meduza

Resubmissions

08-11-2024 18:35

241108-w8a55azldl 10

Sharing

Copy URL

Twitter E-mail

General

Target

Crosshair-X.rar
Size

22.5MB
Sample

241108-w8a55azldl
MD5

550d99966f776df5a4bcaf5fbeda7eb8
SHA1

2f38b80de6b9968b8d5a8974e99188f310a63577
SHA256

ea6d08a9b5f2f4dc3b8f6eecfa39cc2b0c29fe33b84fbc57460e8cf2efaeea30
SHA512

694d876065e9ff55720a61188d54ca9d0f3a2d76bc9d014bce5fbffe26c5e12aba55a50080c660d23867797f25713de5164e736fbd4b06bcafc2dfdd14b0a71e
SSDEEP

393216:C+HbwC742kXV0z4e3lHJuPLApQXKjDedMvQV1O9YJao4/F/8RTQ/jbsb/:VH97nkl0z4kuTSQXKjuMvA1CYYok8RT3

Score

10^/10

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
665
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Targets

- Target
  
  Crosshair-X/.eslintrc.js
- Size
  
  1KB
- MD5
  
  fb71d76bdf761e6546f654210437a945
- SHA1
  
  11c66d27f5235879b103c2ca0cbdf30bae7dc073
- SHA256
  
  879ef141f617f950d748509e94f05e6a8d872eb349d2dd994ac47d8e46b4bc46
- SHA512
  
  bf157cddd1fbfe76e194a4fd36f5c1507cc495f5866797613491a76fc34848fab64685351c485381d60f7cb2ef95c9d88cc114f69e589bc3cebffdb402d9ff63
Score

3^/10

execution
behavioral1 behavioral2
- Target
  
  Crosshair-X/.github/workflows/crossover-ci.yml
- Size
  
  4KB
- MD5
  
  d97a0eb3d15595c19415a6263737ff31
- SHA1
  
  a87d0e9f45119a80de94f8bea233a877aed8ec7c
- SHA256
  
  cd6e9f71ad2e40ff09bb8a5a7764e5b416394500cf67f7d594b005f29f3d275b
- SHA512
  
  b6b8e13e32ba29b45e077e213184432a29e3ec20f2a68c8fd90e5ab8c4544ac8fce888754133994958dfa0c2594c96ed81e25b6f8be6fbd731a68e1987c5dce1
- SSDEEP
  
  48:n5KANiw69mXqt0dyP5keIIRG5EVL/xmMzPUKWJzjgOE3Lt6dyWnn7ibOkylxnR6T:5yuyDc+WnnrrzyvquN
Score

3^/10

execution
behavioral3 behavioral4
- Target
  
  Crosshair-X/Crosshair-X.exe
- Size
  
  3.6MB
- MD5
  
  979f82f61cbec2d6a3612f31c48c1e68
- SHA1
  
  dd201171c887c24563736d759e80ff4a804f6058
- SHA256
  
  25bb8fb4cf7b57c2b1cea335f113ade65f33b5e797f1f5ce973ad4a9fd0d9cf6
- SHA512
  
  93d52fbd30adce86789bda8b76361ee902f2813bf35d399c1ca3b6f035a7c300d2323b732b5926ffb4567043170a07465dd1f9a57e28bcaa2ec6d5169bc90cb5
- SSDEEP
  
  24576:bw317sPycp8nCB3Cfk4B48vPEcGF5fKn3PT2lr/lmqeHsJpHLm5RUefngd1t0XQ1:bByPnICXr4Kf82ElmT7HA4pP8
Score

10^/10

meduza collection discovery spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  Crosshair-X/index.js
- Size
  
  859B
- MD5
  
  55be8b0ebb46aac7328636c61863f76e
- SHA1
  
  364ee737196aa2fd58ab5bcf620e781c8fe0b93f
- SHA256
  
  b7398611a3cd78de6a79e546e84c5585d185a7658b61661b5051aabcf1495782
- SHA512
  
  69f31881108e9354720099799daf822814c12867d7d1d0b504b3f087f3ade7060c2d4b639f3bf030f54d942f721f3d3231da54e91f2612a1288035bc78526c8d
Score

3^/10

execution
behavioral7 behavioral8
- Target
  
  Crosshair-X/src/config/config.js
- Size
  
  1KB
- MD5
  
  2265a4a1c029a3ab964075320b235db5
- SHA1
  
  2cb408f709e15da4a18d4b5c3291b1a2746eff24
- SHA256
  
  ebaa4064e5af2f206ba445b7f4ad3257c431a04d5ad914e0486a4b309d9ffb5f
- SHA512
  
  a03949b5e1ce58296a0b06751f7b66472191dc0b26dfd7ecc6486085c684a64ed973b69cdfe043ab3d8f4182e65cbc6108a7f8978338fcbe859986f08b9a1c23
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  Crosshair-X/src/config/exit-codes.js
- Size
  
  199B
- MD5
  
  ad7efa05dd922f07823fb1e8e34c8baf
- SHA1
  
  6ef02b4689b525ef91e8025c6b5398043d1bc561
- SHA256
  
  41938482318d151c48a4bf602749417ef6b949c12b74d597d5028ee9d387728c
- SHA512
  
  44ff43adc9cb02cd13520466f051659b7e8327697d2306e8371ad71e137e566426eaf7b0a055541643541e786c8b99016ab1acd559ec1e655810226ade7470df
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  Crosshair-X/src/config/index.js
- Size
  
  225B
- MD5
  
  2713cfb0f081a4539857c7284346eb94
- SHA1
  
  924501cb9cb9f8fab18d4b70e19efc28efdab99d
- SHA256
  
  476cc845951e34390462857b7baea8db023c51677fcd2e3c811034f5c2ffe801
- SHA512
  
  e0cc489f379cd9b0ca34f5bfbf31312bd1b924a49d28357922036a546502677fcc2e9294d0df8eab441c94b59e849942fa6dacbdc12471dc95ea330576f059da
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  Crosshair-X/src/config/keycode.js
- Size
  
  1KB
- MD5
  
  9db85691b11141eb6b1785577b6560f7
- SHA1
  
  8f8ab58d0431764aca80a13bad424e5e18473737
- SHA256
  
  d3678e159d022a31101424b67310bb1214c9821e65a334fd96c8c91ad2a49267
- SHA512
  
  496a21cb636cfb7fc1849680cf398574d6031b1f0b6da6baa21e9d5021009752c4432c7799a312e27fc849f34e38db751444ed1548ea8d5842e9ca3485f84405
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  Crosshair-X/src/config/utils.js
- Size
  
  2KB
- MD5
  
  d8c71e177dfc2efa7edc840c9d3f7820
- SHA1
  
  4b2640ba421286cba4fddf937ed1efb51e0d23ae
- SHA256
  
  f369586c32555fd41d74fc88bcbe8fb115620868024953640df0f1ce2e631a56
- SHA512
  
  752de35f8bdbaa3e277ceae2cd33ef08aea190e29b35d4a09bcac1895cc3064aa688ad855294af315f90052d91b44f9d6a1446021a7e818aa492e16a34237fe6
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  Crosshair-X/src/index.js
- Size
  
  59B
- MD5
  
  3d8c8146ff2a9bd339b3cc2c17e74689
- SHA1
  
  f5a1c5ec3dc7003e768ba4141e7594dd8c3bb0bf
- SHA256
  
  d2b763897de705514596ff6fdf9ae0c14df93c669fb0326376f8e4001f8125ee
- SHA512
  
  30ba5d602e7f32c5154a7bc3d250d472f8a81957d500e403a5d63402d069cd2eacfbaef75b6e418e2474f6cadeb534e7117b88ba0e0d666cf81069316ca948ef
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  Crosshair-X/src/main.js
- Size
  
  5KB
- MD5
  
  94589e1c635e6b074d1a66161744b06e
- SHA1
  
  2f94279c8fe24921bca0640bbf829760a3daa4a5
- SHA256
  
  2d6cc7a54d734810261b2a5fbcec0dc98b74e7892b50f6f83444ba8e3eeb9413
- SHA512
  
  c3df673cb174ef76f5b876a7541f617828d50c550cf52759a6178c13ea412a61e4599b7d7bc0bd1c5f6a076585c3e34d9eef81f0e0cb1f6bf2581a1b1aa4dd11
- SSDEEP
  
  96:QH56m/Y5AkCuu4YsdB64/pgXA3oAxpfyUbeMI3ILEWM2cRs2g7HIWyIMaAvpJXp/:QH5NBke+dB64/VxpdaMYmEWjcBgT0J9z
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  Crosshair-X/src/main/alert.js
- Size
  
  874B
- MD5
  
  40f1544be6b46244182125fc7f78f479
- SHA1
  
  ba731f2362b07f83eb82aaaae7e87e64e1a2b4a9
- SHA256
  
  76e06de746fdc777787593550a6b63806afa715adaf8d088ab7896ec0499bb6b
- SHA512
  
  a83c72307005c3f5dcb5a17656b1cd182d9aab91342520b8ce0ca8b5704c98c61fafe172ff115d4148ad06e3247352c3ef9267229fb6a0c902bb56c5b27a0160
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Crosshair-X/src/main/auto-launch.js
- Size
  
  603B
- MD5
  
  63e8d675ee56dd7295f62ad16a8ef04f
- SHA1
  
  0c586a2d6d1433920464b26829921394b3e227aa
- SHA256
  
  c134b364d6ead8e04eceedee530c45bbcda6648a5cbec0ccb19f6d006b33e723
- SHA512
  
  eccc29e0cd87a16cb78afd1ae4e222ffd338106c1ae315053ac64e995bfb6a5ee189e73eab77afa453691c84e889d7116a703362af1a408fdf3fd2b04f03412a
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  Crosshair-X/src/main/auto-update.js
- Size
  
  2KB
- MD5
  
  09bf6f1facc8b25ec64d79c3fe672aa0
- SHA1
  
  4813ed74dcca69eb837c6a389e7c026cc5eba8af
- SHA256
  
  0d310385fe25a709f4d4e783eddc3a286f67ebc2c9b18abb2e20e7c2cf352c50
- SHA512
  
  8dae117cf9acbd9b5891c306e7aadaeb279368983687e1eb227021ae4cb747c2a71571c860319cc7f3a335e528d6de646e4d4ec5623f5dc35060520ec44c7a4d
Score

3^/10

execution
behavioral27 behavioral28
- Target
  
  Crosshair-X/src/main/crossover.js
- Size
  
  13KB
- MD5
  
  2143c6ef00969bd38018dcb0a7900a00
- SHA1
  
  0c5c9c1da68731572d5522aaae26d66fbc006956
- SHA256
  
  c4442f63ab12102d4d5437f559d329cd6b08920dd26d1aaa9f34c679d507734f
- SHA512
  
  22daa50fb93da0546b9a78f4f8967531d6dbb0585459e1070155da849f06237fe4ad8ca8a6d982b9af6abdcdc2ef9aeba59ae3536a7f972f51c3bffd6ce104c5
- SSDEEP
  
  384:g+EwejbpbDL+t7laP5t9yjxoAJ7F/uSvpHuU0kqAH+5Tj2ADqSRd6a3IPD:edeto+7FWSvpHpJW0
Score

3^/10

execution
behavioral29 behavioral30
- Target
  
  Crosshair-X/src/main/dialog.js
- Size
  
  3KB
- MD5
  
  e4429519f10e34a16582531506e50c47
- SHA1
  
  a5f858a64574213795f0808cf6faf275d5223ebd
- SHA256
  
  d9d5726a5c670e7b6fba31021e9bb8d66f4efbeeb27545a9209903e8b035b8bf
- SHA512
  
  e65a3d2a5294992d5a244d0d0d1721208c6f6354704378db62432f9f38f0195c9a3e718d326335d582bdc231be71da9bf1d65104f9942bb411b4f58f7a1f3e2e
Score

3^/10

execution
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Meduza Stealer payload

Meduza family

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32