meduza | 797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96

General

Target

797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe
Size

2.5MB
MD5

4f03dcb1e44a6b89d910cb4f41198172
SHA1

4b14b8244f5cd389c20fba033823be6b489c854e
SHA256

797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96
SHA512

27a7a4acadaee21da7d80e08d62b898a8f9d9f3375f85ce6c72e4244b20b63f437c932cb6722a236effb128e6eae34e6f49851f4d6d033076d4c6aeb27147fe7
SSDEEP

49152:pLIbv9GOcDhnSV/vwyTgoypdxxR6ch2CL04r+y/PioT8uNPqmQ0rFPYrxV:0LwyTgoIdL8YeuNSFl

Score

10^/10

meduza stealer

Malware Config

Extracted

Family

meduza

C2

79.137.202.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Kitten
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4840-4-0x0000000140000000-0x0000000140117000-memory.dmp	family_meduza
behavioral2/memory/4840-7-0x0000000140000000-0x0000000140117000-memory.dmp	family_meduza
behavioral2/memory/4840-9-0x0000000140000000-0x0000000140117000-memory.dmp	family_meduza
behavioral2/memory/4840-10-0x0000000140000000-0x0000000140117000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe

Executes dropped EXE 1 IoCs

pid	Process
4840	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe

Loads dropped DLL 1 IoCs

pid	Process
3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3604 set thread context of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe:a.dll	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84
PID 3604 wrote to memory of 4840	3604	797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe	84

C:\Users\Admin\AppData\Local\Temp\797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe
"C:\Users\Admin\AppData\Local\Temp\797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe
  "C:\Users\Admin\AppData\Local\Temp\797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe

Filesize
2.5MB

MD5
4f03dcb1e44a6b89d910cb4f41198172

SHA1
4b14b8244f5cd389c20fba033823be6b489c854e

SHA256
797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96

SHA512
27a7a4acadaee21da7d80e08d62b898a8f9d9f3375f85ce6c72e4244b20b63f437c932cb6722a236effb128e6eae34e6f49851f4d6d033076d4c6aeb27147fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\797b58eb15a41e4afea788e4bff6d0ebe57af68a9db7c06fff0420e8adb0da96.exe:a.dll

Filesize
1.2MB

MD5
27f11b0f8061976bbd30212cc067349a

SHA1
9419308473893983bb82195221f54fb526eed86d

SHA256
2c5d1801b28d7ec27b230f0ff8b952d86b2cf36002be2c0bc583a204b1809eec

SHA512
9869f032a5001b4df378a169c57185105423af1e57706b8118262cfb21b80b21cdbdd73cef67da937174da8ca2da7b959f3cc3c6a0c89370864abfea834d8646

Download Submit
memory/3604-6-0x00007FF622940000-0x00007FF622BBD000-memory.dmp

Filesize
2.5MB

Download
memory/3604-8-0x00007FFA387B0000-0x00007FFA388EF000-memory.dmp

Filesize
1.2MB

Download
memory/4840-4-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/4840-7-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/4840-9-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/4840-10-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing