meduza

Sharing

Copy URL

Twitter E-mail

General

Target

UpdateV4.zip
Size

175.2MB
Sample

241130-fge21atkay
MD5

bf3b4184c09f57a735a28200e974f861
SHA1

1184d6af33e3a7da4e49c40999bb643042c6dc4c
SHA256

da485f602448b5e9d1aeb7fffb94fb5515bb319476ecb6c9e159cef8d96bb46a
SHA512

ba403e78816e3bd109199490d7e7c1406810989d762055587f64c35ab50cc561c930d49210bd3e19f035af32077711b05f040ae49938749792c0578fdd603df8
SSDEEP

3145728:iEZR9BCohjY/J2JCiC2ZKbKIsFfsfgSwkJf7jLrjWKrpbT9XmT4BCohjY/J2JCiL:iEZR5hjSJF2s25NsISxWKrZxwyhjSJFi

Score

10^/10

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Targets

- Target
  
  UpdateV4.zip
- Size
  
  175.2MB
- MD5
  
  bf3b4184c09f57a735a28200e974f861
- SHA1
  
  1184d6af33e3a7da4e49c40999bb643042c6dc4c
- SHA256
  
  da485f602448b5e9d1aeb7fffb94fb5515bb319476ecb6c9e159cef8d96bb46a
- SHA512
  
  ba403e78816e3bd109199490d7e7c1406810989d762055587f64c35ab50cc561c930d49210bd3e19f035af32077711b05f040ae49938749792c0578fdd603df8
- SSDEEP
  
  3145728:iEZR9BCohjY/J2JCiC2ZKbKIsFfsfgSwkJf7jLrjWKrpbT9XmT4BCohjY/J2JCiL:iEZR5hjSJF2s25NsISxWKrZxwyhjSJFi
Score

10^/10

meduza collection discovery spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  New_Update.zip
- Size
  
  175.2MB
- MD5
  
  e8cac11146227444fe2ecb450245bee3
- SHA1
  
  a19bdc8c782da82f34ba2166e1ef47b3edd41ccf
- SHA256
  
  bd098eb28e97190966f71c19a1d9f5e3fe665329cdef521c321ef1ba63a64928
- SHA512
  
  58d2409bfa3dfa0e3581a16530e2fbf87508c9a4486e5884ca005bfa89370489ac870543d9fb97b9c3bea61f2e7628474ec81155503a034452c560dfefe3f075
- SSDEEP
  
  3145728:PEZR9BCohjY/J2JCiC2ZKbKIsFfsfgSwkJf7jLrjWKrpbT9XmT4BCohjY/J2JCie:PEZR5hjSJF2s25NsISxWKrZxwyhjSJFb
Score

7^/10
- Executes dropped EXE
behavioral3 behavioral4
- Target
  
  ClientSDK/90/Shared/Resources/1028/License_SysClrTypes.rtf
- Size
  
  124KB
- MD5
  
  af75df6971c1d09d31549698c1917eb2
- SHA1
  
  737b7c496498eb83cd13433861425b3c58c14f4c
- SHA256
  
  0cb71395534f598d40d12d80d0b1818b2715434a93cc2e4e63bb070aa20c0377
- SHA512
  
  ebcd8004fed3277769e559d5cfd61cda4909f7c4a78c092959432f6435d094300ab3fd422e1453cdcc8f0b0446b52b65bf8520b0dbb185aaf4d996979ebb3837
- SSDEEP
  
  3072:1w4J95k2o5XG0iRyXDlaO2ikE0Nud7T3LZqrJjrJoK2Z8e1UG:hJ9K2o5XRiRyTlaO2ik9Nud7T3LZqrJ6
Score

4^/10

discovery
behavioral5 behavioral6
- Target
  
  ClientSDK/90/Shared/Resources/1031/License_SysClrTypes.rtf
- Size
  
  94KB
- MD5
  
  7bb97c6c5b3fa858710b17b0d75a28b4
- SHA1
  
  b29627a4340a757df129f4098f9c31cbefb521a5
- SHA256
  
  08cd68d8f45c4666f45766b228234a0f79aba1f0a7831fa1a57a68aa8e38109d
- SHA512
  
  968042727ab9e94f79a63093376e98c15e46ef45f38e148cf9ea7dba3980fa8a2cdc682697a274b2ec8b7f7d698fb8ce589b2426336deef85d0a54e4759184c7
- SSDEEP
  
  768:lc4YqWmrDcJiILpro6Qg/rHot6qB/nkQWvY7Ggsb3W3CB8yYGTBOrrw9Cgsb32P4:lcwiIqJ5gZd/
Score

4^/10

discovery
behavioral7 behavioral8
- Target
  
  ClientSDK/ODBC_sdk/170/License Terms/License_msodbcsql_ENU.txt
- Size
  
  11KB
- MD5
  
  07cf3e505b9c844de73d54d0159e55ec
- SHA1
  
  3db89b017a4ca9ed90ae1297dc25ffd7dde5df63
- SHA256
  
  c80b4a4bcc21fe489e877d8cc7b3f3cfe4943801c4bc899a0f3c82244fa0f28a
- SHA512
  
  2b954d025a2278a459445fe809d3ff425797220ed500dfac120991bc1130fbafc4d5025b790aa4d1e84d8d1897f50608b3b3d9e9c111f95bface79d8791bbd3b
- SSDEEP
  
  192:MS8fRlsLqbBDLonGehWyeusZithrBTNH5xc1eKB5wcp6aFWgHSs:MS8fRljbBnoHFeus+rpNH5+1PDDp6aFZ
Score

1^/10
behavioral10 behavioral9
- Target
  
  ClientSDK/ODBC_sdk/170/SDK/Include/msodbcsql.h
- Size
  
  108KB
- MD5
  
  bb869705cc8069a5811eeac7457622f9
- SHA1
  
  7ba894271e8a3f57c6bd8cbb6b480ec468cbba03
- SHA256
  
  3dfa4ac8ba992e3c2751688d192b382911702cc1565c27604b7548a97a5f0fc0
- SHA512
  
  019a1e3b8988b5b4f2b331a35790b31079a126ec4a92e5fbe1a36937c6a3dc407740804e935cb56480a35a65a045c66e89927ef322546a167f1a18d123a63b2a
- SSDEEP
  
  3072:hu37c3X5ybUH8HiHgGBvCWLK4S4YFIrioyAYtAOfV:vyGBvCWLK4S4YFIrioyAeAC
Score

3^/10
behavioral11 behavioral12
- Target
  
  ClientSDK/ODBC_sdk/170/SDK/Lib/x64/msodbcsql17.lib
- Size
  
  6KB
- MD5
  
  73f16ea2744aac5f7d940e270a15d96b
- SHA1
  
  7e1f685fe901aba5f055571e3712c3b96dd27372
- SHA256
  
  5f303761f4c0cdea25535dc52d4cd310308733443df2887103dd488a9f92d5d6
- SHA512
  
  b86d1d45e3d140be227595db43566ff5f83d99cba052d9e207d5337ae73c411efb61c760b9a34a37cc37094e96b5638a67545c36e23cd2a982ee185c73ead487
- SSDEEP
  
  192:GpWH0QpsyzbjX0EKW8JX0vt+RxBxJorDBxqxv5ya7KxmpqxfxJg7oxhxcx1Lx1CA:v9oEoJX0V+RxBxJorDBxqxBya7Kxmpqg
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  ClientSDK/ODBC_sdk/170/SDK/Lib/x86/msodbcsql17.lib
- Size
  
  6KB
- MD5
  
  992fd89649da9582d7f62ea0953943e8
- SHA1
  
  4fbb7e122f086ef27668eb3046786ab562c46123
- SHA256
  
  0ca1e69a010f5c4a8cea193d5144f277c7370157d68fcf45f2e09d7a8c9871e3
- SHA512
  
  e0572abc717dff3891a8d16f9f6a8355a79a9cda97976c1efd45b12cd644077ea10de767b4e33eed77b0f95a70ce1bff141cc84b921e740ad11ea3d40ebadcf2
- SSDEEP
  
