meduza

Sharing

Copy URL

Twitter E-mail

General

Target

e3d44a5dbe4a4d2f6a20006499541c5907502b14723acc3ce4e07c3a6e3aedc7.zip
Size

53.2MB
Sample

241115-dmcsqaxmcv
MD5

34a89d77819be910779b48603bc45c60
SHA1

5ac7d7bad35486e92df01508755819b87a7d7541
SHA256

e3d44a5dbe4a4d2f6a20006499541c5907502b14723acc3ce4e07c3a6e3aedc7
SHA512

9a42dc00f0d9889496431f1c5b6b500cbf0a6fab13d34f969d231004a38c0eba5a1d54f9fd472439c20ea0d7ebf0378aa790f4afddaed6e76e763bde7831acad
SSDEEP

1572864:6Ua4KLyzV050UW6OHG5j/e1NgBxkVpbziE5+be6mjti/cVa:6Ua4PG5nW6OIjcNP/n4eZj/a

Score

10^/10

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Work
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Targets

- Target
  
  Roblox_Injector.exe
- Size
  
  82.3MB
- MD5
  
  0994ad249360e6fbaa2481fbd27dd46a
- SHA1
  
  fe89644ae6d153345921ea89105563af9af2c378
- SHA256
  
  34fbe8cbffafe77563844bc553d2f908dcadb3f850b2655c1e4cbdeb290b5883
- SHA512
  
  bd514c4694f9bbfe51e3d902ae7c82788f26a3ef934b031439c2c747ccf182b898af8463b1ebf44d44a05691de8eba7eb9005899e56ed8b68930fe27cd294cfc
- SSDEEP
  
  6144:HCW+QKVcORrNvIorfohjt3XVcORrNvIorfohjt3Z:4QKVcurNAHDVcurNAHt
Score

10^/10

meduza collection discovery execution spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  bin/d3dcompiler_43.dll
- Size
  
  2.0MB
- MD5
  
  1c9b45e87528b8bb8cfa884ea0099a85
- SHA1
  
  98be17e1d324790a5b206e1ea1cc4e64fbe21240
- SHA256
  
  2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c
- SHA512
  
  b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34
- SSDEEP
  
  49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  bin/libEGL.dll
- Size
  
  90KB
- MD5
  
  50c717ab7624384b2b2d8a953263beb2
- SHA1
  
  58d82865ab86a193f8f6ff1cbf7677525f6e217d
- SHA256
  
  63580999b8210315b664e7742b6d4f59e587d20b4d0826072a5ef311c6f25b74
- SHA512
  
  8caac7982eba6380df162b62353088339754ff211847e3921dd74f239e8a980d588b36db385acbd2ba0edcaebcfb4d272eb0405672dc158e58666b6f695a02b4
- SSDEEP
  
  1536:KGP6HhCY9bVfdiVkfynyCjUzjBUpgmsWS4dMOe9dl58Zh3Cz0b:KGPG/xViVk4yOUz26KPWHiyzy
Score

1^/10
behavioral5 behavioral6
- Target
  
  bin/libGLESv2.dll
- Size
  
  3.7MB
- MD5
  
  dd3f55559ca3eb1a89e7d696c8c5de53
- SHA1
  
  ce2785277d60aa366e6faf3c3318d5767a3d949e
- SHA256
  
  99f261fa5a69dd2b3bd6192aaf72a0d9f88d769a311fac87963658a7573ec669
- SHA512
  
  bd47d44177970c08bb645f0e92011b2c9143c016d2baaf03a55f26e5e4fc157f1273fda49320815c0cbaa34b531c7fd1f28fa37d2486104d486063b138d75739
- SSDEEP
  
  49152:oVgDuIkH0auiXZR2oWisTDLKvka5A9rC1Mw50uaj3cRhONxp7Im8TV659Zx/M70M:QgDWXv96pjkwpcTB5Vf
Score

1^/10
behavioral7 behavioral8
- Target
  
  bin/libcrypto-1_1-x64.dll
- Size
  
  3.3MB
- MD5
  
  3390d76a13973bd46b512bf257c171c8
- SHA1
  
  cd269f1f752c272e3868b4dd6dc65464715ae0b0
- SHA256
  
  deb034588ef43db62809cc2c599374894bf7fef5df990da6eaaa0674fbec0301
- SHA512
  
  8d714e4859ffe4beb2c6a499b4d62cd549679411b5af2b50ec4f75e522e7af1943c4c29cc5d4266409351c596c6a0bb470e4ec0301e23425191f059752458620
- SSDEEP
  
  49152:cVwASOC3IU6ixBGtlqREzGbOggxFSAnVJcjp15QAMa4OHjbtNPA6UsQ0H1CPwDvF:l4+0SgbhVUsIjJW6UsB1CPwDv3uFfJ
Score

1^/10
behavioral10 behavioral9
- Target
  
  bin/natives_blob.bin
- Size
  
  240KB
- MD5
  
  94855c31f6c24656a6d67ceae0b04cca
- SHA1
  
  1d5346516d5f1f7546d4400ca3eea55022ddd9bd
- SHA256
  
  20210a0e530832a0267d584015eecb331c2ac0d841faf7b36feb9d326c32c113
- SHA512
  
  1043759ed4b4e1df6f05724cf5132bbcf410bc5d6ffe791ad243a6c66a577965993d72908f032805bdc14ee8b69f93417535fcc8b38bfdb006de20f7c7b0d1c4
- SSDEEP
  
  3072:kUotXVrxNpyXcsR/H/UxRjh7z5/w7JrMCOL2ZHJSSC/s9a:kUopVrxNpyXcsRf/UxRjhxw7JoCOLuI
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  bin/reports/amd_ags_x64.dll
- Size
  
  177KB
- MD5
  
  c69e3e05bf240d7762286833e39c9029
- SHA1
  
  0bc12517a8ee4173867d54081a6d26527ab62672
- SHA256
  
  2449e8339e0f031bc4f954398f5917b8eb5a2d20c32d4688a083d5dd9f637ab8
- SHA512
  
  655ba29b6dc96d88a188647f8b4a0dbf8dfaac2d9c33269105bc0985afb4d8bd1b8d6daa0d3cf11e6c9fd82ee174fca6d2607adf826d01da5edaa42a21266cf3
- SSDEEP
  
  3072:ZbGOZiVbwfB/GT0yAajwsw3iTW2jl+uToE23JKjBaBW/L:ZbGOZ1BK0yAajw+W2jl+Al28L
Score

1^/10
behavioral13 behavioral14
- Target
  
  bin/reports/animationsystem.dll
- Size
  
  6.0MB
- MD5
  
  0e1bf601bffc4b5e4cdd6deb75d59b83
- SHA1
  
  8909467b21fb6e6095e7aa2944234518e5ed7bfd
- SHA256
  
  9697e7f265210559b0cb5aa023cd0b1cfbbb50cad06d8c38905aba012bcdb229
- SHA512
  
  3b87fe9fb2b8f066da6f144c2fc55f7e36b0cff2a0b88ef29a04995fd34a95b02416bb5334ab4608ee4439f71703b77eddfc10426617f3681715686558dc22d1
- SSDEEP
  
  49152:QWyF999XhMwgz32urMXhLztNyDL6FMNDR/7PSIcKewd9XCFrvOWqOXFIgnHTbzXl:3sX9i207EC5gna2v7S7Qpcu
Score

1^/10
behavioral15 behavioral16
- Target
  
  bin/reports/assetpreview.dll
- Size
  
  5.4MB
- MD5
  
  92791e8fe8f475b0f10525a93afda182
- SHA1
  
  301a963889cb181777e448f9b974eaa4effc2181
- SHA256
  
  386b8145f1db7797d659cddda75a4cab8ebd930d2e9c9e83474b768ad5a87e2f
- SHA512
  
  d089f2bbef45e33f9f2eb680a539d089fe542171979ba87956004e20595435acd18a1c23304534d2377eaf236a358801fb2a1a400dba8c662b89ae0af3045e15
- SSDEEP
  
  98304:eLILqiln5Meagy6A7Bka2RdfoUZbzkBfd:eLILrnry6A7Bka2RdfoUZ/kBd
Score

1^/10
behavioral17 behavioral18
- Target
  
  bin/reports/ati_compress_wrapper.dll
- Size
  
  736KB
- MD5
  
  6289cb9973840bde3258392cc07b4420
- SHA1
  
  84aaa5491087ffb7aa5453f48bdf3a837839f770
- SHA256
  
  59b8e6afa8bd163213b63bbc8b7af18e495ddebee801ebda39ef62fd559901c3
- SHA512
  
  8e64cdfa9f916b1b86a2e1798562c61d63bd13920e5d76a4a80d74f46991219961ca8354d359fcddfaba25b358254e632c73a4c74f61b444cad4fe6f10c6f0c1
- SSDEEP
  
  12288:nWVwk2whmH7nU7OV/EWvpu1jvb+HE8SHs3dv/T58kr1Jmy:nEhmH7nU7OV/E4c1TMy8N8Hy
Score

1^/10
behavioral19 behavioral20
- Target
  
  bin/reports/cs2.exe
- Size
  
  2.8MB
- MD5
  
  6c4bec50e1f595caa7f308fbe1de3c4a
- SHA1
  
  fc063651fcc015100f5107fb789a2cd2a39966ff
- SHA256
  
  96fb21e9e74f9c1b1bac42d0553ee9eba93e55bb6fd32a18165dc4c3d75ccd24
- SHA512
  
  0e9ebcefc2018e8665be19d5620c60dbf0209e9007f00a5b6cb4a74f3c6fa3f8ea604b09d2484970034392dc6c88a9a45cc66d7c1de47a1e701ff2bf0df3a58f
- SSDEEP
  
  12288:Prv+M0vksnul4PKgN6AqBCjta3CR5riFJnO+xtb5QqvcJCCFVdRTLnsJGU:TvX0Mi69SD5MJnO+xsqvcgCFVbcJGU
Score

