Process:	(5748) eonvpn_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{47055cfd-4e71-46c7-b696-0cbbb901d865}
Operation:	write	Name:	BundleTag
Value:

PID	Process	Filename		Type
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\mbahost.dll		executable
		MD5:E3471734DF4345B4EC9F60333A96982B	SHA256:D728E7449243BC7099890BADB6FAE3F2B082A80D9C950E498051F89A65D48687
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\mbapreq.dll		executable
		MD5:87C8A7EA44E8EE0D9358E25B7DCD397D	SHA256:B7DE0A0CA3A94738747ABD708E30BA1F9638A8C8B7D8173C76D4F39FAE3D9346
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\mbapreq.png		image
		MD5:A356956FD269567B8F4612A33802637B	SHA256:A401A225ADDAF89110B4B0F6E8CF94779E7C0640BCDD2D670FFCF05AAB0DAD03
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\mbapreq.thm		xml
		MD5:A20778EC90A094A62A6C3A6AB2A6DC7D	SHA256:F8C3A03F47F0B9B3C20F0522A2481DA28C77FECDBB302F8DD8FBED87758CBAEA
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\1029\mbapreq.wxl		xml
		MD5:CC8C6D04DC707B38E0F0C08BA16FE49B	SHA256:DC445E2457ED31ABF536871F90FF7CC96800A40B6BC033F37D45E3156A3B4FA9
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\1028\mbapreq.wxl		xml
		MD5:1D4B831F77EFEC96FFBC70BC4B59B8B5	SHA256:1B93556F07C35AC0564D57E0743CCBA231950962C6506C8D4A74A31CD66FD04C
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\mbapreq.wxl		xml
		MD5:4D2C8D10C5DCCA6B938B71C8F02CA8A8	SHA256:C63DE5F309502F9272402587A6BE22624D1BC2FEACD1BD33FB11E44CD6614B96
5128	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{EE81BAE3-5CD0-45E2-8118-9D2AB1647001}\.cr\EonVPNSetup.exe		executable
		MD5:56FA90831933E6CF5BB1E5513475C0FB	SHA256:8D57C25A27206EFEBEF5790BBA8821D02C6D04D59951D773769A6F3364BD53F1
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\1031\mbapreq.wxl		xml
		MD5:C8E7E0B4E63B3076047B7F49C76D56E1	SHA256:631D46CB048FB6CF0B9A1362F8E5A1854C46E9525A0260C7841A04B2316C8295
3172	EonVPNSetup.exe	C:\Users\admin\AppData\Local\Temp\{7F4FF819-A401-4ECF-BAFB-AC263CE3F52A}\.ba\1032\mbapreq.wxl		xml
		MD5:074D5921AF07E6126049CB45814246ED	SHA256:B8E90E20EDF110AAAAEA54FBC8533872831777BE5589E380CFDD17E1F93147B5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.145:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	—	45.11.36.254:443	https://s3.eu-central-003.backblazeb2.com/public-bucket-23581/eonvpn/EonVPN_Common_2.1.0.0.zip	unknown	—	—	—
—	—	GET	—	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	172.67.212.27:443	https://api.eonvpn.com/app_versions/check_update?current_version=2.1.0.0&device_uuid=3b81d71a-0a6b-424a-ae6b-7f6faa247844&ws_identifier=&environment=production&app_version=2.1.0.0	unknown	binary	868 b	—
—	—	GET	302	104.21.85.237:443	https://api.eonvpn.com/app_versions/download_package/AltNZ3SxPdBFzQ?environment=production	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.145:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
372	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3976	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208 40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.184.238	whitelisted
crl.microsoft.com	23.48.23.145 23.48.23.147 23.48.23.140 23.48.23.195 23.48.23.138 23.48.23.142 23.48.23.135 23.48.23.139 23.48.23.150	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
api.eonvpn.com	172.67.212.27 104.21.85.237	unknown
s3.eu-central-003.backblazeb2.com	45.11.38.254 45.11.37.254 45.11.39.254 45.11.36.254	unknown
self.events.data.microsoft.com	20.189.173.3	whitelisted

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2088	EonVPNInstaller.exe	Not Suspicious Traffic	INFO [ANY.RUN] B2 Cloud Storage (.backblazeb2 .com)

General Info

EonVPNSetup.exe

77E1AAE69BC102022A5DAFDA5990BAE3

0483823BED14678EE39ADEB44B3CBFAD9DC9F09A

0081AE05F460B1AC62C02B42CA548FF9756FE4533D487AB2E82E0AF25D00F663

98304:g1svXJG6gIS6LdN/HwWcT3/FPEDOzuJl/g0VE/nxT+038prUbh5qjLkvf04dCgVA:UUuOk+BGk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

METASTEALER has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Creates a software uninstall entry

Starts itself from another location

Searches for installed software

Uses TASKKILL.EXE to kill process

INFO

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Creates files in the program directory

Reads the software policy settings

Disables trace logs

Checks proxy server information

.NET Reactor protector has been detected

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings