meduza

General

Target

doc.rar
Size

36KB
Sample

240909-r5lp8stdmj
MD5

c7c365fcec491a75854608edb692bb9e
SHA1

44e7d2400584f163a934183702bcc50c632d87fa
SHA256

49c4fb1f92aa13d8791f43cfc039c549ad3fad7ebf115373593557dce07624c3
SHA512

a33828b574e21491ff2e8a2b51aa536108fcb713922033aec75250a993cd160d0369da2978021441651926d120a52d4c05aa0ae4a5f90e67afb55f0fd3fe9733
SSDEEP

768:iwopqcEvXZynUwuqegpQsGCALm9FWkAhHj2UKAUvWQBbJbicuv5ulv6zFS:iGxXZjwNGCALGokg6OLcQulyz4

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

one

C2

101.99.93.144:4899

101.99.93.144:8080

101.99.93.144:2404

101.99.93.144:80

101.99.93.144:465

101.99.93.144:50255

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmc
mouse_option
false
mutex
goosddfvv-L97IFZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  scan_privatbank_94638939.pdf
- Size
  
  25KB
- MD5
  
  8ea62c288f233a6009f2f8b3820455a1
- SHA1
  
  72c019ca26cfad9bb7fe46f370e8d8d1aa8e795d
- SHA256
  
  4ea5b6a86864c79e0460e57509c8174b061b2a8a715377028384acbd31196dbc
- SHA512
  
  767d03e7c02a435bb6e4ae6c3d361ff1c1a6602fb8c14ef1b3bfc8f8c3b51b56efee45ed927bd449d712ef00121c5881f36a8266377dfad56e5413a46f5354f8
- SSDEEP
  
  768:yWIl/JQ6z04wx0CIyDTyXAB9n6g/qLl1uYnAr:85cx06DTyQHFfZ
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Копія з позначкою банку.vbs
- Size
  
  15KB
- MD5
  
  ab1766e20f7dcd989dbe5178f79f1021
- SHA1
  
  13c6d022745280d08981a625ab810b0f0400a10c
- SHA256
  
  f3d1ba12a5642f65761296e6b5c32c5293864c8413c5fb31d2879b82ac11d298
- SHA512
  
  c2f4e3447566451551afcf87ccdf5fc2b6ac7af3d9f31b244c103efa40171d6f3c689ebdda7fdd3bb8a744c0d9a4979e86e1cd0a432a5867667f87a108a9963c
- SSDEEP
  
  192:X9Wmqq87qxnoIqCglHyGpItEBgGAoBgD4aM8PjQ97rMM0t/lTd7Ee82FPJQR0cG6:XEmqttNSuBQ2MLPj87OPJmxNSiMFpWB
Score

10^/10

execution meduza collection credential_access discovery spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  Платіжне доручення.vbs
- Size
  
  15KB
- MD5
  
  2e401b1d91dfbbb5d3cba4355ed4063c
- SHA1
  
  f19912aca503f7ff3519b29e375d4bdc1debfb5b
- SHA256
  
  ff1cfb2ff5cec597bd7163ab40e8e33b4729eddd1a76e13b8f759a9b0ff35afc
- SHA512
  
  372b48bdd2604c21a0f6c04b2c43e4ca38a8683c64a4ca86ba2a9c53eb8faf1228cce369f7ca8a86228c8d0a35bcc47d8c5d720f20e150cd66ce26788496d22a
- SSDEEP
  
  192:hkcxFVie0Z1xncP4GEs/rxNq6yyMcIEGd0B/7919GQO7uck+ZcGPJZMxu2hlYF9J:hkcR/Cs+0cVej919GrWgPJmxNSiMFpWc
Score

10^/10

execution remcos one discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral5 behavioral6