meduza | 2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d

General

Target

2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe
Size

2.5MB
MD5

7ec668c3b4c15673fba630de189fb498
SHA1

374c51e20c296bcf6de38c069617576d947a6044
SHA256

2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d
SHA512

8999cdbd5bd744f5b933e412d98bf190f81a42ce005aa22da66d0007dab781c6d1a70eb70ceadbbf2cdb43e93186e00c751a75eb27701cf46f9c67504dde770a
SSDEEP

49152:RAhSsz4fvLn4bJphafC8WzffFP30EaInD0Qy:U3zffFMEaCD0

Score

10^/10

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2508-0-0x0000027526B70000-0x0000027526C58000-memory.dmp	family_meduza

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

Email Collection

Processes:

2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

pid	process
2508	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe
2508	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

outlook_office_path 1 IoCs

Processes:

2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

outlook_win_path 1 IoCs

Processes:

2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d.exe