General

  • Target

    Xeno.rar

  • Size

    2.0MB

  • Sample

    241209-jl8fws1lbv

  • MD5

    67b103622d5df8fc6d622a8e6fe32f08

  • SHA1

    0908ed7e113cac097853aed55090a1c616770d97

  • SHA256

    ce6ce51ff5758f51325e85d03f81d60a2c604c117efc8e7f24d70a29b8f5d1ac

  • SHA512

    7d61b9238bb4e7e81eb444c1713c61ec96fac58d07441c67d315b94d4b88524d3065793e096358077ce253e8939a19c0d30c2ca1c0153aac4014d755b925619b

  • SSDEEP

    49152:rihZv8enXtHTckffeJa+TGU7gJv1T/E7Ov78L3VXUVpS+sIlOs4:UxnXtHhe1TzgJdrY0qSy+sIlOs4

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Oxoxox

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    3.145728e+06

  • port

    15666

  • self_destruct

    true

Targets

    • Target

      Xeno.exe

    • Size

      649.1MB

    • MD5

      3b9c084d35bedcfe4cf7b306ecbf78ac

    • SHA1

      24ae90b623cddc6666d8fca32d279f75a8c293e3

    • SHA256

      d794c2ac1b5a6783f1754e61f9efa20e627e1798319210db326761d7516df88b

    • SHA512

      18b610cea4e05502b86b70008c4bd1f8f414e1d6793a1c3136181f5dfffdb2391c0d31f36dc899b393cb4d3a37ef6b9734c7c8020f13440d10b35d19fabb79b6

    • SSDEEP

      49152:c57nFOOBDBLH/oDfHqvBeROOUKGoAocLFRNAYnsL1C:c57QOBDBbcfHuSOTKGFLbNn+

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks