General

  • Target

    2024-11-18_2c4c10262e5593b2959b865f24ebfced_ryuk

  • Size

    3.6MB

  • Sample

    241118-cbyelszphj

  • MD5

    2c4c10262e5593b2959b865f24ebfced

  • SHA1

    b648bbac2c6d612080a0e3500d93cdfb05dead95

  • SHA256

    cfd16c5e23c09bc2eb0cc56bc13dd480b5aec86e5a077e2e1a81251b8f58e467

  • SHA512

    71b346c1c31c8bb2ef52176669765fdaeee7c02483109587e2a7583561d8439bcc8b38df9cf297b1b2611f70d097cd807bc79dba07137e4e2af9864518816638

  • SSDEEP

    49152:7+suA+uKb6Ji8yiW93rZMVmEM0jGiCzED:7Xu5u

Malware Config

Extracted

Family

meduza

C2

127.0.0.1

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Meduza

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite;.kdbx

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      2024-11-18_2c4c10262e5593b2959b865f24ebfced_ryuk

    • Size

      3.6MB

    • MD5

      2c4c10262e5593b2959b865f24ebfced

    • SHA1

      b648bbac2c6d612080a0e3500d93cdfb05dead95

    • SHA256

      cfd16c5e23c09bc2eb0cc56bc13dd480b5aec86e5a077e2e1a81251b8f58e467

    • SHA512

      71b346c1c31c8bb2ef52176669765fdaeee7c02483109587e2a7583561d8439bcc8b38df9cf297b1b2611f70d097cd807bc79dba07137e4e2af9864518816638

    • SSDEEP

      49152:7+suA+uKb6Ji8yiW93rZMVmEM0jGiCzED:7Xu5u

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks