meduza | 7c10d0fcc53a133655f314e48400ddfef9207148bf1c99741abfc2e2a4fafda9 | Triage

Submit
Reports

Overview

overview

Static

static

3

39409db2a7...f4.exe

windows10-2004-x64

Sharing

General

Target

6d704657924328cb2dd07aef0bdb8777.bin
Size

14.5MB
Sample

240410-bvq9zaeh7z
MD5

435fd52f8c905edd8d4ff5015c1d3489
SHA1

9e6706b6f7ae073cdd1d5897c44cf532b2b98d15
SHA256

7c10d0fcc53a133655f314e48400ddfef9207148bf1c99741abfc2e2a4fafda9
SHA512

fe98bf868a6cb9ab80c607ab27e9d9993c2708bf6a7b08fc47a3a66d6084f317de824199f025edb923d831a7067f8ba42986851ab598c48b97492ab25c83847e
SSDEEP

393216:iad1nqzpSMneYKSSoGBthokW+WBkXP8yOWE+4:5dRqVSMnTKSmhoNZwM

Score

10^/10

meduza purelogstealer zgrat collection persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

39409db2a70039e2cc325529debbb9179981287e4e9a259c1ff3b45c1ca9e0f4.exe

Resource

win10v2004-20240226-en

meduza purelogstealer zgrat collection persistence rat stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

meduza

C2

109.107.181.83

Targets

- Target
  
  39409db2a70039e2cc325529debbb9179981287e4e9a259c1ff3b45c1ca9e0f4.exe
- Size
  
  14.5MB
- MD5
  
  6d704657924328cb2dd07aef0bdb8777
- SHA1
  
  b61098798c23791490e459899b3e52948e85b857
- SHA256
  
  39409db2a70039e2cc325529debbb9179981287e4e9a259c1ff3b45c1ca9e0f4
- SHA512
  
  4eb13f851f99a9105ff8386ea0c74b056a10b111c9393ebe4a93ac92c9fa16a24a641e954951b8cbf54d7bf9af2deee605e845b2d954584019eeba95d2b6d407
- SSDEEP
  
  393216:DnZ4GTlYjEYCz35SfXCJdzbSJpnYrkVy/+YrzT43DG9UlpC:d4GyjJaJB/U9MkV8Dn43D0UlpC
Score

10^/10

meduza purelogstealer zgrat collection persistence rat stealer
- Detect ZGRat V1
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
  stealer purelogstealer
- PureLog Stealer payload
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

meduzapurelogstealerzgratcollectionpersistenceratstealer

© 2018-2024

Terms | Privacy