General

  • Target

    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk

  • Size

    3.1MB

  • Sample

    241214-lsdwzaxrdv

  • MD5

    36b15b22ccf73ecfec445f9bd7dc59ff

  • SHA1

    4736a7feb57398e3efde894647b038014ced93dc

  • SHA256

    b4de7f656a143cb9a5a1836836f0e90d1707a92e66685d15d54e3eb203fa9476

  • SHA512

    fd36ea7181b4c3466cc9401bd10e67a138935f0098480629b51d88cd498ae346f910e4fbd138c7b59d2dd56f6ad59de05e1dddeec5be724cb7cc812060f23be5

  • SSDEEP

    24576:SBvVKjsyoZlCOjSXM8ZiPC9RSjFqfH48RdFNE2YRM+MBgOoJ14/fe7P/e:uJXjoM80dX87FNE7ME7P

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    SEO2.0

  • extensions

    .txt; .doc; .xlsx

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk

    • Size

      3.1MB

    • MD5

      36b15b22ccf73ecfec445f9bd7dc59ff

    • SHA1

      4736a7feb57398e3efde894647b038014ced93dc

    • SHA256

      b4de7f656a143cb9a5a1836836f0e90d1707a92e66685d15d54e3eb203fa9476

    • SHA512

      fd36ea7181b4c3466cc9401bd10e67a138935f0098480629b51d88cd498ae346f910e4fbd138c7b59d2dd56f6ad59de05e1dddeec5be724cb7cc812060f23be5

    • SSDEEP

      24576:SBvVKjsyoZlCOjSXM8ZiPC9RSjFqfH48RdFNE2YRM+MBgOoJ14/fe7P/e:uJXjoM80dX87FNE7ME7P

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks