General

  • Target

    1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe

  • Size

    70.3MB

  • Sample

    241116-cky3haxhqq

  • MD5

    34685447de7a88a522e09b360da83bb8

  • SHA1

    d7a051403a980d484bc4e6be11491c7d27b7c6b1

  • SHA256

    1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e

  • SHA512

    ab29904572ecf226832aac8ecf3ad2e0d5f24c1292b25b3af67741352aa428c008b875447f5a61fd03974ba6ef0433a22e4f11d44efb3b21ef5dd9f9d3972eb8

  • SSDEEP

    6144:9ykTQp8xurN4JlU94SyTKJPpTHf3zZOckmhrK:9JTQp8AiJl6+YxzfDZLK

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Work

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e.exe

    • Size

      70.3MB

    • MD5

      34685447de7a88a522e09b360da83bb8

    • SHA1

      d7a051403a980d484bc4e6be11491c7d27b7c6b1

    • SHA256

      1164a8f550cdcca584fbef5b09a9acb89fa79fbde89a66e92e1b45dcaa982c8e

    • SHA512

      ab29904572ecf226832aac8ecf3ad2e0d5f24c1292b25b3af67741352aa428c008b875447f5a61fd03974ba6ef0433a22e4f11d44efb3b21ef5dd9f9d3972eb8

    • SSDEEP

      6144:9ykTQp8xurN4JlU94SyTKJPpTHf3zZOckmhrK:9JTQp8AiJl6+YxzfDZLK

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks