meduza | ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef

General

Target

ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe
Size

1.4MB
MD5

82eecea4083e39c33733428c2d845b15
SHA1

02cfb61e8cb6242890cf58e25c26136d4ce46709
SHA256

ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef
SHA512

4528e6033ea1cf4a0de232d3ec74bffead24d17dd2d4a2ceac4f73f2e2b94babd53e14bc9eca5661c41f4692b730d9096f5255936c19de7b2671bf8f226899df
SSDEEP

24576:Yr3uXCxRUKRErpNT3ixen3EyJvRvEx+aFwGSMn/FQiG654Sr:Yreyx7ErOe3XvRvRayM/FU+4s

Score

10^/10

meduza stealer

Malware Config

Extracted

Family

meduza

C2

95.181.173.8

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/3368-7-0x0000000140000000-0x000000014011D000-memory.dmp	family_meduza
behavioral2/memory/3368-9-0x0000000140000000-0x000000014011D000-memory.dmp	family_meduza
behavioral2/memory/3368-6-0x0000000140000000-0x000000014011D000-memory.dmp	family_meduza
behavioral2/memory/3368-4-0x0000000140000000-0x000000014011D000-memory.dmp	family_meduza
behavioral2/memory/3368-10-0x0000000140000000-0x000000014011D000-memory.dmp	family_meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe

Loads dropped DLL 1 IoCs

pid	Process
5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5056 set thread context of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\a.exe:extractor.dll	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92
PID 5056 wrote to memory of 3368	5056	ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe	92

C:\Users\Admin\AppData\Local\Temp\ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe
"C:\Users\Admin\AppData\Local\Temp\ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe
  "C:\Users\Admin\AppData\Local\Temp\ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef.exe"
  2⤵
  - Checks computer location settings
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.exe:extractor.dll

Filesize
1.2MB

MD5
da062f6ed87871e46de3c6e49a26fcaf

SHA1
46e9d281db92e3bc53323e01f40c471fc6a340e1

SHA256
80c88bebf99127e65da9563876866708d0badee46a235c39456ca27e7dc3ef8c

SHA512
900b846219b554830b0f38e001d82ef05b2d1454e178e6fa8eb97aef1f6613e567fcf1e89ecd81465befe75bf7fd814fd5004ce378f5b83d897de66540b173a5

Download Submit
memory/3368-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-4-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/5056-8-0x00007FFFA6470000-0x00007FFFA65A8000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing