General

  • Target

    e4b3eb482bd3d7c29067eacd1e52a0256e49cc1560889822f81f34202c6bd6e5.zip

  • Size

    1.7MB

  • Sample

    241115-nmq1fstcrk

  • MD5

    04e9cdc7c6495536c01624fe0c9050fd

  • SHA1

    fc6cfce674b7735c5ba1dc9f0f613555f1d23334

  • SHA256

    e4b3eb482bd3d7c29067eacd1e52a0256e49cc1560889822f81f34202c6bd6e5

  • SHA512

    6f5ffbc6efad0e49d14dad8bf653b746491186f760fb13cca2ecd573ceae8cff5c3e16185b022d5c75819d90af64a5b515eb7f1649d26fbd55a3c0c49af2e19e

  • SSDEEP

    49152:p2b1O57sp9A1nCh0Dz2oTtfS0b8D+7uSdKWB:J54pF1ojsWB

Malware Config

Extracted

Family

lumma

C2

https://servicedny.site

https://authorisev.site

https://faulteyotk.site

https://dilemmadu.site

https://contemteny.site

https://goalyfeastz.site

https://opposezmny.site

https://seallysl.site

https://forbidstow.site

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Mazti

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    3.145728e+06

  • port

    15666

  • self_destruct

    true

Targets

    • Target

      Crack.exe

    • Size

      2.5MB

    • MD5

      713454ca909efaf3a83b636423a6c248

    • SHA1

      6c197870b9646b90f5b55bdcd4cfd07019864e98

    • SHA256

      9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad

    • SHA512

      8a31b7fdfe7a4d1c21f7af401e14c7ae7b420e66bab2fc8310c1341fc8b559a80a12b6b3fb1544358f1e505eb931e466abdf1bd3289618846c4a9167b789a80b

    • SSDEEP

      24576:xf2KQ7MvYPh0lhSMXlJu78bG8AQs7QZqxwB42EyuzCBorM5c9ech:tpHvZM78b9Ab7aTEZzwoN

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      WindowsManager.dll

    • Size

      433KB

    • MD5

      5b7211145cb919b8cac505949d35caa8

    • SHA1

      6373c7181bfc64cf140630219db2aefbca2c9f62

    • SHA256

      29363cf4cd506dcfbfa2f3d954e2130b85db8068c0a8acae7982a6f1fa657c90

    • SHA512

      b553730dc97cfa5e3e920b2484d157757539c7728c693bbce189f911deb5e3697c12eb4bb847d714fc8f83bf481245574ded807e88317b2dd039c97a71384571

    • SSDEEP

      12288:CI11++JcRZtddofKKrzHPJ3ii0bL7E6t7y22a:CIKRZtddoPrjR3sP7RtuS

    Score
    1/10
    • Target

      assets/TapInstaller.dll

    • Size

      25KB

    • MD5

      9cac1ad2f768d22e4aaae577097df7f3

    • SHA1

      b059d99cdd50c46948bd6e4ac264c2fe53169b22

    • SHA256

      9c050c82c065fe5e7553e73393e59d0b3ca3372e6d590d6eb074b014dab0ea78

    • SHA512

      22d59282a9b2aab81884ad1b1391c16755e895b2b79466fc163f30a8e9035498b371781ea0fab40b6e79313a9a54fe90b8903ecb8ad29471eebd02ce269a0be4

    • SSDEEP

      384:hxB7Wf+NkjZwWqXteRRUUmi/6XLNrtMQJK2+Katf5kKFKjqfvGBkSG00:/kjSoghrW29skKFKcMkP00

    Score
    1/10
    • Target

      assets/WSearchMigPlugin.dll

    • Size

      134KB

    • MD5

      b74eb945013d95409a3e071c4029cb02

    • SHA1

      d087775c3f00e9c27842cc44bcb27c0f334a865b

    • SHA256

      2bdbbd40df3b199cd8ebfc359be451971527e602ab999e23fae524f8edab0ef1

    • SHA512

      3c1e8d24a4d0eadec0beb7c3288bbb290d018ddaa104df9e65db0de0d7543ab77c4139de6b20382925e35bb1ee303dca12b2ea418770c70dde33f26be06a1c48

    • SSDEEP

      3072:PBBD02DY32F5K7lxgtRx3aHCHGA+48xgJJ5x5N3DPZtQ68f69ru:PBBD02U32F5K7KRxKiHGAP37QXfS

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      assets/WpcMigration.Uplevel.dll

    • Size

      231KB

    • MD5

      c92661b900b934ce4e4b7d047aba74e5

    • SHA1

      abf1d9b1058fb1f14a091985bd3fa3c2e9140702

    • SHA256

      85302fc70223988f2e94c5b443afe8c95f73695f60778bdc8cd5e1316a701841

    • SHA512

      34921fccfc07d4080c22d7ff056e92df2bfee61f82212501c9c86d532131c43b2b3655e101439396b887a53180159cb372b222e649bcd7d48ed9952df0a22f6d

    • SSDEEP

      3072:aqJFmRDHgpg2Ri14Myz56tvi8UKLBWAUG/+vufW4369gNbv6K9kd+GAmA8C/y:a0otLkMVizsBXUi6qNdkd+GAmA8

    Score
    1/10
    • Target

      assets/WsUpgrade.dll

    • Size

      201KB

    • MD5

      9d99b0e88cc4eaa43141dea9e31ed3be

    • SHA1

      442e48476650e97cfac8e8088a7315b9804be0c1

    • SHA256

      061de26f44da62a17eecb71f078ef90a9c8784e7c58500984314c74b32c12e46

    • SHA512

      2a0cd7adf67e535cf4a40988d6da4ee69970694875504ea7f7e68cef19e01675557bd3021d867c2bb837d1c3e8287d710259c921967324255c53d0351c6d48df

    • SSDEEP

      3072:a0qV+qDh/7k8Rr92ZSbTP6c27UxDOUreaNQbmOhG7/tfxvharBjnt:a0qVHV1IwTPrFtOe/tzarB7

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      library/ARSoft.Tools.Net.dll

    • Size

      302KB

    • MD5

      452def66509f01d15b43e4c57176d1d8

    • SHA1

      fb3438a1b191fb75c76d22023c3478a585756463

    • SHA256

      f1fe59774bf1fd914aea33459631837569d78e2c1a68d8c544cb498fcdbbef10

    • SHA512

      c5ded39b6f8961bf9e1b77fb07fc41ac321f2e5b9e7a0c4d3a55cf7debb483384b51a8abade6edb9601ea2871cfba65886582cceefcc5010f45c819ec30c625e

    • SSDEEP

      6144:/AUw1rf4dPEliWDLdQCc88UviewobzUY+GsKAZ:qbiy3Zc88UtFfU

    Score
    1/10
    • Target

      library/Autofac.dll

    • Size

      236KB

    • MD5

      f879f97c67c2d03cd47bb7ab1e6dfd51

    • SHA1

      a65ec6943e9eb3ca7001f7bc310475709a949d08

    • SHA256

      02c445f70273eff02d30055c83e77ce7434dd24f6da485b0231e88b2675795dc

    • SHA512

      882db30f98796339a610ce5e5ddd8ad161e231fdd75c5ebd3e552fbb44a618faa09904b01c7c7dcf5834a350a2170c516838bc5de363a89a3a01bb6e0171970a

    • SSDEEP

      3072:g36EQo/nAmrSwxl6g6o9We/Bwdc2lSG+qR/EWJS6A6g73yRhxgByGP/aw4cQSOhZ:gBclGKpT6zbcZAhdPSVuoxnBDPTS

    Score
    1/10
    • Target

      library/GalaSoft.MvvmLight.Platform.dll

    • Size

      23KB

    • MD5

      99a0483ce79d57b52b6a1eacd5f86a12

    • SHA1

      443fc60ab490eefea76859cd263fafa15fed26a1

    • SHA256

      16a051d25e5256348affa9f64a0919f69efd860c8fd3c3b28cea0a9fa126cd4f

    • SHA512

      977719f32b0a4bd10f584a0ee82e7c69664a2a75533f1a3c7799eb89bd5d7c98cece830538372fb7e2263f3c99942ada1e90de50e0ba0e59dfacb8ab8e66d20c

    • SSDEEP

      384:2KKUx+mQv787wr/igP39cVT0ojR97dKRSX8iPyZA3gs/bHMQJK2+KatfzNKFKjqI:DKnW3g/oTZjR97dJXTPyA3gs/bk29+Nn

    Score
    1/10
    • Target

      library/GalaSoft.MvvmLight.dll

    • Size

      50KB

    • MD5

      0fe3d6671024ea3d78aa18dd5adfa613

    • SHA1

      3dfdfa5a20c3ded2908198c85aa04b9dae024441

    • SHA256

      3baba32bdbcd1f2e715724e41ad97878bdb9fb7b7f85dfadc2f98d6cd68932fb

    • SHA512

      84b7a7104ea5cce7c713c6bc2e8c686a684b78fe4949367db6652d285d3d01ebe594070cc993456fac9a21ac2f7a39180ecaf6013d674fce4e42206d0c1c6c55

    • SSDEEP

      768:5nVF+heuJxTH6yaDSpAyYZbT0gJHTCNQYRWCiD5MaIN7UAifpzNJ2Ox/KpEsD+KQ:5VKLY5T0gUNQQiltEifpv2sCWRyIr

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks