General

  • Target

    1af30897308adc5597a9806f7940202676ed2a32d0b8df87e2f36a2a6b30af22.zip

  • Size

    20.8MB

  • Sample

    241011-blejtasepp

  • MD5

    295cfb6ae8b388a5c8d80f874d5e8a91

  • SHA1

    ef9493dd22399b1874dfd311babc26b6081f7f79

  • SHA256

    1af30897308adc5597a9806f7940202676ed2a32d0b8df87e2f36a2a6b30af22

  • SHA512

    e0000bf6829e5c4255ffbe8cd55761c4810a55fdb9ca571a9f2da4264ef90943137e95cc2625e42c0f320b0f6e9621375ed5a3021776cd10dd21ca0e0110e9ea

  • SSDEEP

    393216:m2pdj5VJaGomoUsR8dFMuqlLOzrYB/mcFT1MCzP1rs7XX5hDv6zIoZw7h2AyZz2c:mi1PH/cmMZl2amuOGParXXyzIoZwlapd

Malware Config

Extracted

Family

meduza

C2

109.107.181.162

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    28

  • extensions

    none

  • grabber_max_size

    1.048576e+06

  • links

    none

  • port

    15666

  • self_destruct

    true

Targets

    • Target

      proxy.XmSProject/0FC343C0.dll

    • Size

      185KB

    • MD5

      8a3d01666b5298d61b015e693747f5a9

    • SHA1

      34c46fa33d7b582839e4c2fd9a80ac0c22485d83

    • SHA256

      58832b5533b8b0f44ff523c921dcd795c0c461cb89cbd92e808e856e864a55b3

    • SHA512

      688e636ee3d06d575e71c0a6bc70a737bbfee395c3ff8858dc557911d15baead1d1fad6a37555b9a1472b40bd84bfca07487ab894b30442e008cafa6bdc03aab

    • SSDEEP

      3072:+qDD5P+vXIZX1LXHuYGCTMDxHHI4fyj1yCnmh2m5sHrE8VW:HAvyXHuYGCTMD5IX1yimh2m5sHro

    Score

    1/10

    • Target

      proxy.XmSProject/B7091C83.dll

    • Size

      5.3MB

    • MD5

      aa1be9b9e40060a624164b01eaa6e55c

    • SHA1

      6c8cca8965b325f17989d83be13c099bab4c0824

    • SHA256

      126eca08930ad2fafe002a1f00c024193b20974519e77a7abe22e509b469d858

    • SHA512

      f1dccb50b186c004389556dbc9bd0f68cc446494a28a896199bd555ef0bd0fc71bd003c5b0d3b8134f92a2e6ab6248ee21d447ecfdb81ef38aa2b92624b213c2

    • SSDEEP

      98304:RtT7NoG8VgjPsRLoLvPNdVWoI69knRedI:RteSsdoxWOknRedI

    Score

    3/10

    • Target

      proxy.XmSProject/CbsMsg.dll

    • Size

      53KB

    • MD5

      a58a5aca4fcf07434202bd4decf0dfed

    • SHA1

      290abf765b488fc89a0fc63e638b2a7bbf267d21

    • SHA256

      c8d8885e53c0396d441344a9bc996964b28caef4805bf7e2978f1b96bc2d0fa3

    • SHA512

      349f27bcf01a57c81f92865165b93360f6c2c150f881ae6ee3093dd6e6ed8507e67f50632715f994b250466b861bf8cdf9a0b5c773e7f70f1a780a4420c81349

    • SSDEEP

      768:W9F+BgRT7gcMp3MBWm21P8dDwER9zVY69X:Wn+UT7gf3ZDP8dNzy69X

    Score

    1/10

    • Target

      proxy.XmSProject/DICTS/mshwchtrIME.dll

    • Size

      7.1MB

    • MD5

      df0257dfb0f880e0d550174a3377ab6e

    • SHA1

      27dcbbe2bcfcd67774be04d4fd05fdc4ababe77f

    • SHA256

      25f3237a5c72a87625fc90eef7859ea1bfbd041150befad7483c697aac20d872

    • SHA512

      2e9e3e4ec6b381ec97f337a2c212b0668f46b4f7b9a39264ced0d76197d67e4099408924be8f04d3a04e35a967f6861dec9931f9fcb8c7b09717bf6bb5a9fa4f

    • SSDEEP

      98304:85fUB7+6mFZEcw1xCHyvM7rveXaoL4/5ob:sUhlkLaxCSokapRob

    Score

    1/10

    • Target

      proxy.XmSProject/PresentationCore/PresentationCore.dll

    • Size

      3.6MB

    • MD5

      a40fc39482b6f65c06cf0417643d8131

    • SHA1

      b148b13094a841134051f6c968613c92124cdebc

    • SHA256

      0831ef1b10ec42bc941c86504d5d7ef24654d469e4a97ccf9b3ac7070d74ba6c

    • SHA512

      da263ddc4d881bc562ab5b76424645747ceac8de6f086d3fd51b4d6d4238281e5ba7fe007d823c53f9733e8831672b1924a70fca44357f955ef69e0270004a26

    • SSDEEP

      24576:wnkHcjsgvz/CXn04pV4HOAX03xHr37AOyLL24w+MF9jC649AF615VlUSrIJH9RAf:wKc4gv+V4RKHr37StqCXAI0uNHI

    Score

    3/10

    • Target

      proxy.XmSProject/PresentationCore/System.Data.dll

    • Size

      3.3MB

    • MD5

      83a2b80e3da259deb5e9c5fa94f9bd4a

    • SHA1

      e0bac10318e87746486d0d18bf699472277829ac

    • SHA256

      a2e9a2caec0547767219ddb6a9891458d125bf27c63f27074e038c7266046ae1

    • SHA512

      04ac56038159af5e7f48e161b1b6bda80e25d7a89b0c6f7a8b4ad168bef5b4f7b8a7138cc1efe537bad16c4244682972a20f9f331a3241c51c6f0494e8a79c05

    • SSDEEP

      49152:VaAygWgelDp0nh0dibjHms52Ng9fUNLs2l68ezWm6/6GSeHLnK+cgioq/5AeC8C:Vh43E3EK7mvg02/z

    Score

    3/10

    • Target

      proxy.XmSProject/RUN.exe

    • Size

      1.5MB

    • MD5

      80fb69110342f1a031b10484ea356055

    • SHA1

      70a77fd61066eaf936feec994301f1c3693c7a28

    • SHA256

      7c2f43b18bb5f18cb9b8967323a3c68befff6fbf8dceae39f786e8152f493a65

    • SHA512

      bfacbb61f1c68e0b4e5d7a249512f839933377acb0070d865d202947e948a7e74f84cc55618adfb34a205f8de466ee43962f087aaa27beac5d09f57497783d23

    • SSDEEP

      24576:K9hSDFEfJ3HW802gQzSMZs8A+xoZYqPLYnNBa1ndKFyzqxVAPI4WTG+G0lzOp91v:K9hMFEfVHW802gQmMZs8A+uX0nNBvFy5

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      proxy.XmSProject/mscorlib/SettingsHandlers_InputPersonalization.dll

    • Size

      331KB

    • MD5

      2fe68dcb804879afb1213f99830ee39c

    • SHA1

      7eafdd8c19cacbc0ecf009a8ea6ddfd59bcbab90

    • SHA256

      a52795d441653748f8769281235017fadeb52b1a9846e4022e5e0411cbee6419

    • SHA512

      bc3aff446edaafac9a75dee79de37ca371d80856b0e1955f679a0cf8cd8cfcef1ea928fe69643cbb4152c7d3d8c7519524903b42047728679ff356ee7c37e17c

    • SSDEEP

      6144:qyc/k1NugdBxoouvr+dTMywX4OZWLMHr/xgq7ZTAV4qRE04uUsmk6:3c/kvuQBxoo8idTv1NMHzxgq7mRE0/

    Score

    1/10

    • Target

      proxy.XmSProject/mscorlib/SettingsHandlers_ManagePhone.dll

    • Size

      299KB

    • MD5

      6f186dad5e59ee35373e9c3276a83693

    • SHA1

      e0efa75d1a8c8417b58af954a097d354cf652127

    • SHA256

      47db47684cb533239b5d1ab667e307bdcbeafef4336dddee3ee80b25916d9f7f

    • SHA512

      f5432134057773406b76342af1d16537ba75543919f1f3318ab5d14931e00229fa6d0a56a6647fcde5df9269dba3a5bb840153b8bc156e8295ceb72c69f8bc1f

    • SSDEEP

      3072:RlGIwzVYbiZP4AMWWakLPXnDz1MTvtVrXwszBZNun65Z+vAfODa42jS0lq6xeJaG:nimGZP4A8LVMTvtKszlun6iW7N50Jv

    Score

    1/10

    • Target

      proxy.XmSProject/mscorlib/SettingsHandlers_WorkAccess.dll

    • Size

      437KB

    • MD5

      219db4095e0f1f0fb69768d1faa5b2da

    • SHA1

      acc4880b23eaabbda5608ae35a8eec4f94b888d6

    • SHA256

      8162b5cfde31f9ce630459624a2051f88427a9ec79a860ad74a6c60c13b7b6ad

    • SHA512

      165bb9085336a0cdb1a3d1265ab00da2d7d7e498255a415529bf330ea9bd27008fb5e85b72f33b06727c31d8c2891b8a1778bc2839db643f42c4617567d2c636

    • SSDEEP

      6144:1V3F725fEgAUeEN5g9XsavS3cDGj4WmDVqRVCmFXG+v7gVGc4/OiG:bk58fUn0XJvS3J1M+zqGc4Gi

    Score

    1/10

    • Target

      proxy.XmSProject/mscorlib/SettingsHandlers_nt.dll

    • Size

      3.4MB

    • MD5

      a68cc23a379fcb31da09b93b5b96ab9b

    • SHA1

      7fe463ad91b5ad02fae791ae3516b9212af7488b

    • SHA256

      fd9f50cb087c81b1f515485e2834ed3d1016a83c251207def1653648ed4f3cd5

    • SHA512

      fa18a8872634804383da07f2586f3e94b19fb63c13c2e0f1f3619d6c98f648b75684666f1fb17fa52f8f0d37876301900dfce7b5f1148eabce5990a056dd4089

    • SSDEEP

      49152:8n4KebvJNzQko+otm1kzmeqBJD0LlYD7pxdalXve54oYFf+:nB9eQYXx

    Score

    1/10

    • Target

      proxy.XmSProject/mscorlib/v4.0_4.0.0.0__b77a5c561934e089/mscorlib.dll

    • Size

      5.5MB

    • MD5

      5fca079e64eab4592a612d06e0043f98

    • SHA1

      f78aba3a6eb6c74748a6c65518f01047be6fe285

    • SHA256

      c4abfac85ef278a98d894a949c436a8bb1e4aed2217a7db679775e9f05944f10

    • SHA512

      758dcc4ab67ed5f32601a10f762f9ae2f6ec580a15e7fa6e7ecfff05d6cf02e21b21ac38e1a23e7d941cbdf14402466b982f37de7bcde78f0bf95d76931428af

    • SSDEEP

      49152:7u//QUyNVzD4zpClWx5qqWlgfMkkYISbYT3exOXMEFFmRh03ul92b9sk/IRUn+FV:cQJzDg8lW2qkgfMknJaJ3wum

    Score

    3/10

    • Target

      proxy.XmSProject/mshwkorrIME.dll

    • Size

      7.0MB

    • MD5

      25d0eb59bb5c2ed73203d9522ec65aee

    • SHA1

      af4520901299a4511088761f9e7846fb2978cef2

    • SHA256

      7b9e1a1d1a10b16465bcaf3374dfafa8bcb3876c208fbf6b83549954b7449eb2

    • SHA512

      af39caa86fccb2491b2f7e2e2f644ef615c401fd63085057f69b355662fa745c04b5911138b832915d593aaac5387794658bf6e8f82ec5080f8216b74ad23dbe

    • SSDEEP

      98304:fFoX7nyokE7N3r3Jv112NMhpw0Oqa7jLUxa4d2bvLTs7:f67nVnZ3dvraDuT2bv/Y

    Score

    1/10

    • Target

      proxy.XmSProject/twain_32.dll

    • Size

      63KB

    • MD5

      afe119dd4e17891b227684f38aa25d4d

    • SHA1

      2159772933e0ba4fb108edb93067cfdd067abf15

    • SHA256

      eec41d62ab5d2e1d880b338c47a2156a5ee7e58f3448f58cc8120392ddc8c730

    • SHA512

      37309c74f3b6e356506c40c871a90294d9f874388a1417af9eb27cde085cf62a72af79b258c78cac0ac2ed8a183e349ffb8f67f2a9c3f46c1d19f2fe3ea9408f

    • SSDEEP

      768:uPC0xySqWNPwcKnReqpxORBoWNOMFN5cYsFx1gAmOURksWrk/VwLtkKavNi3IJzU:uPC0xyowcklqHw9xGkLrNLtBiNR

    Score

    3/10

    • Target

      proxy.XmSProject/wrpintapi.dll

    • Size

      14KB

    • MD5

      a55e16fe16e2f92228b8b47b301f9879

    • SHA1

      e8550ebaf849e6c07736bcd77b07b6e9a4c73906

    • SHA256

      94d6e407276edb401b2f4c0741f66d1f440e19068c93c16f9a1dd095f934ef0e

    • SHA512

      aecdbeab4a95677f6b57162b344dd082cbc21b6572b823349f96c6a5719c8f02e144bd05b45f79efc9f926942fb48c01285396056143539e96c7ab2b47a9c7ae

    • SSDEEP

      192:PR1wf+fTfRDcmg6ZrA+Y1mR5pvUgFqTl8L5rjWVfW:PPwfeDng6ZrA/IOlwrjWVfW

    Score

    1/10
