General

  • Target

    clik.exe

  • Size

    14.1MB

  • Sample

    240430-rq7zxsaf55

  • MD5

    a2db986f46fc915b6b9b65d0d8b2c92f

  • SHA1

    2aca2a24c33ea49c99365438cf4eee6c42fa73ed

  • SHA256

    53bcea75646e0a3ff08fea4990c0e3458eb5b518bfdd907444485499803ba25d

  • SHA512

    3e7346aba18a18c0e2fcb57baf2822cca67da175c8b7dfd675b1b5cd78092051e7443eac156a954297c16623f9c74cad4347ef015682282bec57fb056435652d

  • SSDEEP

    393216:PXIJM3GodH2ThNzd4VQpier42zXfDmITsttRugNId:fUuozdshA4iXf/iuFd

Malware Config

Extracted

Family

meduza

C2

109.107.181.83

Targets

    • Detect ZGRat V1

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15