General

  • Target: 2024-11-07_36f5bfe08c2fb0f5385835e2020729f8_ryuk
  • Size: 3.6MB
  • Sample: 241107-jx4bbaxphz
  • MD5: 36f5bfe08c2fb0f5385835e2020729f8
  • SHA1: 14f6d8353c99a64406e0fa3aab8956801423a6a1
  • SHA256: 2c502b3c1f644848ab35b0234b6687794aa59eeec64df7f20d82870d223f0708
  • SHA512: 76ea17463460b83263d31b996bca18abf9fe728a7aa66e1beee2225612d78ad592c08cf52dba2c55ebb2f66bf460bcae9dfa59230dcd80097c7164c9fa4ec7f8
  • SSDEEP: 24576:bw317sPycp8nCB3CyRtSrpz1wh98/vkSzWw/fzFzOxVuixd0HPoKO/Q+CzCkrjKg:bByPnIfep1u98nkk/pJvo7iwB

Malware Config

Extracted

  • Family: meduza
  • C2: 109.107.181.162

Attributes

  • anti_dbg: true
  • anti_vm: true
  • build_name: 570
  • extensions: none
  • grabber_max_size: 1.048576e+06
  • links: none
  • port: 15666
  • self_destruct: true

Targets

    • Meduza
      Meduza is a crypto wallet and info stealer written in C++.
    • Meduza Stealer payload
    • Meduza family
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses Microsoft Outlook profiles
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks