General

  • Target

    2024-12-13_c66316c2b46e9cf8e3a5c289b610968d_cobalt-strike_ryuk

  • Size

    3.1MB

  • Sample

    241213-r5dpma1phw

  • MD5

    c66316c2b46e9cf8e3a5c289b610968d

  • SHA1

    ffd192774a5c2a16d9b4f6f27ccc546e9815151d

  • SHA256

    179621c7da6240aaa0bf19941285620996e87e319d50e0887849544e58ddf1c5

  • SHA512

    04682f8a3f8d54d41254dc582b17b162a74aa2959738bd5175aa49cff0a66d50af5b6662d2b7cc2d0c8ec4b06525a9a345d9d1b2224c6fe4d7ea48d8876944fa

  • SSDEEP

    24576:SBvZQzRT8jw30B6O4vJl5aipxSuVCJDxVmEAIQy/hoJFJ5AckJQzcuRl3A077P0J:ui8ONO4PS92y/6AcdQwFP0+2Kw

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    SEO2.0

  • extensions

    .txt; .doc; .xlsx

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      2024-12-13_c66316c2b46e9cf8e3a5c289b610968d_cobalt-strike_ryuk

    • Size

      3.1MB

    • MD5

      c66316c2b46e9cf8e3a5c289b610968d

    • SHA1

      ffd192774a5c2a16d9b4f6f27ccc546e9815151d

    • SHA256

      179621c7da6240aaa0bf19941285620996e87e319d50e0887849544e58ddf1c5

    • SHA512

      04682f8a3f8d54d41254dc582b17b162a74aa2959738bd5175aa49cff0a66d50af5b6662d2b7cc2d0c8ec4b06525a9a345d9d1b2224c6fe4d7ea48d8876944fa

    • SSDEEP

      24576:SBvZQzRT8jw30B6O4vJl5aipxSuVCJDxVmEAIQy/hoJFJ5AckJQzcuRl3A077P0J:ui8ONO4PS92y/6AcdQwFP0+2Kw

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks