meduza

Sharing

Copy URL

Twitter E-mail

General

Target

SolaraRobl.zip
Size

66.9MB
Sample

241207-achdnsvmhz
MD5

fcd533bb3964b88e4bd4552a5b531f48
SHA1

820b53ea94f0ebb919493897a62858cfde3f1f0c
SHA256

0257bf562a0b7f9c64a56b31ab1926076df0245f5cbe33d3ce2b5c1261c3c2ea
SHA512

cb6d85fd5271cc028e23e859b4eee88cba82e2ddc3b78959ad4f28b7bc3e630808f3d6b7d0b00df6b5d3b718de456e8759359f870c8dd0757040c6ab417d3aa0
SSDEEP

1572864:kciw52iy1VJmRUwuseDluOWxrS2y+gi4GYcs3iZpZsORbTnb+vUEXVIaSHDaAlIC:kcF2VJwROeu2Qic73I6ORbTnasEWaSey

Score

10^/10

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Work
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Targets

- Target
  
  Solara.exe
- Size
  
  702.3MB
- MD5
  
  4a8663562de787bd73373e3beb354ec4
- SHA1
  
  7f47d22c13d7ba5d9468ab4eaed15e4db4558d3f
- SHA256
  
  5a11f62b542cfdad4639e490ba312cf0a911edcccbee98dd859ca7c9af19313b
- SHA512
  
  63cd2069a9fb8371d22c71a15138fc07632044ff40654428bd9c1ed1091bf266f6d00346dc1a24442afb2094340b536a3970e77eed80af5c82818736e19f2b08
- SSDEEP
  
  24576:45gG2YYesWBxQiZhPoRHfIlhwBn9POOUKGlIaAI/+r5pGFccM4L+0RRKc9EeMbDx:4572gDjQOPmfnBROOUKGoAocLFRNAFG
Score

10^/10

meduza stealer collection discovery spyware
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  bin/d3dcompiler_43.dll
- Size
  
  2.0MB
- MD5
  
  1c9b45e87528b8bb8cfa884ea0099a85
- SHA1
  
  98be17e1d324790a5b206e1ea1cc4e64fbe21240
- SHA256
  
  2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c
- SHA512
  
  b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34
- SSDEEP
  
  49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  bin/libEGL.dll
- Size
  
  90KB
- MD5
  
  50c717ab7624384b2b2d8a953263beb2
- SHA1
  
  58d82865ab86a193f8f6ff1cbf7677525f6e217d
- SHA256
  
  63580999b8210315b664e7742b6d4f59e587d20b4d0826072a5ef311c6f25b74
- SHA512
  
  8caac7982eba6380df162b62353088339754ff211847e3921dd74f239e8a980d588b36db385acbd2ba0edcaebcfb4d272eb0405672dc158e58666b6f695a02b4
- SSDEEP
  
  1536:KGP6HhCY9bVfdiVkfynyCjUzjBUpgmsWS4dMOe9dl58Zh3Cz0b:KGPG/xViVk4yOUz26KPWHiyzy
Score

1^/10
behavioral5 behavioral6
- Target
  
  bin/libGLESv2.dll
- Size
  
  3.7MB
- MD5
  
  dd3f55559ca3eb1a89e7d696c8c5de53
- SHA1
  
  ce2785277d60aa366e6faf3c3318d5767a3d949e
- SHA256
  
  99f261fa5a69dd2b3bd6192aaf72a0d9f88d769a311fac87963658a7573ec669
- SHA512
  
  bd47d44177970c08bb645f0e92011b2c9143c016d2baaf03a55f26e5e4fc157f1273fda49320815c0cbaa34b531c7fd1f28fa37d2486104d486063b138d75739
- SSDEEP
  
  49152:oVgDuIkH0auiXZR2oWisTDLKvka5A9rC1Mw50uaj3cRhONxp7Im8TV659Zx/M70M:QgDWXv96pjkwpcTB5Vf
Score

1^/10
behavioral7 behavioral8
- Target
  
  bin/libcrypto-1_1-x64.dll
- Size
  
  3.3MB
- MD5
  
  3390d76a13973bd46b512bf257c171c8
- SHA1
  
  cd269f1f752c272e3868b4dd6dc65464715ae0b0
- SHA256
  
  deb034588ef43db62809cc2c599374894bf7fef5df990da6eaaa0674fbec0301
- SHA512
  
  8d714e4859ffe4beb2c6a499b4d62cd549679411b5af2b50ec4f75e522e7af1943c4c29cc5d4266409351c596c6a0bb470e4ec0301e23425191f059752458620
- SSDEEP
  
  49152:cVwASOC3IU6ixBGtlqREzGbOggxFSAnVJcjp15QAMa4OHjbtNPA6UsQ0H1CPwDvF:l4+0SgbhVUsIjJW6UsB1CPwDv3uFfJ
Score

1^/10
behavioral10 behavioral9
- Target
  
  bin/natives_blob.bin
- Size
  
  240KB
- MD5
  
  94855c31f6c24656a6d67ceae0b04cca
- SHA1
  
  1d5346516d5f1f7546d4400ca3eea55022ddd9bd
- SHA256
  
  20210a0e530832a0267d584015eecb331c2ac0d841faf7b36feb9d326c32c113
- SHA512
  
  1043759ed4b4e1df6f05724cf5132bbcf410bc5d6ffe791ad243a6c66a577965993d72908f032805bdc14ee8b69f93417535fcc8b38bfdb006de20f7c7b0d1c4
- SSDEEP
  
  3072:kUotXVrxNpyXcsR/H/UxRjh7z5/w7JrMCOL2ZHJSSC/s9a:kUopVrxNpyXcsRf/UxRjhxw7JoCOLuI
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  bin/pydantic/__init__.cp312-win_amd64.pyd
- Size
  
  34KB
- MD5
  
  3d6e5bd4d480c8b6de04ee7b366fd1a7
- SHA1
  
  6b82a10757ea9b0935869dad758bdd79ff0a4047
- SHA256
  
  74936fbe39d47f391a7b8cf095a7a67b190265e401f7d4103e47113534595b21
- SHA512
  
  764f1dddc3bcd60687fc5e226f2bcaa5e9ada0762b5ff14a1dacc5c34c3d6950fb2a264f81ee086e6e8d0d5ea2df9cc2c5d3c19c46e23171622139d8025fbc71
- SSDEEP
  
  384:KXIR3YdiuoNfksmra5aWVFT+lGE1ADDeLm8uemVrJxC2XNrt9mgg5G/9:pR3mQNfkk7T+l1kSLt8vXNPg5+
Score

1^/10
behavioral13 behavioral14
- Target
  
  bin/pydantic/_hypothesis_plugin.cp312-win_amd64.pyd
- Size
  
  137KB
- MD5
  
  8e1a415e1e712540239276bdbc978317
- SHA1
  
  d74fa9398b7f322fbec55bb435fed2519d9c0179
- SHA256
  
  9a263c966f961a344393f10ef2fd2600e37cb0556715ef3de14a6ae25c9e9897
- SHA512
  
  219c7817a00f3faa33bb17cd960b454370bb765399692fff4a6baa0ff7ba5e50513ef8d514d07198a201071e7851fb126b82c0f1b91560ce76d5a6f33adea151
- SSDEEP
  
  3072:PKPvxqmrYtO8j1As5byiuwq2hbqaIQY6qun+qiYOPoYFkL7fW:P+ZrY1Bt5byiuwq2hbqaIQY6qun+RYcP
Score

1^/10
behavioral15 behavioral16
- Target
  
  bin/pydantic/annotated_types.cp312-win_amd64.pyd
- Size
  
  64KB
- MD5
  
  1251c9c662771fa9bffc7768a0fbb16b
- SHA1
  
  1bfcf4ca1a17a9e4970abbaaa7b80fa9d5bbee86
- SHA256
  
  ed04f36f6ba461c9f6f3cf9f3c5cfd7021b511e321a04002bab1c7672aab46a1
- SHA512
  
  7c6422c063405c61541bba1bc7d77837eb42a3312cd415a6e8ae52ac4480643aae4d2defa95bdea6417ae5532e46ae3962c9c2aed6328b06971702ef88e694e4
- SSDEEP
  
  768:VgKtIKukRDOedBN/8w0JEOtPC4c9fQOspVEmtDpeasP7Jrp46uN/:mKtIKxndBNkt9pTVHM7JrwN
Score

1^/10
behavioral17 behavioral18
- Target
  
  bin/pydantic/class_validators.cp312-win_amd64.pyd
- Size
  
  179KB
- MD5
  
  152d1b2db2161a1339735a644eaacdb5
- SHA1
  
  94c10e0dfe811e990109565ba369d4fcc6b634ce
- SHA256
  
  f16eaa7e5024affd6d7e97441f570ea5c151ea3060041acfc70cc68ffeac9586
- SHA512
  
  4cca996bf3de2c8c1b95cc947c4247799a570c03175ca3f1ccf46714f1d94020faa3009d08ef40a0d6482b55e7e32259dac5e5ad6317a5ea60c9c62c587e8cee
- SSDEEP
  
  3072:Esf0QqQGVWiFZLq4Sh9BpofA9iqGz+B3W5fKC64plrI/X:rf6TVWcZSIzdiC6WlE/
Score

1^/10
behavioral19 behavioral20
- Target
  
  bin/pydantic/color.cp312-win_amd64.pyd
- Size
  
  203KB
- MD5
  
  dc830e828da3e1f55a2f185b0a19c3dc
- SHA1
  
  8ba65c743fc536a486055e9d1dcc27df77ebd054
- SHA256
  
  c9717ff3f4ccefa6b2b3042f6b81bb0bfc766a5b69c18d2537c4a70015ae7266
- SHA512
  
  cb725bfd7d2e876c1c421b4e29ec9dc56f1d3b2940d0f281cef6acc5e38f6cb485de77bc835b5a22462039531519e9dc5b4bffc7a4d515d6affed32f61a54cea
- SSDEEP
  
  6144:QaB4FLnEHVonCQXl3A5zhbVd0IEDV4xF3:65C9qIEa
Score

1^/10
behavioral21 behavioral22
- Target
  
  bin/pydantic/config.cp312-win_amd64.pyd
- Size
  
  74KB
- MD5
  
  7b21c805b93cd7f2932f6b0dbab268a6
- SHA1
  
  4678bcdb7f06f98208daf854f3a910d90dec9808
- SHA256
  
  628df2c66ca3dcf51622ced6e3b94284ff8c6356529ff38d06817cc0ccea0eb4
- SHA512
  
  b7d37f7937824349ebd97a63ec95eda87b3f2f36cab91dc947de8abc7f15113cb44f1b2ccb628a146921b4ea0b14ef43c9ba0939f29ca6bf6073fa853617d6bd
- SSDEEP
  
  768:0iijBFta2FRxvSMwxBBv0metgQw018+1ZOiwdOfEc9Y7NAZLJOlf+WSFqJw4r1XY:8VB/ptwhVWS7VOfYOZ54r1Yw
Score

1^/10
behavioral23 behavioral24
- Target
  
  bin/pydantic/dataclasses.cp312-win_amd64.pyd
- Size
  
  180KB
- MD5
  
  7e01b7640f04fbcbff82d1ed74bb98b9
- SHA1
  
  6bc793b1cbe83c03230f21432d04b5fbcd7949c6
- SHA256
  
  5a09d4c4dfcd1023791eb259faeb8e756828cd4953de60482a56d20a03cfd8c7
- SHA512
  
  4f55e98c655a0bcaa8b016f4714cc36888d6a1c4dbe07a71b9922b07227987f8d9d1e36d248c354cc21b52e525f3ad69956f8281be5ec750a7306547f3f359ae
- SSDEEP
  
  1536:ylnRLcLwaoynZJd3EzrVaLbAEx/v96E/vH5BwEMKG1vabEaJvAJbGggIaM9hOUa0:QRLgPogjd0z8FvHTU0zJDiiiYeNRw8
Score

1^/10
behavioral25 behavioral26
- Target
  
  bin/pydantic/datetime_parse.cp312-win_amd64.pyd
- Size
  
  83KB
- MD5
  
  4c80f635cc426ef438c02731774b1fd3
- SHA1
  
  119dacfd687004c93b072dca624fa610ce852a55
- SHA256
  
  cb04127023c052720f37f7abdcd21e9ee0b061672059a5d8727a50d064963837
- SHA512
  
  10b9fce253a27c9d3df32ea52df15f4fb84e9123d9517829857e661a3657e5ee068601a623cbd9b526d639a12a89d84859dd95d8774309dbd160afbedc186946
- SSDEEP
  
  1536:Qm21L2SZjx2Q9/eNIa1xXVB+WnQ+t1pJV5ME9GrEUfKfKx0zHb8V/as:g1iSZjx2Q9/a1xXL+WnQ+jpJV5MWUCf
Score

1^/10
behavioral27 behavioral28
- Target
  
  bin/pydantic/decorator.cp312-win_amd64.pyd
- Size
  
  124KB
- MD5
  
  dc6eb0d48d94b06577521e435a6026d7
- SHA1
  
  81ae1314df8cb19b4ef39ca1d5268354baecafb1
- SHA256
  
  73f5adbba91f3d5865512273eda792ae038967d4ceb633144196dc824c72e807
- SHA512
  
  3c1c3ea1e36dc55338b036f6639ab5868859381d9d5d8d8b2e4f0e649a770d54c84007b559082cb0af8f43c3466cbe3554870d4ca261a6301755d1ffcd5abe6f
- SSDEEP
  
  3072:2hj9FLIOL5UF32SvfA0BX3kwoV70ll1qATQ+7W9:2hj9F8gUFmwfA0BX3kwoV70llwAvW
Score

1^/10
behavioral29 behavioral30
- Target
  
  bin/pydantic/env_settings.cp312-win_amd64.pyd
- Size
  
  162KB
- MD5
  
  f07eafa63354a32c582b82714fe32479
- SHA1
  
  6dbfa3197e2047f42dce07a584114324cd06bac6
- SHA256
  
  99946918487dac5baf70502001f1b21eac2fd59e1cd7b0f805f22c6fe1c91b69
- SHA512
  
  3814264363d53cb9ee946bb355b45b939933ca84c6786c8422d0cb1232a929476b69460d9e7743924ef5df5c96876cd6c199eaa07b36d3cc0e979e1715079621
- SSDEEP
  
  3072:QmcGwMpdhv4p8DpMoXreFbomSMX9KUs4du6MlIXFSVHDZ19oAbBwyUN24E:QmZwIdhvYmhXreFnDXMUsqu6MlIXFSVf
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Meduza Stealer payload

Meduza family

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32