  192:3ZaqjLw/BzVj+SasJf2BZ4wfMXm6Dxrx3CWD5quxyfxOx6xaxdxx1xxCxTBxCxVz:kqjLMzVj+SasJFwfMXm6Dxrx3CWD5qu1
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  DAC_DB/bin/1036/DacUnpack.rll
- Size
  
  133KB
- MD5
  
  6e2f9cb3c0ef70c9e0971c76bb30e1e3
- SHA1
  
  7088440e88c458b43fa7d186f3783589db86bfbc
- SHA256
  
  73e72e8a60458e165401dc2b5ab0cbc7444dcf806d5201780ada797f3ead3a83
- SHA512
  
  f7e402ba1585fba3d73e8303ace86f91c983514f8f5ab8925dbacf782a6f259342c5aec8148d11e3472588bce0e1ae41f1c49f5da55e78bb74685ff4b2ed101a
- SSDEEP
  
  768:tzb8oJYg8Hf48aWen+TVP7CUB8h8CgG/yHGpGBIV1SbMcFpypHgkatQi9GfYbcWw:FooFyAJWnPhC+I2McFkpHgTqmAwYezj2
Score

1^/10
behavioral17 behavioral18
- Target
  
  DAC_DB/bin/de/Microsoft.Data.Tools.Utilities.resources.dll
- Size
  
  31KB
- MD5
  
  071f4576ffcc629eca9010606a4a4137
- SHA1
  
  ac45e2cd2c69d372df59f340305823a10c009197
- SHA256
  
  af55eb0c01623a7b3b9ef8125d03cc8a54b764527c7f4bbfa899cf8bda3b1a0d
- SHA512
  
  c12eec9c2475352adee6087d938c4b0e2b8d838c21dc9b323206fab4043fd339feb71b3925716d289284905189df086ee8742fb75f3f7c624ee592a6b3ef8e40
- SSDEEP
  
  768:aIxJyrYJ50T+NdEq8LagJscKYGX4mnyCFjXefh/1lVQBb6FjXHUB:Bg8MElFcx1lVQV6FrHUB
Score

1^/10
behavioral19 behavioral20
- Target
  
  DAC_DB/bin/fr/Microsoft.Data.Tools.Schema.Sql.resources.dll
- Size
  
  1.2MB
- MD5
  
  08aea77a547f418b126beb2cbe6e83f3
- SHA1
  
  32034ed7fef24f0e8a8a26aa23363250893942d7
- SHA256
  
  44699cd41e8e1b46cb964e39ab80ca169b8c5411b0baa40f8fb7b1aa8003d810
- SHA512
  
  07ccd46de2db4ca92c1bc42399611f443f907c24b39c6c18c89bf1df4f0c6ef9775183d682511c4cd77782c0ba93396a1a9f5a7becbec5f5af86c3c16ddcd298
- SSDEEP
  
  6144:jGG2HvMaOYCZWj2tx+yxgc3shLbl9txmyawSan2q/8EvW+P7dOok6YDX2fWyJQtK:n2HvcZ9Hr2F+E
Score

1^/10
behavioral21 behavioral22
- Target
  
  DAC_DB/bin/fr/SqlPackage.resources.dll
- Size
  
  23KB
- MD5
  
  4a1bdcb903cd29e12f2b50ee6779ea19
- SHA1
  
  5073292a2a97d4ca3f0cba4f826175c8f63178c8
- SHA256
  
  6e450ff5f4ac3ddbb1148555fa057982ad4b9c168d7247132bd7c50b98c5a013
- SHA512
  
  a021667fe2db0654e6cb1d4ae01b4b792f960aefafda7816052a89ad92e07d4cf3080fd2fee31534999fa6a21df14830e28ef6ee16ab95973bee68786b43b8df
- SSDEEP
  
  384:OMK0zz39dQzNuc1MG52bcoYMi+iXUciEfB52fNbU1wl7+Gibl2GMly7kT9S14IcK:Bzz39uzNR1MGIbjYMZ4XiEfBIfJuwqbt
Score

1^/10
behavioral23 behavioral24
- Target
  
  DAC_DB/bin/it/DacUnpack.Resources.dll
- Size
  
  153KB
- MD5
  
  8eb108cb899f91a7719e57251fa20b0e
- SHA1
  
  1daf818a148c215cdf20a4d884573bd30cc7fc6a
- SHA256
  
  a06d7b32cd9df7c6c8bde43bf36198488de046393e63421a04dfb530dab5d151
- SHA512
  
  77cc8aa6367a9720e3b527f32f06abff0fcce78275a63a96ba3ac2b11f595c403898a05656cffc14eae585d6701d7a395bfa6db8a8c643bcb69269d6b727cf07
- SSDEEP
  
  1536:fh1MtooFyAJWnPhC+V2McFkpHgTqmADutfRdPE:fOFHWnPhC+VYOwRdPE
Score

1^/10
behavioral25 behavioral26
- Target
  
  DAC_DB/bin/it/Microsoft.Data.Tools.Schema.Sql.resources.dll
- Size
  
  1.2MB
- MD5
  
  197e2fb3e0d732a92774456984977a8d
- SHA1
  
  a4433ea98bd9b12cf07acbcbd88a71b55f4caa04
- SHA256
  
  5f29cf5ceba2efdfd683337ab00d601e0fea076075b4d86703e8de389f02abb3
- SHA512
  
  f3d46b7567e8e0d9054cf473b891debd04bf7e04f1c7342d42db451918d55cba13ee1c6dcdb8dcda89deba3d4f03e9e32657ee615a1e381afafcb746a01c1416
- SSDEEP
  
  6144:lJsx+lW5aLMMgXe4kOoxcF++AmOnGe7qoSDGswfUg4Qhm9ujrzaT+IrI5iNCdTst:3sx+lW5aLmm4zIiOZzlnlyf
Score

1^/10
behavioral27 behavioral28
- Target
  
  DAC_DB/bin/ja/Microsoft.Data.Tools.Schema.Sql.resources.dll
- Size
  
  1.2MB
- MD5
  
  3a46ac2412b5f372ae30e70ae979d99c
- SHA1
  
  fa0f3c8b60ab030ba4784e418825c28c86c51e48
- SHA256
  
  9353bdd8fba8a25871845411037ec00753702b0c1ce05638ea6c2c5a69254af0
- SHA512
  
  4d464a4eced5b9804ba5d62eecf60974e372ff0b58ae9db24b8a3d98275bbefee54236faeafdd95ec7aa4b5aed08151d43693f0849ff93bef6ac8e783b3e92b1
- SSDEEP
  
  6144:vL1SdZHww0HSSQUdNVrPOvftUQdoH/SazGX9dyagxHgCZf8u/WtUPqp4bajjZ1oW:zMHww0HFQVKPbg5
Score

1^/10
behavioral29 behavioral30
- Target
  
  DAC_DB/bin/ja/Microsoft.Data.Tools.Utilities.resources.dll
- Size
  
  33KB
- MD5
  
  1bcf766ed70123c1177b03996b4f4758
- SHA1
  
  35487f70a7c9c06e5853e439fbf50bfaf16d568e
- SHA256
  
  d97f6cf3bca59c1374027058f173a695f64c8fe74562b1d5d240a2f4667a0d0e
- SHA512
  
  a95a74ac9bd90966d9f4867407b41dd3a3b0fae72a8eab08f9195e02857b53e7c9a62ccd9fabf25d6bd4f643f15a9f9681b2ce849b1bd284fcf2a2fe64d3a77e
- SSDEEP
  
  768:2IxJyRKVHLm66qPnQYRUozAXY3qk0GIgXSMb6Fjpvf5:dgSLMkSo6F5x
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Meduza Stealer payload

Meduza family

Downloads MZ/PE file

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32