meduza | e450ca946d4bf6173ebe3f00c3d08d81[.]bin

Sharing

Copy URL

Twitter E-mail

General

Target

e450ca946d4bf6173ebe3f00c3d08d81.bin
Size

402KB
MD5

65603b2126f0f6b0858979ff7d95ca74
SHA1

4d25a1aa0a06eaad27f93bd013dc11d304f216c2
SHA256

d278aa079205cf4bb605de28bc6d6eca5a63b4cdd9d0c7488c40945d2b90b0a0
SHA512

55eb708f7506b6eea7abb83e7fb8d0adae5a4bb20c64d9446c8609fdfc40c730c24e2a46144ab5ae97880460692fb67aaf5b8d72441da9f722bec6a11a7cad67
SSDEEP

12288:b4EVLllbzI6QoKD4sBVQKACTITZJ1Ls/mST:5BHsnoKD5XTi4

Score

10^/10

meduza

Malware Config

Signatures

Meduza Stealer payload 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff.exe	family_meduza

Meduza family
meduza

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff.exe

Files

e450ca946d4bf6173ebe3f00c3d08d81.bin
.zip

Password: infected
44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff.exe
.exe windows:6 windows x64 arch:x64

Password: infected

f82d1586094622bb592b2c4ed0e8dfb3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

WSACleanup
htons
inet_pton
WSAStartup
send
socket
connect
recv
closesocket

crypt32

CryptUnprotectData

wininet

InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoW
InternetCloseHandle
InternetOpenUrlA
InternetOpenA

ntdll

NtQueryObject
NtQuerySystemInformation

rstrtmgr

RmStartSession
RmEndSession
RmGetList
RmRegisterResources

kernel32

FindFirstFileW
FindNextFileW
FindClose
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
LoadLibraryA
Process32FirstW
CloseHandle
GetSystemInfo
GetProcAddress
ReadProcessMemory
FreeLibrary
VirtualQueryEx
MultiByteToWideChar
LocalFree
WideCharToMultiByte
TerminateProcess
GetModuleFileNameW
CreateMutexA
ReleaseMutex
OpenMutexA
ExitProcess
ReadFile
GetModuleFileNameA
GetVolumeInformationW
GetGeoInfoA
HeapFree
EnterCriticalSection
GetCurrentProcess
GetProcessId
GetProductInfo
LeaveCriticalSection
SetFilePointer
InitializeCriticalSectionEx
FreeEnvironmentStringsW
GetModuleHandleA
HeapSize
GetLogicalDriveStringsW
GetFinalPathNameByHandleA
GetTimeZoneInformation
GetLastError
HeapReAlloc
GetNativeSystemInfo
HeapAlloc
GetUserGeoID
DecodePointer
GetFileSize
DeleteCriticalSection
GetComputerNameW
GetProcessHeap
GlobalMemoryStatusEx
GetModuleHandleW
GetEnvironmentStringsW
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
IsProcessorFeaturePresent
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualAlloc
VirtualProtect
VirtualQuery
GetCurrentThreadId
GetStdHandle
GetFileType
GetStartupInfoW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
LoadLibraryExW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileSizeEx
SetFilePointerEx
FlushFileBuffers
WriteFile
GetConsoleOutputCP
GetConsoleMode
ReadConsoleW
RaiseException
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetStringTypeW
SetEndOfFile
SetStdHandle
CreateFileW
WriteConsoleW
OutputDebugStringW
SetEnvironmentVariableW
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
QueryPerformanceCounter
InitializeSListHead
RtlUnwindEx
RtlUnwind
RtlPcToFileHeader
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CompareStringEx
LCMapStringEx
IsDebuggerPresent
GetCommandLineA
GetCommandLineW
RtlVirtualUnwind
GetModuleHandleExW
GetFileInformationByHandleEx
AreFileApisANSI
GetFileAttributesExW
FindFirstFileExW
GetCurrentDirectoryW
GetLocaleInfoEx
FormatMessageA

user32

GetWindowRect
GetDC
EnumDisplayDevicesW
ReleaseDC
GetSystemMetrics
GetDesktopWindow

gdi32

CreateCompatibleBitmap
SelectObject
CreateCompatibleDC
GetDeviceCaps
DeleteDC
GetObjectW
DeleteObject
BitBlt

advapi32

GetCurrentHwProfileW
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
GetUserNameW
RegEnumKeyExA
CredEnumerateA
CredFree

shell32

SHGetKnownFolderPath

ole32

CoTaskMemFree
CreateStreamOnHGlobal

shlwapi

ord214
ord213
ord184

gdiplus

GdipCloneImage
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdiplusStartup
GdipAlloc
GdipGetImageEncoders
GdipCreateBitmapFromScan0
GdipSaveImageToStream
GdipGetImageEncodersSize
GdipFree

Sections

.text
Size: 729KB - Virtual size: 728KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 149KB - Virtual size: 148KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

f82d1586094622bb592b2c4ed0e8dfb3

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

crypt32

wininet

ntdll

rstrtmgr

kernel32

user32

gdi32

advapi32

shell32

ole32

shlwapi

gdiplus

Sections

.text Size: 729KB - Virtual size: 728KB

.rdata Size: 149KB - Virtual size: 148KB

.data Size: 8KB - Virtual size: 17KB

.pdata Size: 23KB - Virtual size: 23KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 729KB - Virtual size: 728KB

.rdata
Size: 149KB - Virtual size: 148KB

.data
Size: 8KB - Virtual size: 17KB

.pdata
Size: 23KB - Virtual size: 23KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 3KB - Virtual size: 2KB