meduza

Sharing

Copy URL

Twitter E-mail

General

Target

XmS.rar
Size

18.7MB
Sample

241010-nk2zyazgkj
MD5

e435cf094cc89dc2c7e631824c56868b
SHA1

2baa0947c2d01daeb5e1b72f19f1dd31f916435e
SHA256

e02386ddc6215fda512f352df0b1456bb17ac8e15ed05f631b1d18b466755adc
SHA512

4f5ee6026090db95efd0061fdbbf87b6217ffc048174e59a8c19dda019b757a9f9952f9a245d047dd130a9bd21b88e63b5faa9863a1303844defe7eff6f0b429
SSDEEP

393216:UvXHYBQorHnPWC7KvkSLfnhr4tzE4LiZu4ow6XSiB0h7rhr/KD93:UvH3YH7e9Lfhr49E4LiZu4ow6XzBknh6

Score

10^/10

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
28
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Targets

- Target
  
  XmS.rar
- Size
  
  18.7MB
- MD5
  
  e435cf094cc89dc2c7e631824c56868b
- SHA1
  
  2baa0947c2d01daeb5e1b72f19f1dd31f916435e
- SHA256
  
  e02386ddc6215fda512f352df0b1456bb17ac8e15ed05f631b1d18b466755adc
- SHA512
  
  4f5ee6026090db95efd0061fdbbf87b6217ffc048174e59a8c19dda019b757a9f9952f9a245d047dd130a9bd21b88e63b5faa9863a1303844defe7eff6f0b429
- SSDEEP
  
  393216:UvXHYBQorHnPWC7KvkSLfnhr4tzE4LiZu4ow6XSiB0h7rhr/KD93:UvH3YH7e9Lfhr49E4LiZu4ow6XzBknh6
Score

4^/10

discovery
behavioral1
- Target
  
  0FC343C0.dll
- Size
  
  185KB
- MD5
  
  8a3d01666b5298d61b015e693747f5a9
- SHA1
  
  34c46fa33d7b582839e4c2fd9a80ac0c22485d83
- SHA256
  
  58832b5533b8b0f44ff523c921dcd795c0c461cb89cbd92e808e856e864a55b3
- SHA512
  
  688e636ee3d06d575e71c0a6bc70a737bbfee395c3ff8858dc557911d15baead1d1fad6a37555b9a1472b40bd84bfca07487ab894b30442e008cafa6bdc03aab
- SSDEEP
  
  3072:+qDD5P+vXIZX1LXHuYGCTMDxHHI4fyj1yCnmh2m5sHrE8VW:HAvyXHuYGCTMD5IX1yimh2m5sHro
Score

1^/10
behavioral2
- Target
  
  B7091C83.dll
- Size
  
  5.3MB
- MD5
  
  aa1be9b9e40060a624164b01eaa6e55c
- SHA1
  
  6c8cca8965b325f17989d83be13c099bab4c0824
- SHA256
  
  126eca08930ad2fafe002a1f00c024193b20974519e77a7abe22e509b469d858
- SHA512
  
  f1dccb50b186c004389556dbc9bd0f68cc446494a28a896199bd555ef0bd0fc71bd003c5b0d3b8134f92a2e6ab6248ee21d447ecfdb81ef38aa2b92624b213c2
- SSDEEP
  
  98304:RtT7NoG8VgjPsRLoLvPNdVWoI69knRedI:RteSsdoxWOknRedI
Score

3^/10

discovery
behavioral3
- Target
  
  CbsMsg.dll
- Size
  
  53KB
- MD5
  
  a58a5aca4fcf07434202bd4decf0dfed
- SHA1
  
  290abf765b488fc89a0fc63e638b2a7bbf267d21
- SHA256
  
  c8d8885e53c0396d441344a9bc996964b28caef4805bf7e2978f1b96bc2d0fa3
- SHA512
  
  349f27bcf01a57c81f92865165b93360f6c2c150f881ae6ee3093dd6e6ed8507e67f50632715f994b250466b861bf8cdf9a0b5c773e7f70f1a780a4420c81349
- SSDEEP
  
