Extracted

Extracted

Extracted

• • Target

    config.lnk.mal.lnk

  • Size

    1KB

  • MD5

    c6d3234e6d234ac35340b68402d65f7d

  • SHA1

    b6af26d59817c43729d48c46b9a4feee284f94eb

  • SHA256

    85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61

  • SHA512

    78794b7a77cd027b8dce320b6d1aaf918600a2d5c350ee676c705700a739fe7e55104ba29475ef6555adce4fec2ba0f13b0c9ca10d9730b7d8cfa44632d460b4

  Score

  10^/10

  meduzacollectiondefense_evasiondiscoveryexecutionspywarestealer

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza

  • Meduza Stealer payload

  • Meduza family

    meduza

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Indirect Command Execution

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    defense_evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2