meduza

Resubmissions

29-11-2024 14:08

241129-rfpqlazjg1 10

29-11-2024 14:03

241129-rcyjbsyrd1 10

Sharing

Copy URL

Twitter E-mail

General

Target

RobloxInjector.zip
Size

60.2MB
Sample

241129-rfpqlazjg1
MD5

2ed3af541da6acaa73c0834dd058cbed
SHA1

2b539e7e92de69df9e9a3535c85f8374c936f8d5
SHA256

0ee6265fb360ff4f06ac38b3f69689d3e74889a8ed9f92c2cb21a90e9efb2263
SHA512

c373a8ca06de30fbdf16285f9f7c16b337767cada484e9839a2152a7b3e3e587300f589d99271ae941c80741fe17266af5ee021ca73950880b088cd0d1c9f6f1
SSDEEP

1572864:rMziE5+be6mjti/cVpUa4KLyzV050UW6OHG5j/e1NgBxkVqvvFAusYA:ron4eZj/pUa4PG5nW6OIjcNgvKusT

Score

10^/10

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Work
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Targets

- Target
  
  RobloxInjector.exe
- Size
  
  643.6MB
- MD5
  
  a726fea7cdd1d2a92cbeac73348b421e
- SHA1
  
  a5f69df93108582acc64f6dd657ba8bbcf3f59a0
- SHA256
  
  e64730dd7dafd54e6c2071bd4ea593183bea7f13cb9565b49868b791c0038fc1
- SHA512
  
  08eea35ade0f717e8e4dd642d3d6d43ccd9961744ce88847f8f6550c95b5c3e4262cda5587041f40fcb3151acdfee21341c3de014e244c167c0167bb2dce47dd
- SSDEEP
  
  196608:SQMOi4kWU+f6zuiVkwzAqdyT+Qf+RLmN45Rk:SQMOddff6PVkwttQf+RLy45R
Score

10^/10

meduza stealer collection discovery spyware
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  bin/d3dcompiler_43.dll
- Size
  
  2.0MB
- MD5
  
  1c9b45e87528b8bb8cfa884ea0099a85
- SHA1
  
  98be17e1d324790a5b206e1ea1cc4e64fbe21240
- SHA256
  
  2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c
- SHA512
  
  b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34
- SSDEEP
  
  49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  bin/reports/gfsdk_aftermath_lib.x64.dll
- Size
  
  1.2MB
- MD5
  
  820a8d1a32385a355c8b568fe15c8a54
- SHA1
  
  f53f6f4c0114f022e0fd9bd32181c2268e1cb178
- SHA256
  
  38ebf6883aa8ffa94f7c1d70817aaee32a283a7a135ed3ddc383a513dee959f2
- SHA512
  
  00ff27e355a03d4142c783485a8e930215ae2536c20fb4bab806f220e61488229cf96ccb668a8bf8eb280950188f99bd443181c79344ce70d608fdb36c204999
- SSDEEP
  
  24576:UBKGscNMHvIajUhvPQ5sxjB7cIgTnAewIokkJMLd8lz4cV:UBKGsfHvIAUJQ5sxjB7cIgTnAzIruMWZ
Score

1^/10
behavioral5 behavioral6
- Target
  
  bin/reports/libmpg123-0.dll
- Size
  
  343KB
- MD5
  
  3f7eaeae23e4314139b52979c9a18702
- SHA1
  
  4e64337033f6a7db7d0355c6a2b54c0cbc037e3c
- SHA256
  
  24e71004d29377b42a5145acdac4195da073a3a0b8e96d9a37b286fb09b2cba7
- SHA512
  
  e0090dc693711ea5fa061b6dcc9bd7f0f81f281b000b3d77ad2c4777a367fa3f7c3d0628668d0f6afabad8fc05c508f5014198de79b6cc4e2b890d2e916516ff
- SSDEEP
  
  6144:Mb9EIu7V5XCvMGyyXts3Hilvqj5euBtYJFSv+:Mb9pYXCUGyv3HWv0HIJFSv+
Score

1^/10
behavioral7 behavioral8
- Target
  
  bin/tbb12.dll
- Size
  
  374KB
- MD5
  
  123404fa3ab377e006e8bb777dc58b36
- SHA1
  
  f716b9bc1dd30bd903c377de8ba08d1dee2827c0
- SHA256
  
  061f3b283b3e5b24c5ac45772ee19e2f4b24cdacb3ff8ae4f815fe62836e5a45
- SHA512
  
  4762511c8f75f0ee88e0b0c030fc4ded3681bd95f57b44d858a5f97bfb918d8f51df7fbed2fd473e3bd491ffec4dc1a290c3894a985cd2d7a959de140659782e
- SSDEEP
  
  3072:LMz+pybccWv9lxKs66IYtmm17NakuCzbLModItR4KzdyHohj6bdJ9qDyh6tm4MBS:LMqpyOlxKOmm17NfLPSwKL8ItmhxpLO
Score

1^/10
behavioral10 behavioral9
- Target
  
  lib/CEF3.dll
- Size
  
  695KB
- MD5
  
  1340a58ff6cf1847f322e405761abab1
- SHA1
  
  c2861973d7371e7eba69a9ccbb32172c982a09bd
- SHA256
  
  8c70385d509677b3a501f2b708e5f6178544405ad88357869a166e9913d46baa
- SHA512
  
  a6605c37e3741b9e3424d7cce9f10c535248f227f90995fae4b729812597b1f9350170e29c6200d77d3d21709bcea756c3839fcf81965752389999055c1905b5
- SSDEEP
  
  12288:antsZ5qc7rU0oHg5I16p6mRnBAvrXS7wd:a+qc7rloHg5I16p7nBAvEwd
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  lib/CSteamworks.dll
- Size
  
  117KB
- MD5
  
  cd09cdd6fe37e2e30ecbad5663df5523
- SHA1
  
  0e4f1dbc4a5bdaed8629651fa9f9599141085e08
- SHA256
  
  21da08ace79c2443067180ec7efcf5358d21d79e2befa8ffe217541edf02acf1
- SHA512
  
  42523b2a3eb1185584bc81896e772c644602842ab5dbdc7d6358045afa5b25a39aa1157c4841a9990dfb0070502d52866dd679f171821b70218ddb3da1616de7
- SSDEEP
  
  1536:I7GrXp0h5u3iAzEB3OOUlFaP4enQBVbctQbU+NH06YUWrSJyyC:I7GrXp0/uyOcUPbVbEQgi0brSQyC
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  lib/HttpServer.dll
- Size
  
  168KB
- MD5
  
  8a4a581ea13389c0de4f074d9356cdb5
- SHA1
  
  7959c191345a101e44bd405525fccc1673a4031f
- SHA256
  
  cef2b90e93aced611df477cdfa6eaa358850375b4061142012bbef8eac96751a
- SHA512
  
  0ad0e5f7bb9000ea7597d3f53b0ea572c71f4c0737ef396c204c7c8038730a43494823fe6969f99048210414dbc041704b639a5c9852957b2cfcb02a0cd25c68
- SSDEEP
  
  3072:GOzneiLHIf0k6eGTup/Sn0XnGTVDkFl0TgbWKSXkzM/du74A4:jnei7ISeIup/jXn+864
Score

1^/10
behavioral15 behavioral16
- Target
  
  lib/Qt5Concurrent.dll
- Size
  
  128KB
- MD5
  
  31955f92dd3ca70cab821b6199018ebf
- SHA1
  
  3177661f6e066460f2c859d2d5453323b68d6eda
- SHA256
  
  d4a01961fff02cc38ab906d3bffaeb49db893edc624f840e06d07985086db29f
- SHA512
  
  ec5b65741685882008769abd68fb88cf12c58b0b9d76f0a6326f352ee7a78cc4567473c50e9abe12fd8af0c06bb1ae9840ee0d5f78024580aaaf1c34e0b14504
- SSDEEP
  
  3072:3Q8Eh7XgsZxlePu00k7hkNKSBMU+m3EkbnW6//V:3rg7wmePu01CXrUkV
Score

1^/10
behavioral17 behavioral18
- Target
  
  lib/Qt5Core.dll
- Size
  
  6.0MB
- MD5
  
  c49ac6ad9630be526b2f9c3a9f094b53
- SHA1
  
  5f5173c825810bbd849e32b5e6e2cb32f6c456d2
- SHA256
  
  b72018655360463896edbd86b120be6dfa7235ae8a0aaa728165cb496573acb9
- SHA512
  
  31ac473ddd3a7d4b93b9e5d023c5fa964543683b9a0429381e0ab30079a0bea39c77196533d1f94381a787ddbeae28087861f450a23b10a79192cc80cc6c9d66
- SSDEEP
  
  98304:T9eXMaQVsUlo3PakaZJsv6tWKFdu9C7izxqfhSsbyMI:EXMaQVsUlmjaZJsv6tWKFdu9C72xqfh2
Score

1^/10
behavioral19 behavioral20
- Target
  
  lib/d3dcompiler_43.dll
- Size
  
  2.0MB
- MD5
  
  1c9b45e87528b8bb8cfa884ea0099a85
- SHA1
  
  98be17e1d324790a5b206e1ea1cc4e64fbe21240
- SHA256
  
  2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c
- SHA512
  
  b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34
- SSDEEP
  
  49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  lib/d3dcompiler_47.dll
- Size
  
  3.5MB
- MD5
  
  02e034cd47aa9a633f6aaef348dbbba0
- SHA1
  
  424682cf2f3878c0195f0f4cd250856a0ef871b8
- SHA256
  
  ff86503cdb204570491a81bd45fd9812652ba20a1bbbaf2533b7203fc4469854
- SHA512
  
  0ffb5efaef0780be68633957a40e27c76625a6558a14d0671c85ac3cf8810f3c1e79f3281084dc05034b69447e999c420c1d248503001454c62d0eff320fd6e1
- SSDEEP
  
  49152:DXxztRVg63VCssRWQnP73DPFeYjLpZyLpsRug4TJz07+GN:DBzrVgoVCbLxTpkpsRugYiN
Score

3^/10

discovery
behavioral23
- Target
  
  lib/lit/CEF3.dll
- Size
  
  695KB
- MD5
  
  1340a58ff6cf1847f322e405761abab1
- SHA1
  
  c2861973d7371e7eba69a9ccbb32172c982a09bd
- SHA256
  
  8c70385d509677b3a501f2b708e5f6178544405ad88357869a166e9913d46baa
- SHA512
  
  a6605c37e3741b9e3424d7cce9f10c535248f227f90995fae4b729812597b1f9350170e29c6200d77d3d21709bcea756c3839fcf81965752389999055c1905b5
- SSDEEP
  
  12288:antsZ5qc7rU0oHg5I16p6mRnBAvrXS7wd:a+qc7rloHg5I16p7nBAvEwd
Score

3^/10

discovery
behavioral24 behavioral25
- Target
  
  lib/lit/CSteamworks.dll
- Size
  
  117KB
- MD5
  
  cd09cdd6fe37e2e30ecbad5663df5523
- SHA1
  
  0e4f1dbc4a5bdaed8629651fa9f9599141085e08
- SHA256
  
  21da08ace79c2443067180ec7efcf5358d21d79e2befa8ffe217541edf02acf1
- SHA512
  
  42523b2a3eb1185584bc81896e772c644602842ab5dbdc7d6358045afa5b25a39aa1157c4841a9990dfb0070502d52866dd679f171821b70218ddb3da1616de7
- SSDEEP
  
  1536:I7GrXp0h5u3iAzEB3OOUlFaP4enQBVbctQbU+NH06YUWrSJyyC:I7GrXp0/uyOcUPbVbEQgi0brSQyC
Score

3^/10

discovery
behavioral26 behavioral27
- Target
  
  lib/lit/HttpServer.dll
- Size
  
  168KB
- MD5
  
  8a4a581ea13389c0de4f074d9356cdb5
- SHA1
  
  7959c191345a101e44bd405525fccc1673a4031f
- SHA256
  
  cef2b90e93aced611df477cdfa6eaa358850375b4061142012bbef8eac96751a
- SHA512
  
  0ad0e5f7bb9000ea7597d3f53b0ea572c71f4c0737ef396c204c7c8038730a43494823fe6969f99048210414dbc041704b639a5c9852957b2cfcb02a0cd25c68
- SSDEEP
  
  3072:GOzneiLHIf0k6eGTup/Sn0XnGTVDkFl0TgbWKSXkzM/du74A4:jnei7ISeIup/jXn+864
Score

1^/10
behavioral28 behavioral29
- Target
  
  lib/lit/d3dcompiler_43.dll
- Size
  
  2.0MB
- MD5
  
  1c9b45e87528b8bb8cfa884ea0099a85
- SHA1
  
  98be17e1d324790a5b206e1ea1cc4e64fbe21240
- SHA256
  
  2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c
- SHA512
  
  b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34
- SSDEEP
  
  49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
Score

3^/10

discovery
behavioral30 behavioral31
- Target
  
  lib/lit/d3dcompiler_47.dll
- Size
  
  3.5MB
- MD5
  
  02e034cd47aa9a633f6aaef348dbbba0
- SHA1
  
  424682cf2f3878c0195f0f4cd250856a0ef871b8
- SHA256
  
  ff86503cdb204570491a81bd45fd9812652ba20a1bbbaf2533b7203fc4469854
- SHA512
  
  0ffb5efaef0780be68633957a40e27c76625a6558a14d0671c85ac3cf8810f3c1e79f3281084dc05034b69447e999c420c1d248503001454c62d0eff320fd6e1
- SSDEEP
  
  49152:DXxztRVg63VCssRWQnP73DPFeYjLpZyLpsRug4TJz07+GN:DBzrVgoVCbLxTpkpsRugYiN
Score

3^/10

discovery
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Meduza Stealer payload

Meduza family

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32