meduza | 4e244fe52a1156a8ea5424413777ff1ba0d73d0f02036b78c258fb8ab3b1ef50

Sharing

Copy URL

Twitter E-mail

General

Target

4e244fe52a1156a8ea5424413777ff1ba0d73d0f02036b78c258fb8ab3b1ef50
Size

6.9MB
MD5

a32d148f21d4ea9fc931077c59ed18f2
SHA1

fbc9dafd237f9f1a7dd1c7abc26985e308295125
SHA256

4e244fe52a1156a8ea5424413777ff1ba0d73d0f02036b78c258fb8ab3b1ef50
SHA512

26e7c1dac269d149b4b8ce9644dc21df499c5beddcea245e717a97da4ab53c10d330d8cf20e8039524dcdd60d139d630ce0af9480ce42885a2aaed1a8a2f129f
SSDEEP

98304:KF3ilqDQQlZH+j8tYEwhL1HEojZesjI8ub5zS3:K0lqXEEwhLeo08uI3

Score

10^/10

meduza

Malware Config

Signatures

Meduza Stealer payload 1 IoCs

Processes:

resource yara_rule

sample family_meduza
Meduza family
meduza

resource	yara_rule
sample	family_meduza

Files

4e244fe52a1156a8ea5424413777ff1ba0d73d0f02036b78c258fb8ab3b1ef50
.exe windows:5 windows x86 arch:x86

256a980809e1717a4e69352a711493b9

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

42:44:02:ab:01:b4:22:4f:31:4b:ca:6b:e1:1f:b8:6a
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

17-09-2018 00:00

Not After

10-10-2020 23:59

Subject

CN=RealVNC Ltd,O=RealVNC Ltd,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10-12-2013 00:00

Not After

09-12-2023 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

42:44:02:ab:01:b4:22:4f:31:4b:ca:6b:e1:1f:b8:6a
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

17-09-2018 00:00

Not After

10-10-2020 23:59

Subject

CN=RealVNC Ltd,O=RealVNC Ltd,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10-12-2013 00:00

Not After

09-12-2023 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

12-01-2016 00:00

Not After

11-01-2031 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

23-12-2017 00:00

Not After

22-03-2029 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

d3:60:25:95:c6:e8:4f:56:9b:e1:61:31:18:79:6c:79:9a:26:5c:94:f1:32:f8:b5:fb:7f:10:ee:9d:0a:be:11
Signer

Actual PE Digest

d3:60:25:95:c6:e8:4f:56:9b:e1:61:31:18:79:6c:79:9a:26:5c:94:f1:32:f8:b5:fb:7f:10:ee:9d:0a:be:11

Digest Algorithm

sha256

PE Digest Matches

true

53:25:f0:13:79:67:51:b8:ce:63:5d:16:03:9d:39:b6:8b:6e:11:2d
Signer

Actual PE Digest

53:25:f0:13:79:67:51:b8:ce:63:5d:16:03:9d:39:b6:8b:6e:11:2d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\jenkins-root\workspace\VNC_6.7.x\label\win-ent\bld32\RelWithDebInfo\vncviewer.pdb

Imports

crypt32

CryptUnprotectData
CryptProtectData
CryptAcquireCertificatePrivateKey
CertGetEnhancedKeyUsage
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertCloseStore
CertOpenStore

ws2_32

WSADuplicateSocketW
WSASocketW
htons
ntohs
WSAEnumNetworkEvents
WSAEventSelect
WSAIoctl
accept
bind
closesocket
ioctlsocket
getsockopt
setsockopt
socket
WSAStartup
WSAConnect
getpeername
getservbyname
getsockname
shutdown
send
recv
select
listen
WSASendTo
WSASend
WSASetLastError
htonl
getservbyport
gethostbyname
gethostbyaddr
ntohl
inet_ntoa
inet_addr
WSAGetLastError

comctl32

ImageList_ReplaceIcon
ImageList_Add
ImageList_Create
ImageList_Destroy
InitCommonControlsEx
_TrackMouseEvent

imm32

ImmGetVirtualKey
ImmGetContext
ImmSetOpenStatus

kernel32

SetCurrentDirectoryW
GetCurrentDirectoryW
CreateDirectoryW
RemoveDirectoryW
GetFileAttributesW
GetFileAttributesExW
DeleteFileW
MoveFileW
LockResource
LoadResource
SizeofResource
FindResourceW
GetComputerNameW
LoadLibraryA
CompareStringW
GetSystemDirectoryW
GetVersionExW
GetTempPathW
GetTempFileNameW
CreateThread
GetCurrentThread
GetThreadTimes
TerminateThread
ResumeThread
OutputDebugStringW
RtlCaptureStackBackTrace
GetModuleHandleExW
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation
GetExitCodeProcess
LocalAlloc
GetSystemInfo
FlushFileBuffers
GetNumberFormatW
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
GetTimeFormatW
GetDateFormatW
ExitProcess
RaiseException
VirtualProtect
VirtualQuery
LoadLibraryExA
UnhandledExceptionFilter
WaitForSingleObjectEx
InitializeCriticalSectionAndSpinCount
CreateNamedPipeW
ConnectNamedPipe
WaitForMultipleObjects
GetUserDefaultLCID
GetLocaleInfoW
FindNextFileW
FindFirstFileW
OpenProcess
CreateProcessW
SetHandleInformation
DuplicateHandle
GetProcessId
SearchPathW
GetCurrentProcess
SetEndOfFile
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetProcAddress
GetCommandLineW
WriteConsoleW
ReadConsoleW
FreeConsole
AllocConsole
GetConsoleMode
SetStdHandle
GetFileType
SetLastError
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
WideCharToMultiByte
MultiByteToWideChar
InterlockedDecrement
InterlockedIncrement
GetModuleHandleW
LocalFree
CancelIo
GetOverlappedResult
WaitForSingleObject
Sleep
GetCurrentThreadId
ExpandEnvironmentStringsW
SetFileAttributesW
CreateFileW
GlobalFree
GlobalAlloc
GlobalUnlock
GlobalLock
GlobalSize
CreateEventW
CloseHandle
ResetEvent
SetEvent
DeleteCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetVolumeInformationW
FindFirstFileA
GetFileAttributesA
GetHandleInformation
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetDriveTypeW
FindClose
GetLogicalDrives
SetErrorMode
GetModuleFileNameW
LoadLibraryW
FreeLibrary
LeaveCriticalSection
ReadFile
WriteFile
GetStdHandle
GetLastError
GetCurrentProcessId
SetFilePointer
HeapSize
FormatMessageW
QueryPerformanceFrequency
LCMapStringW
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwind
InterlockedPushEntrySList
InterlockedFlushSList
EncodePointer
LoadLibraryExW
SetFilePointerEx
GetConsoleCP
GetModuleFileNameA
GetACP
HeapAlloc
HeapFree
IsValidLocale
EnumSystemLocalesW
GetStringTypeW
DecodePointer
SetConsoleCtrlHandler
OutputDebugStringA
HeapReAlloc
SetEnvironmentVariableA
SetEnvironmentVariableW
FindFirstFileExA
FindFirstFileExW
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetSystemDirectoryA

user32

DefWindowProcW
ChangeDisplaySettingsExW
EnumDisplaySettingsW
MonitorFromRect
MonitorFromWindow
GetMonitorInfoW
EnumDisplayMonitors
MsgWaitForMultipleObjects
DefDlgProcW
DestroyWindow
CreateWindowExW
RegisterClassExW
UnregisterClassW
CallWindowProcW
ChangeClipboardChain
SetClipboardViewer
SendMessageTimeoutW
CreateMenu
SetMenu
SetParent
ShowCursor
ScrollWindowEx
GetDoubleClickTime
IsWindowVisible
SetWindowRgn
IsZoomed
CloseClipboard
OpenClipboard
GetClipboardOwner
GetParent
CallNextHookEx
UnhookWindowsHookEx
GetForegroundWindow
MessageBoxW
IsDialogMessageW
EnumChildWindows
SetWindowTextW
EndDialog
DialogBoxParamW
CreateDialogParamW
SetMenuItemInfoW
PeekMessageW
DeleteMenu
GetMenuItemCount
CheckMenuItem
GetMenuState
GetKeyboardLayoutNameW
WindowFromPoint
IsWindowEnabled
PostMessageW
GetCursor
OffsetRect
GetWindowTextLengthW
GetWindowTextW
GetKeyState
GetClipboardData
LoadIconW
GetDesktopWindow
SetForegroundWindow
ReleaseCapture
SetCapture
GetDlgCtrlID
GetWindowPlacement
IsChild
GetMessageW
MapVirtualKeyW
keybd_event
VkKeyScanExW
VkKeyScanExA
ToAsciiEx
GetAsyncKeyState
GetKeyboardLayoutList
ToUnicodeEx
SendInput
mouse_event
SetWindowsHookExW
PostThreadMessageW
PostQuitMessage
GetSystemMetrics
GetCursorPos
SendMessageW
GetSystemMenu
EnableMenuItem
GetDlgItem
EnableWindow
ShowWindow
SetWindowPos
DrawTextW
BeginPaint
EndPaint
GetClientRect
GetClassNameW
GetWindowRect
TranslateMessage
DispatchMessageW
GetWindowLongW
CreateIconIndirect
RegisterWindowMessageW
RedrawWindow
KillTimer
InsertMenuItemW
SetTimer
GetComboBoxInfo
InflateRect
DrawFocusRect
DrawFrameControl
GetKeyboardState
GetKeyboardLayout
MapWindowPoints
SetCursor
MessageBeep
AdjustWindowRectEx
UpdateWindow
IsIconic
FrameRect
GetAncestor
GetNextDlgTabItem
SystemParametersInfoW
FillRect
ReleaseDC
GetWindowDC
GetDC
GetScrollInfo
SetScrollInfo
DrawIconEx
DestroyIcon
LoadCursorW
GetSysColorBrush
ScreenToClient
ClientToScreen
InvalidateRect
SetMenuDefaultItem
TrackPopupMenu
AppendMenuW
DestroyMenu
CreatePopupMenu
GetMessagePos
RegisterClipboardFormatW
GetSysColor
GetFocus
SetFocus
EmptyClipboard
SetClipboardData
GetWindowThreadProcessId
GetOpenClipboardWindow
SetWindowLongW

gdi32

StretchBlt
GetClipBox
CreateDCW
CreateCompatibleDC
CreateDIBSection
GdiAlphaBlend
SetPixelV
CreateBitmap
SetMapMode
GetTextExtentPoint32W
CreateFontIndirectW
GetTextMetricsW
CreateRectRgnIndirect
ExcludeClipRect
GetPixel
PatBlt
GetCharWidthW
SetBrushOrgEx
SetWindowOrgEx
SetStretchBltMode
SetRectRgn
SetPaletteEntries
SelectPalette
RealizePalette
OffsetRgn
GetRegionData
GetRandomRgn
CreateRectRgn
CreatePalette
CombineRgn
BitBlt
GetObjectW
RoundRect
CreateSolidBrush
CreateCompatibleBitmap
SetBkColor
Rectangle
GetStockObject
CreateBrushIndirect
MoveToEx
LineTo
DeleteObject
CreatePen
StretchDIBits
GetDeviceCaps
EndPage
StartPage
EndDoc
StartDocW
ResetDCW
DeleteDC
SetTextColor
SetBkMode
GetDIBits
SetDIBColorTable
SelectObject

shell32

SHGetFolderPathW
SHGetMalloc
SHAddToRecentDocs
SHFileOperationW
Shell_NotifyIconW
ord74
SHGetPathFromIDListW
ShellExecuteW
SHBrowseForFolderW
SHGetFileInfoW
SHGetDesktopFolder

ole32

CoTaskMemFree
OleGetClipboard
ReleaseStgMedium
OleSetClipboard
CoTaskMemAlloc
CoMarshalInterThreadInterfaceInStream
CoGetInterfaceAndReleaseStream
CoCreateInstance
PropVariantClear
OleInitialize
RegisterDragDrop
DoDragDrop
CoTaskMemRealloc
CoInitializeSecurity
OleUninitialize
CoUninitialize
CoInitializeEx
CoSetProxyBlanket

oleaut32

SafeArrayGetDim
SysFreeString
SysAllocString
SafeArrayGetElement
VariantClear

comdlg32

CommDlgExtendedError
GetSaveFileNameW
GetOpenFileNameW

advapi32

DeregisterEventSource
CreateProcessAsUserW
OpenProcessToken
EqualSid
CryptReleaseContext
CryptSetProvParam
CryptCreateHash
CryptHashData
CryptDestroyHash
RegCloseKey
CryptGenRandom
CryptAcquireContextW
MakeAbsoluteSD
MakeSelfRelativeSD
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorSacl
SetSecurityDescriptorDacl
GetSecurityDescriptorControl
GetSecurityDescriptorLength
InitializeSecurityDescriptor
SetEntriesInAclW
GetAclInformation
InitializeAcl
LookupAccountNameW
LookupAccountSidW
CopySid
GetLengthSid
GetSidIdentifierAuthority
FreeSid
AllocateAndInitializeSid
IsValidSid
CreateProcessWithLogonW
LogonUserW
GetTokenInformation
ReportEventW
RegisterEventSourceW
RegCreateKeyExW
GetUserNameW
SetNamedSecurityInfoW
GetNamedSecurityInfoW
SetSecurityInfo
GetSecurityInfo
RegSetValueExW
RegQueryValueExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegNotifyChangeKeyValue
RegOpenKeyExW
RegQueryInfoKeyW
CryptSignHashW

Sections

.text
Size: 4.5MB - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 70KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 838KB - Virtual size: 838KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 274KB - Virtual size: 273KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

256a980809e1717a4e69352a711493b9

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

42:44:02:ab:01:b4:22:4f:31:4b:ca:6b:e1:1f:b8:6aCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

42:44:02:ab:01:b4:22:4f:31:4b:ca:6b:e1:1f:b8:6aCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate

Extended Key Usages

Key Usages

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12Certificate

Extended Key Usages

Key Usages

d3:60:25:95:c6:e8:4f:56:9b:e1:61:31:18:79:6c:79:9a:26:5c:94:f1:32:f8:b5:fb:7f:10:ee:9d:0a:be:11Signer

53:25:f0:13:79:67:51:b8:ce:63:5d:16:03:9d:39:b6:8b:6e:11:2dSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

crypt32

ws2_32

comctl32

imm32

kernel32

user32

gdi32

shell32

ole32

oleaut32

comdlg32

advapi32

Sections

.text Size: 4.5MB - Virtual size: 4.5MB

.rdata Size: 1.2MB - Virtual size: 1.2MB

.data Size: 70KB - Virtual size: 104KB

.rsrc Size: 838KB - Virtual size: 838KB

.reloc Size: 274KB - Virtual size: 273KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

42:44:02:ab:01:b4:22:4f:31:4b:ca:6b:e1:1f:b8:6a
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

42:44:02:ab:01:b4:22:4f:31:4b:ca:6b:e1:1f:b8:6a
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

d3:60:25:95:c6:e8:4f:56:9b:e1:61:31:18:79:6c:79:9a:26:5c:94:f1:32:f8:b5:fb:7f:10:ee:9d:0a:be:11
Signer

53:25:f0:13:79:67:51:b8:ce:63:5d:16:03:9d:39:b6:8b:6e:11:2d
Signer

.text
Size: 4.5MB - Virtual size: 4.5MB

.rdata
Size: 1.2MB - Virtual size: 1.2MB

.data
Size: 70KB - Virtual size: 104KB

.rsrc
Size: 838KB - Virtual size: 838KB

.reloc
Size: 274KB - Virtual size: 273KB