meduza | 9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad

General

Target

9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe
Size

2.5MB
MD5

713454ca909efaf3a83b636423a6c248
SHA1

6c197870b9646b90f5b55bdcd4cfd07019864e98
SHA256

9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad
SHA512

8a31b7fdfe7a4d1c21f7af401e14c7ae7b420e66bab2fc8310c1341fc8b559a80a12b6b3fb1544358f1e505eb931e466abdf1bd3289618846c4a9167b789a80b
SSDEEP

24576:xf2KQ7MvYPh0lhSMXlJu78bG8AQs7QZqxwB42EyuzCBorM5c9ech:tpHvZM78b9Ab7aTEZzwoN

Score

10^/10

meduza stealer

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Mazti
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2380-0-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-9-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-8-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-7-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-14-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-13-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-11-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-10-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-5-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-4-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-3-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza
behavioral1/memory/2380-2-0x0000000001BD0000-0x0000000001DCA000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	api.ipify.org
5	api.ipify.org

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe

description	pid	Process
Token: SeDebugPrivilege	2380	9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe
Token: SeImpersonatePrivilege	2380	9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe

description	pid	Process	procid_target
PID 2380 wrote to memory of 2536	2380	9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe	30
PID 2380 wrote to memory of 2536	2380	9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe	30
PID 2380 wrote to memory of 2536	2380	9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe	30

C:\Users\Admin\AppData\Local\Temp\9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe
"C:\Users\Admin\AppData\Local\Temp\9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2380 -s 648
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2380-0-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-9-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-8-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-7-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-14-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-13-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-11-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-10-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-5-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-4-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-3-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download
memory/2380-2-0x0000000001BD0000-0x0000000001DCA000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads