General

  • Target

    2024-12-09_e755c5290033aa89a9a7277fe311fe8a_ryuk

  • Size

    4.1MB

  • Sample

    241209-cd6trsspaj

  • MD5

    e755c5290033aa89a9a7277fe311fe8a

  • SHA1

    a39b3013081332222d75fcb3ce0bed2710c50f1d

  • SHA256

    c9c30d0cc68bff295257d298e3cdcf2e24f13d1bbcd363efe8c7e18a23aa54d6

  • SHA512

    8f5cfaee881556a62981df49da11c08de2751dfaecfafeb92478f456a276054df98f3b9e47ded755472043417ccadb9e768d06a803f4857b887d29fb8e76f1d2

  • SSDEEP

    49152:Xl4UjB0jUuzLH5H0SpimE2bn+Z6srZ3+kQjh/IA:14UjKguCA

Malware Config

Extracted

Family

meduza

C2

109.107.181.162

Attributes

  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    782

  • extensions

    none

  • grabber_max_size

    1.048576e+06

  • links

    none

  • port

    15666

  • self_destruct

    true

Targets

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
