meduza

Sharing

Copy URL

Twitter E-mail

General

Target

Launcher.zip
Size

5.6MB
Sample

241003-wmypasyfkq
MD5

3bafb9dc32cf60f0eb4ddab0d90299d7
SHA1

28cda0f9f0d5d4a3bd244857431853adfe84f1c5
SHA256

57254b0a2702fa00ca5fffe1839106a5f9cf582ac48152955ed100fe00935b59
SHA512

c15e28a76ab1bdb237a9e9ad56357688959359dc537fc4411f07bcc92f2b1749c3e92bc3e922c823efa6ebcd4fa5752c84fd86a4f3009d3ae0857e1be84feb55
SSDEEP

98304:c5M1ediySTFV/E8gKPQKgesLhqH3itnhF09n7DHpgnZ5c0rbILBBATb:IM1Oi3bER4Q9Ciz0N7DOZ55/ILBBATb

Score

10^/10

Malware Config

Extracted

Family

meduza

109.107.181.162

Targets

- Target
  
  Launcher/Launcher.exe
- Size
  
  810KB
- MD5
  
  7f3587a7b13053d1a827d74ed6783c59
- SHA1
  
  f34454fe0873e07a7c45b76173873e88eb7baf35
- SHA256
  
  cf8a506f3cf42a271bfa342941dfdedf9e05dde1b4061e421df4730d7a0a4c7e
- SHA512
  
  7da24433f46df699332721e0449f618208b60225d4b4fcd957d40ab2806ca6f0ea65375766a529411f73994b334c83d05c256a6e46a968e2b94d751384c11be8
- SSDEEP
  
  12288:MVYUeD1zgrmoxdGxa1PI+QDXMZ6GQ6ov2m+UtbVkGDvAd1slDXg:y+1UrmyWalINbQUv2gVbAdgDXg
Score

10^/10

meduza collection discovery spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Launcher/libffi-8.dll
- Size
  
  38KB
- MD5
  
  0f8e4992ca92baaf54cc0b43aaccce21
- SHA1
  
  c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
- SHA256
  
  eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
- SHA512
  
  6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
- SSDEEP
  
  768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
Score

1^/10
behavioral3 behavioral4
- Target
  
  Launcher/libssl-3.dll
- Size
  
  768KB
- MD5
  
  19a2aba25456181d5fb572d88ac0e73e
- SHA1
  
  656ca8cdfc9c3a6379536e2027e93408851483db
- SHA256
  
  2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
- SHA512
  
  df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337
- SSDEEP
  
  12288:ytPc2nnGoNg4kSHoxX09yO5EavUFe9Xb12:y9jnnpTHoxXUsFe9XbM
Score

1^/10
behavioral5 behavioral6
- Target
  
  Launcher/python312.dll
- Size
  
  6.7MB
- MD5
  
  550288a078dffc3430c08da888e70810
- SHA1
  
  01b1d31f37fb3fd81d893cc5e4a258e976f5884f
- SHA256
  
  789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d
- SHA512
  
  7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723
- SSDEEP
  
  49152:mz0oCxOqKWneF3o1VLCClOTNRpaOviXEYWyb3eOYTvuFsx/iac84YNFXiTlv5WF4:mooCcqKLHX+az2Ro8Kv7HDMiEB/
Score

1^/10
behavioral7 behavioral8
- Target
  
  Launcher/resource/scripts/vscripts/_items.nut
- Size
  
  411KB
- MD5
  
  5fa2f4f4aa23f69965e9f1cd6e5a5ba2
- SHA1
  
  49f54a067f01f06e785a91d1240aac7705a7e479
- SHA256
  
  28cd4b31ae100c3188fe324de04611315c127e70010d4a750da46c105bfad92d
- SHA512
  
  07606a5f0c04560d4bd42f0d878520ddb7d2eed48384ac46f1e6dc0c82854f293fbd9338d8e1ee4151ed064922d8410887abbb722fd0d586d9353f800809168c
- SSDEEP
  
  6144:SnXh9tDZngabFboarZnYG/nNQ67FzYmTx3cGTB3YG5JnNE/d/CXtX615jmNdl8nD:WwOav/zwAlHVtG6F
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  Launcher/resource/scripts/vscripts/sp/cl_pilot_speedometer.gnut
- Size
  
  982B
- MD5
  
  5bf7669661a2ba4e234bcbb3835ed48d
- SHA1
  
  aee91fdc19aca051def3db35559c49024b8adde9
- SHA256
  
  1a4ec84dc9aa9d5767dda19bdfad87a265bd79e9aa01a2102dd90913da36b6a2
- SHA512
  
  25f8bfecc7546eab9e89d6d34cee163868e9d71cb2b540be8ee6373dd663a50e0f949892b0b344894c8a56742a889b58f57641da7882c6135c1a02f23c1d3c73
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  Launcher/resource/scripts/vscripts/sp/cl_sp_hud.gnut
- Size
  
  7KB
- MD5
  
  ac771321dd3ee2a03a6aec4648ebaa81
- SHA1
  
  751752c185a4ba47c7963f14526a1d3501684a4c
- SHA256
  
  91b3ece4da76c74de06b0a8310586405b6dcd2ef092e29eeddef3cbc96019dca
- SHA512
  
  8c84823603822a6be4c3f731b6bf69b22360d7de88acb4e2a2e838b674052be0b6cdd71f4cab071dd9f9bac90c8ec40cc4323b1162e4f158a6b54b355abdeb99
- SSDEEP
  
  192:0Q56Cw1QaccA9uqM7Kp/wF6AoqA3fZunvrwy0jXTYN:0Q56Cw1fccA9ubq/k6BZ3fZuvrwy0jXU
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  Launcher/resource/scripts/vscripts/ui/_menus.nut
- Size
  
  54KB
- MD5
  
  698c8d7a0c9f41159a25effc3fee4988
- SHA1
  
  8122e951b3a1fc3939084edb28f7d81e1a263408
- SHA256
  
  8f5b4c45d0fb3ee449367af68af5164784a7076c0b57b0c4bdba4cab7fb16d3b
- SHA512
  
  650bf7ada9f471820f1995b64b0b890c5e21abf1b253307f4571c5d569c9532bf10409c031e340305daa9c17e8845b6df3c13c03eb6c566d11900e0dc533625c
- SSDEEP
  
  1536:7QW2qnZCKsRRdNtNXKMQIiKEex25upzdh4wYqnH3DhEy6RoVlPbQhxSlWlNTXOT:eqZCNRRdNtNXKMQhKEex25upzdh4wYqr
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  Launcher/resource/scripts/vscripts/ui/menu_advanced_hud.nut
- Size
  
  7KB
- MD5
  
  0ea22fb3e339c47074e9f1b57264eb98
- SHA1
  
  d695d1d55214b2a041b953b85aa14b88c8910a33
- SHA256
  
  0da23cde01334c76228710b540307c7a7a81cd72cd7483d04281eba790b20b83
- SHA512
  
  5e33ae72cfb6bece52fc2fa40259c119986f5a65ddc048227ba8e97ad3996e5c1aa060c4e9c07c67633b73b328f7b9b96acf8f9c993c3b6dc9332926ccdf0899
- SSDEEP
  
  192:Mx3AFVAFBkxoepbw8nQ+z2Q+Kf8pcs2HbL9IN:Mx3MVMBkxoexwqPjv7L9IN
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  Launcher/resource/scripts/vscripts/ui/menu_audio_settings.nut
- Size
  
  3KB
- MD5
  
  0445bd8b245934c11d368c7a8438e6a0
- SHA1
  
  e70383d812e043b94046d4612997b84a49af0b8f
- SHA256
  
  8a0f8d0e2f7613f56d61cd2514005bc72c0d64af7ea72f51f4492a290d45016e
- SHA512
  
  1f4eb9e58d5f6f02bda0b0abc3fe089252a1cd49a7ac6c17bcb24ea2181fe2ab6e99691bd772323d33fa226c9dba7ff22c72587840fb154d69119b6781c841e0
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  Launcher/resource/scripts/vscripts/ui/menu_controls.nut
- Size
  
  9KB
- MD5
  
  0b642bfef275045db16f345e2754f3c6
- SHA1
  
  dec735293fed2586e1300899f70836dfa71df228
- SHA256
  
  7d36ce5dce5076db341dccd9d6d64f43bb733756609939020e94d17a3e4605fa
- SHA512
  
  da32100fa5c15d03c06b4fc2d9b50c95768b33281d9b808a73155e26f34cdce1a79067d65dcb5361326388e94635b67c6b4664dda045d057b7c1321987688477
- SSDEEP
  
  192:M2nAFqAF2JHf6WmthaGAThKdqhXpVd1DUlgUq9ZfTzw18H:M2nMqM2J/6WmtyToohXV1kC9Z7ziS
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  Launcher/resource/scripts/vscripts/ui/menu_extra_settings.nut
- Size
  
  3KB
- MD5
  
  a6f45c20bd144e60bdcc41d8121bba12
- SHA1
  
  934375272728a5f75c4df7de2c68a041a657e46c
- SHA256
  
  f38c15e3802e452b4c8a04f10a75a9aa2f5fab35bacabc88626bcd190a526091
- SHA512
  
  db3b020ecc2e3bc887ead26df2d81f11035af5ba108dbe0b74e4c620502a4cc1bcc7519aab7c0155a2c01165795d26e0c3120ef92e088c1c2e84722d19e14f52
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Launcher/scripts/vscripts/ui/menu_controls.nut
- Size
  
  9KB
- MD5
  
  0b642bfef275045db16f345e2754f3c6
- SHA1
  
  dec735293fed2586e1300899f70836dfa71df228
- SHA256
  
  7d36ce5dce5076db341dccd9d6d64f43bb733756609939020e94d17a3e4605fa
- SHA512
  
  da32100fa5c15d03c06b4fc2d9b50c95768b33281d9b808a73155e26f34cdce1a79067d65dcb5361326388e94635b67c6b4664dda045d057b7c1321987688477
- SSDEEP
  
  192:M2nAFqAF2JHf6WmthaGAThKdqhXpVd1DUlgUq9ZfTzw18H:M2nMqM2J/6WmtyToohXV1kC9Z7ziS
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  Launcher/tk86t.dll
- Size
  
  1.5MB
- MD5
  
  ef0d7469a88afb64944e2b2d91eb3e7f
- SHA1
  
  a26fd3de8da3e4aec417cebfa2de78f9ba7cf05b
- SHA256
  
  23a195e1e3922215148e1e09a249b4fe017a73b3564af90b0f6fd4d9e5dda4da
- SHA512
  
  909f0b73b64bad84b896a973b58735747d87b5133207cb3d9fa9ce0c026ee59255b7660c43bb86b1ddeef9fbb80b2250719fd379cff7afd9dbec6f6a007ed093
- SSDEEP
  
  24576:gR3uXVFKflt2zwvzPYHURwgVdF9EWyCzfdmHQnveD4CGan9nViFoHb15K3cmwdbi:SeFSpvzg0RwgVdF9EWyCzfdmHQnveD4r
Score

1^/10
behavioral27 behavioral28
- Target
  
  Launcher/vcruntime140.dll
- Size
  
  116KB
- MD5
  
  be8dbe2dc77ebe7f88f910c61aec691a
- SHA1
  
  a19f08bb2b1c1de5bb61daf9f2304531321e0e40
- SHA256
  
  4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
- SHA512
  
  0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
- SSDEEP
  
  1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
Score

1^/10
behavioral29 behavioral30
- Target
  
  Launcher/zlib1.dll
- Size
  
  141KB
- MD5
  
  b4a0b3d5abc631e95c074eee44e73f96
- SHA1
  
  c22c8baa23d731a0e08757d0449ca3dd662fd9e6
- SHA256
  
  c89c8a2fcf11d8191c7690027055431906aae827fc7f443f0908ad062e7e653e
- SHA512
  
  56bafd1c6c77343f724a8430a1f496b4a3160faa9a19ea40796438ae67d6c45f8a13224dcf3d1defb97140a2e47a248dd837801a8cb4674e7890b495aeec538e
- SSDEEP
  
  3072:jqLKjJj3yg1shVjm4OvfqnKAh2mrohmR5JHDbu4cCxp/:jqGEgSefI3roCDbH/
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Meduza Stealer payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32