  768:W9F+BgRT7gcMp3MBWm21P8dDwER9zVY69X:Wn+UT7gf3ZDP8dNzy69X
Score

1^/10
behavioral4
- Target
  
  DICTS/mshwchtrIME.dll
- Size
  
  7.1MB
- MD5
  
  df0257dfb0f880e0d550174a3377ab6e
- SHA1
  
  27dcbbe2bcfcd67774be04d4fd05fdc4ababe77f
- SHA256
  
  25f3237a5c72a87625fc90eef7859ea1bfbd041150befad7483c697aac20d872
- SHA512
  
  2e9e3e4ec6b381ec97f337a2c212b0668f46b4f7b9a39264ced0d76197d67e4099408924be8f04d3a04e35a967f6861dec9931f9fcb8c7b09717bf6bb5a9fa4f
- SSDEEP
  
  98304:85fUB7+6mFZEcw1xCHyvM7rveXaoL4/5ob:sUhlkLaxCSokapRob
Score

1^/10
behavioral5
- Target
  
  PresentationCore/PresentationCore.dll
- Size
  
  3.6MB
- MD5
  
  a40fc39482b6f65c06cf0417643d8131
- SHA1
  
  b148b13094a841134051f6c968613c92124cdebc
- SHA256
  
  0831ef1b10ec42bc941c86504d5d7ef24654d469e4a97ccf9b3ac7070d74ba6c
- SHA512
  
  da263ddc4d881bc562ab5b76424645747ceac8de6f086d3fd51b4d6d4238281e5ba7fe007d823c53f9733e8831672b1924a70fca44357f955ef69e0270004a26
- SSDEEP
  
  24576:wnkHcjsgvz/CXn04pV4HOAX03xHr37AOyLL24w+MF9jC649AF615VlUSrIJH9RAf:wKc4gv+V4RKHr37StqCXAI0uNHI
Score

3^/10

discovery
behavioral6
- Target
  
  PresentationCore/System.Data.dll
- Size
  
  3.3MB
- MD5
  
  83a2b80e3da259deb5e9c5fa94f9bd4a
- SHA1
  
  e0bac10318e87746486d0d18bf699472277829ac
- SHA256
  
  a2e9a2caec0547767219ddb6a9891458d125bf27c63f27074e038c7266046ae1
- SHA512
  
  04ac56038159af5e7f48e161b1b6bda80e25d7a89b0c6f7a8b4ad168bef5b4f7b8a7138cc1efe537bad16c4244682972a20f9f331a3241c51c6f0494e8a79c05
- SSDEEP
  
  49152:VaAygWgelDp0nh0dibjHms52Ng9fUNLs2l68ezWm6/6GSeHLnK+cgioq/5AeC8C:Vh43E3EK7mvg02/z
Score

3^/10

discovery
behavioral7
- Target
  
  RUN.exe
- Size
  
  1.5MB
- MD5
  
  80fb69110342f1a031b10484ea356055
- SHA1
  
  70a77fd61066eaf936feec994301f1c3693c7a28
- SHA256
  
  7c2f43b18bb5f18cb9b8967323a3c68befff6fbf8dceae39f786e8152f493a65
- SHA512
  
  bfacbb61f1c68e0b4e5d7a249512f839933377acb0070d865d202947e948a7e74f84cc55618adfb34a205f8de466ee43962f087aaa27beac5d09f57497783d23
- SSDEEP
  
  24576:K9hSDFEfJ3HW802gQzSMZs8A+xoZYqPLYnNBa1ndKFyzqxVAPI4WTG+G0lzOp91v:K9hMFEfVHW802gQmMZs8A+uX0nNBvFy5
Score

10^/10

meduza collection discovery spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  mscorlib/SettingsHandlers_InputPersonalization.dll
- Size
  
  331KB
- MD5
  
  2fe68dcb804879afb1213f99830ee39c
- SHA1
  
  7eafdd8c19cacbc0ecf009a8ea6ddfd59bcbab90
- SHA256
  
  a52795d441653748f8769281235017fadeb52b1a9846e4022e5e0411cbee6419
- SHA512
  
  bc3aff446edaafac9a75dee79de37ca371d80856b0e1955f679a0cf8cd8cfcef1ea928fe69643cbb4152c7d3d8c7519524903b42047728679ff356ee7c37e17c
- SSDEEP
  
  6144:qyc/k1NugdBxoouvr+dTMywX4OZWLMHr/xgq7ZTAV4qRE04uUsmk6:3c/kvuQBxoo8idTv1NMHzxgq7mRE0/
Score

1^/10
behavioral9
- Target
  
  mscorlib/SettingsHandlers_ManagePhone.dll
- Size
  
  299KB
- MD5
  
  6f186dad5e59ee35373e9c3276a83693
- SHA1
  
  e0efa75d1a8c8417b58af954a097d354cf652127
- SHA256
  
  47db47684cb533239b5d1ab667e307bdcbeafef4336dddee3ee80b25916d9f7f
- SHA512
  
  f5432134057773406b76342af1d16537ba75543919f1f3318ab5d14931e00229fa6d0a56a6647fcde5df9269dba3a5bb840153b8bc156e8295ceb72c69f8bc1f
- SSDEEP
  
  3072:RlGIwzVYbiZP4AMWWakLPXnDz1MTvtVrXwszBZNun65Z+vAfODa42jS0lq6xeJaG:nimGZP4A8LVMTvtKszlun6iW7N50Jv
Score

1^/10
behavioral10
- Target
  
  mscorlib/SettingsHandlers_WorkAccess.dll
- Size
  
  437KB
- MD5
  
  219db4095e0f1f0fb69768d1faa5b2da
- SHA1
  
  acc4880b23eaabbda5608ae35a8eec4f94b888d6
- SHA256
  
  8162b5cfde31f9ce630459624a2051f88427a9ec79a860ad74a6c60c13b7b6ad
- SHA512
  
  165bb9085336a0cdb1a3d1265ab00da2d7d7e498255a415529bf330ea9bd27008fb5e85b72f33b06727c31d8c2891b8a1778bc2839db643f42c4617567d2c636
- SSDEEP
  
  6144:1V3F725fEgAUeEN5g9XsavS3cDGj4WmDVqRVCmFXG+v7gVGc4/OiG:bk58fUn0XJvS3J1M+zqGc4Gi
Score

1^/10
behavioral11
- Target
  
  mscorlib/SettingsHandlers_nt.dll
- Size
  
  3.4MB
- MD5
  
  a68cc23a379fcb31da09b93b5b96ab9b
- SHA1
  
  7fe463ad91b5ad02fae791ae3516b9212af7488b
- SHA256
  
  fd9f50cb087c81b1f515485e2834ed3d1016a83c251207def1653648ed4f3cd5
- SHA512
  
  fa18a8872634804383da07f2586f3e94b19fb63c13c2e0f1f3619d6c98f648b75684666f1fb17fa52f8f0d37876301900dfce7b5f1148eabce5990a056dd4089
- SSDEEP
  
  49152:8n4KebvJNzQko+otm1kzmeqBJD0LlYD7pxdalXve54oYFf+:nB9eQYXx
Score

1^/10
behavioral12
- Target
  
  mscorlib/v4.0_4.0.0.0__b77a5c561934e089/mscorlib.dll
- Size
  
  5.5MB
- MD5
  
  5fca079e64eab4592a612d06e0043f98
- SHA1
  
  f78aba3a6eb6c74748a6c65518f01047be6fe285
- SHA256
  
  c4abfac85ef278a98d894a949c436a8bb1e4aed2217a7db679775e9f05944f10
- SHA512
  
  758dcc4ab67ed5f32601a10f762f9ae2f6ec580a15e7fa6e7ecfff05d6cf02e21b21ac38e1a23e7d941cbdf14402466b982f37de7bcde78f0bf95d76931428af
- SSDEEP
  
  49152:7u//QUyNVzD4zpClWx5qqWlgfMkkYISbYT3exOXMEFFmRh03ul92b9sk/IRUn+FV:cQJzDg8lW2qkgfMknJaJ3wum
Score

3^/10

discovery
behavioral13
- Target
  
  mscorlib/v4.0_4.0.0.0__b77a5c561934e089/normidna.nlp
- Size
  
  57KB
- MD5
  
  da5748a89e22a3932387e65694b25bbb
- SHA1
  
  c1ee3598b01c15d6e772971416eef2f51e8c0482
- SHA256
  
  157105a9940b35dc8f1800e0a14765b91513cd5906508fc7ec53a2b8d5038ee9
- SHA512
  
  d937184c29cc6df2517b9de7389f72b065a383b49fb5d56b93d60fb48abae1d790ba90b08f3f86ca3c1e36c68288ccc77c1d4054ba7777058dc29b7a28170c79
- SSDEEP
  
  768:TyLy9olP5ppV9tewIljbMvyH8UR+MRsTQCXpKcAXLRMe6ZM6oM1kS0u2oi2:TyLy2jvWWfXD+LReM601/2
Score

3^/10
behavioral14
- Target
  
  mscorlib/v4.0_4.0.0.0__b77a5c561934e089/normnfc.nlp
- Size
  
  45KB
- MD5
  
  ab0188447cfa74e646c9aeca1c232430
- SHA1
  
  acf377c8503c3b9eadc2ae988fdfac30526cb927
- SHA256
  
  9d2f2d92e8fde1fd2d6ea45e3f62e4e174f2337f84b746ceb14c4bcfa2c71367
- SHA512
  
  d67b19d5b7c81bfaaeaac6f61e9a289372310f08aca276692b6dec044cc5a4a857f4c811935d551c0c4950349ce04170fccc44c9c30e2c2aafdb941e4d6d9274
- SSDEEP
  
  768:QQ0pq+fVgEKI5UbgZjFQUpEwQECEaLR59:P0pzO/i9zZoR59
Score

3^/10
behavioral15
- Target
  
  mscorlib/v4.0_4.0.0.0__b77a5c561934e089/normnfd.nlp
- Size
  
  39KB
- MD5
  
  a9bd54b9fde1a660dfdbecc9e94a8e22
- SHA1
  
  a2503cf9849180c4396adc0b1a443bc5b9d4ae09
- SHA256
  
  90138996a68319099bca2f0f3015a90b0e4300a49c071a04614a99ea9d3bcd91
- SHA512
  
  ec7295b89ddeb0b0184dfb65928d369a788932acfc385fc677d425d26a940d228b31231ab4ed044edf4e1bf924cd9cd1ba9b043d6da2aec848189b1f49760517
- SSDEEP
  
  384:YxZD5Ay8UUDXdElnVYQMbzKMUnTweLJ8N9zgM+KkFFQUpEwROSj:qZD+yQ0nVYw9nTNY1gZjFQUpEwQ0
Score

3^/10
behavioral16
- Target
  
  mscorlib/v4.0_4.0.0.0__b77a5c561934e089/normnfkc.nlp
- Size
  
  66KB
- MD5
  
  a52f03c8df33dcdfcc6c44e947eba685
- SHA1
  
  a4e6ec137d8dcfd7beca4ee8bacba19eb878f37f
- SHA256
  
  c0958d6f476e55be7458a55620f99826cbdde3bf66da94c6a5f7d08f88e77b60
- SHA512
  
  4829c7a449beaf4c6dfc2775246dd59563090456b7395fde1bad9a7e7353d9c638c7b32c549c28b5b572fec9947a16caa9dc230ce5f7de519af6761a2ac92efd
- SSDEEP
  
  768:z0JlR1avaSWhVP6JoVb/1gFbCR3NjGvI4vkSOUhbBUB1TEXLRJz:z0naLWTE6bubCRtGJby4RJz
Score

3^/10
behavioral17
- Target
  
  mscorlib/v4.0_4.0.0.0__b77a5c561934e089/normnfkd.nlp
- Size
  
  60KB
- MD5
  
  4d8620e00dd771b58534a00218c60a58
- SHA1
  
  5dc02a1757bbccbf388466bf6580864d99136e9c
- SHA256
  
  a1bd4e75958ccc7bb8073651950f23c7115054a32fbdbefe86f455a3480dbd9d
- SHA512
  
  d20b243f615b1232a1924bdcebdda5d89551daef20c6ad5256285097fbbab7ced5fdbbbdef34775889f689387c55622d4e15f3887a3a405d8685eda2d4d9e079
- SSDEEP
  
  768:9BypmUEImoYQvP17WgVbFTylKjWvtZ4HkSOUhbBUB1a:ny0UEbQvt7F80jWvtAby6
Score

3^/10
behavioral18
- Target
  
  mshwkorrIME.dll
- Size
  
  7.0MB
- MD5
  
  25d0eb59bb5c2ed73203d9522ec65aee
- SHA1
  
  af4520901299a4511088761f9e7846fb2978cef2
- SHA256
  
  7b9e1a1d1a10b16465bcaf3374dfafa8bcb3876c208fbf6b83549954b7449eb2
- SHA512
  
  af39caa86fccb2491b2f7e2e2f644ef615c401fd63085057f69b355662fa745c04b5911138b832915d593aaac5387794658bf6e8f82ec5080f8216b74ad23dbe
- SSDEEP
  
  98304:fFoX7nyokE7N3r3Jv112NMhpw0Oqa7jLUxa4d2bvLTs7:f67nVnZ3dvraDuT2bv/Y
Score

1^/10
behavioral19
- Target
  
  twain_32.dll
- Size
  
  63KB
- MD5
  
  afe119dd4e17891b227684f38aa25d4d
- SHA1
  
  2159772933e0ba4fb108edb93067cfdd067abf15
- SHA256
  
  eec41d62ab5d2e1d880b338c47a2156a5ee7e58f3448f58cc8120392ddc8c730
- SHA512
  
  37309c74f3b6e356506c40c871a90294d9f874388a1417af9eb27cde085cf62a72af79b258c78cac0ac2ed8a183e349ffb8f67f2a9c3f46c1d19f2fe3ea9408f
- SSDEEP
  
  768:uPC0xySqWNPwcKnReqpxORBoWNOMFN5cYsFx1gAmOURksWrk/VwLtkKavNi3IJzU:uPC0xyowcklqHw9xGkLrNLtBiNR
Score

3^/10

discovery
behavioral20
- Target
  
  wrpintapi.dll
- Size
  
  14KB
- MD5
  
  a55e16fe16e2f92228b8b47b301f9879
- SHA1
  
  e8550ebaf849e6c07736bcd77b07b6e9a4c73906
- SHA256
  
  94d6e407276edb401b2f4c0741f66d1f440e19068c93c16f9a1dd095f934ef0e
- SHA512
  
  aecdbeab4a95677f6b57162b344dd082cbc21b6572b823349f96c6a5719c8f02e144bd05b45f79efc9f926942fb48c01285396056143539e96c7ab2b47a9c7ae
- SSDEEP
  
  192:PR1wf+fTfRDcmg6ZrA+Y1mR5pvUgFqTl8L5rjWVfW:PPwfeDng6ZrA/IOlwrjWVfW
Score

1^/10
behavioral21