Overview

overview

10

Static

static

3

App_instal...4x.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    App_installer32_64x (github).zip

  • Size

    1.3MB

  • Sample

    241021-g87rrsshja

  • MD5

    8b95d1b1c84e752e2996e139c05775f7

  • SHA1

    f96e0de68e25bf4723994a83fdabf41f77533fbb

  • SHA256

    ad90419efa0f0ceabb963cbde03aa15f4327050375dd5e1e2a6f84dd05068fb7

  • SHA512

    43df404f9d2813f119e842e20073d4c1a10bc12c89118e91be2109faad5af643ef903c387754895ab86f26709af94c64c570bef166eb85f291295ff736cdf030

  • SSDEEP

    24576:Aoz0JvZiGv27dUrgE0o1mCmZD07Lyk236fzrSZi8af8E7T73Xv4TDkW6H66vF/wE:9z0riGv27Krpn7iEXSM7T7kDkW6H66vD

Score
10/10
meduzacollectiondiscoveryspywarestealer

Malware Config

Extracted

Family

meduza

C2

109.107.181.162

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    458

  • extensions

    none

  • grabber_max_size

    1.048576e+06

  • links

    none

  • port

    15666

  • self_destruct

    true

Targets

    • Target

      App_installer32_64x.exe

    • Size

      2.4MB

    • MD5

      2552cda61ecc9cffc215808b8310d697

    • SHA1

      bd3c5bfb31cd257606563a44dec61a23b3e2e6e8

    • SHA256

      2e0ccd8d3ca72b4322294b5b3fbead5d454da524b1fe87bd5687ef00481f7bfe

    • SHA512

      dd42dad49c28c3040a1534c88e6ecc5812b9488b2ef59377921ea74db1bb0d258392830f94281a78427b978ed4dc26a1eb2868eabb8b703e9a38533ca84dba31

    • SSDEEP

      49152:pVUJTk3/vizpr2Tv7CJDLeD8O3Rg2JVLe2NKrCAnWwey5:dZ7CJDL4adnzey5

    Score
    10/10
    meduzacollectiondiscoveryspywarestealer

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

      stealermeduza

    • Meduza Stealer payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks