General

  • Target

    phantom.exe

  • Size

    5.5MB

  • Sample

    240419-pfdl8ace7v

  • MD5

    e659b6b749fca9d7e3f180d4ab7ab9e7

  • SHA1

    0b1e82833c266eed2d2674360eb2a99c7abab798

  • SHA256

    a162e0a322aaa6aa33b9f612d1c4821e53c1ecb6f1eacea332c6a00fd5ceec6f

  • SHA512

    ccaff427db8a1c8914840b80da5d08fc3c31be6f88e09666d0245e41e8090ac4ebb46172b0ed1c6fa54ea86251874ca2345370c8ea9e3750ab32890a257ed38f

  • SSDEEP

    98304:8tt1lBiCkK4x/kWVVjMZQf5bhDvnuTtCOPjqDb9teNYWcWQ38UfxE/wzEP7Svg:8tt1lBi/K4x/kuVjMs5bhDctCOru9teb

Malware Config

Extracted

Family

meduza

C2

109.107.181.83

Targets

    • Target

      phantom.exe

    • Size

      5.5MB

    • MD5

      e659b6b749fca9d7e3f180d4ab7ab9e7

    • SHA1

      0b1e82833c266eed2d2674360eb2a99c7abab798

    • SHA256

      a162e0a322aaa6aa33b9f612d1c4821e53c1ecb6f1eacea332c6a00fd5ceec6f

    • SHA512

      ccaff427db8a1c8914840b80da5d08fc3c31be6f88e09666d0245e41e8090ac4ebb46172b0ed1c6fa54ea86251874ca2345370c8ea9e3750ab32890a257ed38f

    • SSDEEP

      98304:8tt1lBiCkK4x/kWVVjMZQf5bhDvnuTtCOPjqDb9teNYWcWQ38UfxE/wzEP7Svg:8tt1lBi/K4x/kuVjMs5bhDctCOru9teb

    • Detect ZGRat V1

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks