General

  • Target: PolysyApp_Installer.zip

  • Size: 113.9MB

  • Sample: 241211-q5z27avnbt

  • MD5: d1ae81f5a0eac760a80e7d0377d7e0bb

  • SHA1: 61085e85f50eaa905454de1b79117147ef49f116

  • SHA256: 2eeabe0491d6ed0ce9b810de803af42f9653adae4f4674cab59f8154e1e12888

  • SHA512: 6242e56d42a47b9471859718edfc25d167eccc7b71ac3a6459f6f0f6d94d902737b03ef44d0f5e9251d365ad70ae79431b6aaff5cac33e08ac7cad6f9379b780

  • SSDEEP: 1572864:FRPSPMNhBW1Mpx67DUd8G8mQGUPXmp7ZQhi5jiuWjg+1OfG746ISSowXhiVrIFgT:3jhgDUpvDUPsZOLtjgmq46fXKTqtPY

Malware Config

Targets

    • Target: Polysy_Launcher.exe

    • Size: 199KB

    • MD5: de1cac479c4e6835736353a50f9971bb

    • SHA1: 29f661c7966146e01c520ed986248649596f0604

    • SHA256: 738913f52e0c4028bceecf7d81c446fa4319519729d227cf5d4eeabd78f472c2

    • SHA512: a411aa5df40f9fd69afbde612f32ac2c44bb18c7e277e8fb126d55ecbc3a024b8ef5b6515c738d75e0b7c436f33f6e8d6673930a6e654fbc72276909d9cce9ef

    • SSDEEP: 384:gjLWLV6hIElJtDINwNfyPI4HRs6AuOow60IIIaebvokSA2Sr6XOxukts1q1zk/zy:9LkteVlHR7VskidgZYcV69izh

    • Meduza

      Meduza is a crypto-wallet and information stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