1^/10
behavioral21 behavioral22
- Target
  
  bin/reports/d3dcompiler_47.dll
- Size
  
  4.1MB
- MD5
  
  222d020bd33c90170a8296adc1b7036a
- SHA1
  
  612e6f443d927330b9b8ac13cc4a2a6b959cee48
- SHA256
  
  4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3
- SHA512
  
  ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6
- SSDEEP
  
  49152:D5EfJYiVk9w6hAPqzag2At6i5K/8Ub6Lg3MEq/NHiQTtVr+5kb62QgdD6zoodr7P:l7iNPWHYE+Bnm8
Score

1^/10
behavioral23
- Target
  
  bin/reports/dbghelp.dll
- Size
  
  1.5MB
- MD5
  
  a5e4b3ff51cf5b7926d9651908feb666
- SHA1
  
  4ef5d229709e40f3f84e46c3a28341eadbd1a044
- SHA256
  
  13f0c74845318b52b76e6000564b1a99c37de48422b44ac74d034fa222c65a23
- SHA512
  
  0615ff581b648715461349b1622fbc208042fc8c395cb2d271203b25b036f59edb0fc3470065dc15061af1be0fff48981f55bbea7f00c88906e9b470764a86fa
- SSDEEP
  
  24576:xU5lL6v/X5lknycQFrQ8gKt/X95WqbQLZopKjMcqpzd1YWLfY:Kni/X5lknDFUCaQLq8
Score

1^/10
behavioral24 behavioral25
- Target
  
  bin/reports/engine2.dll
- Size
  
  5.7MB
- MD5
  
  002869af9a2cacb11010ba04ebad84f5
- SHA1
  
  f3c33917301c983c0635a5f89e504fe72a325ad6
- SHA256
  
  a288aa28f68225c5af0aea2dbfcb9e13eea04d41383d2ee7fdc06b9a0f8bb8f6
- SHA512
  
  0831366bea7122498e40b29febe311863c146eebfe2c00cb2bbcab62d39d5e29f189290dfb3806e33b03717eb8def480959cee2e8d15cc29bcb6d28a96b7d035
- SSDEEP
  
  98304:cDiPlCM18Qd0z1DEIQUt6vNce2rnnOmFNkETX:S+CM18Qd0zVETxFceFm7
Score

1^/10
behavioral26 behavioral27
- Target
  
  bin/reports/filesystem_stdio.dll
- Size
  
  2.1MB
- MD5
  
  35b2ad0e8f6f73ae8808b3b92d9e176e
- SHA1
  
  d28ebd01da8494d0054d6eafec49fe219e45932a
- SHA256
  
  2d86739d202c4803559c19fc6f5f8b6b44a3df5181a1075f994a4c1279c8d111
- SHA512
  
  1b2520de20236cdc0e515a84ce2b093250e5c1ada61e2b2add75a58268535123ccd35c06bcef2cfa1afa716fa48cdd2cd5de4029294b6d91f06e53d9cf3c1789
- SSDEEP
  
  49152:kOjPWZbTKuk214ScfZ8Jh2b/anK9GjXLmn/DnogdjnIU6iMLPQDW:kSqKB7nogds+bDW
Score

1^/10
behavioral28 behavioral29
- Target
  
  bin/reports/gfsdk_aftermath_lib.x64.dll
- Size
  
  1.2MB
- MD5
  
  820a8d1a32385a355c8b568fe15c8a54
- SHA1
  
  f53f6f4c0114f022e0fd9bd32181c2268e1cb178
- SHA256
  
  38ebf6883aa8ffa94f7c1d70817aaee32a283a7a135ed3ddc383a513dee959f2
- SHA512
  
  00ff27e355a03d4142c783485a8e930215ae2536c20fb4bab806f220e61488229cf96ccb668a8bf8eb280950188f99bd443181c79344ce70d608fdb36c204999
- SSDEEP
  
  24576:UBKGscNMHvIajUhvPQ5sxjB7cIgTnAewIokkJMLd8lz4cV:UBKGsfHvIAUJQ5sxjB7cIgTnAzIruMWZ
Score

1^/10
behavioral30 behavioral31
- Target
  
  bin/reports/helpsystem.dll
- Size
  
  670KB
- MD5
  
  a9bd3d9ff8cb2cc307a1ffcb9f919b65
- SHA1
  
  3ec5e68ce8a61f127491e503f3dd8bec1f25d634
- SHA256
  
  643762ea2a16b1ddf982e72a12c0c73263918a7fd6a8d1e81104559b39f12c53
- SHA512
  
  9a29a979bf27861bdd77d77781836cc9a843d23148b98921167e33d5a643b5c7b931816690dca29206eb67666dddb47e9fd2ef550b4318cc0b77f1f09f862fc1
- SSDEEP
  
  12288:NHdecaFFJZz0lvV9rW17p4ZAePX2g6S01qrF6DcizW+JJE29c6Ijx:NHdlaX3u9072iePUS08pwTzWZrx
Score

1^/10
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Meduza Stealer payload

Meduza family

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32