General

  • Target

    2024-11-16_dd0b9382bc7d77840b168800bc8cb812_ryuk

  • Size

    4.1MB

  • Sample

    241116-tc9ygayje1

  • MD5

    dd0b9382bc7d77840b168800bc8cb812

  • SHA1

    d5b635efbf79662929b311572e41d7ea612749cc

  • SHA256

    93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29

  • SHA512

    d59b6f1496eade71a929c054523fa4815b5786226e0f1a62a6c0855ce5f2d2759ade49f1c00f657474c87a0d0a8a01fbc49644a766dde3556ccc9994152679de

  • SSDEEP

    49152:qxGK0l3e3uIR/ubXjQI9WOizBV4gxvQwnZ:qxGK09yuyZ

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Work

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      2024-11-16_dd0b9382bc7d77840b168800bc8cb812_ryuk

    • Size

      4.1MB

    • MD5

      dd0b9382bc7d77840b168800bc8cb812

    • SHA1

      d5b635efbf79662929b311572e41d7ea612749cc

    • SHA256

      93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29

    • SHA512

      d59b6f1496eade71a929c054523fa4815b5786226e0f1a62a6c0855ce5f2d2759ade49f1c00f657474c87a0d0a8a01fbc49644a766dde3556ccc9994152679de

    • SSDEEP

      49152:qxGK0l3e3uIR/ubXjQI9WOizBV4gxvQwnZ:qxGK09yuyZ

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks