General

  • Target

    SynExec.zip

  • Size

    68.8MB

  • Sample

    241209-sqk1tssjey

  • MD5

    5b5589cb62e24de5ba498bcdfffd1066

  • SHA1

    9667785b5187c6b72e05f22cad3d6e58e4f62ed0

  • SHA256

    729968b92882fba172918f18c7c6246c33e6a4ed7f3b85f8f4eea73aab45c346

  • SHA512

    9258ec09db16804c336f05635a8585798b4f7d75739e13dfecdb6f0b59449adc3cda96a33c5394c123625cb359376e0f2c76cac0ff98f3d0a80b7f1c78f0944f

  • SSDEEP

    1572864:0ciw52iy1VJmRUwuseDluOWxrS2y+gi4GYcs498UiZpZsORbTnb+vUEXVIaSHDa9:0cF2VJwROeu2Qic745I6ORbTnasEWaSe

Malware Config

Extracted

  • Family

    meduza

  • C2

    45.130.145.152

Attributes

  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Work

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      Synapse.exe

    • Size

      654.2MB

    • MD5

      d9f3ff1ec9ac3aa14f6186320d4da207

    • SHA1

      a9c0eda0727b55306c91be738edb800d1b34950c

    • SHA256

      239289ad6236e2da8ff163019e1addb94a1697f2efc991904121f8575c725e05

    • SHA512

      eac3df15a76bb14b0e4423aa8c305bdc2cfa4db91a7411784f5208209db0816e44a010395ca304a749d79b91239c0a39378c96f40c0526c82bbcb1f5fc15d533

    • SSDEEP

      98304:A5774MykUq3JDinr5mQwWrxVU8Cy/Dul:m7lFZutrxrxmnyLE

    • Meduza

      Meduza is a cryptocurrency wallet and information stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15