Overview

overview

10

Static

static

3

Update_13.zip

windows10-ltsc 2021-x64

10

Xeno.exe

windows10-ltsc 2021-x64

Sharing

Copy URL Twitter E-mail

General

  • Target

    Update_13.zip

  • Size

    151.9MB

  • Sample

    241214-z75vwsvlft

  • MD5

    a5721460c2e2af64c81295e06912af7b

  • SHA1

    1601b056fd88e97ab9a99409fae978418c5784ab

  • SHA256

    4b08ab3102e6eda7f4b3815de934f65bc6d0828d843174e4aabb5a6f13899e6f

  • SHA512

    aa66610bebe9c1db3f07d365e836f244061d4f7404f729527f038aef233a0bad08fcaef79da2141bb74f92fd2c81fdc4d6e7dc5a495acfc97249a1ef7826c60f

  • SSDEEP

    3145728:k6D8BJf7jLrjWKrpvT9XIBCohjY/J2JCiC2ZKbKIsFfsfgSwmJf7jLrjWKrpayc6:k6D8fWKrdxShjSJF2s25NsISjWKr8R6

Score
10/10
meduzacollectiondiscoveryspywarestealer

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Santa

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    true

Targets

    • Target

      Update_13.zip

    • Size

      151.9MB

    • MD5

      a5721460c2e2af64c81295e06912af7b

    • SHA1

      1601b056fd88e97ab9a99409fae978418c5784ab

    • SHA256

      4b08ab3102e6eda7f4b3815de934f65bc6d0828d843174e4aabb5a6f13899e6f

    • SHA512

      aa66610bebe9c1db3f07d365e836f244061d4f7404f729527f038aef233a0bad08fcaef79da2141bb74f92fd2c81fdc4d6e7dc5a495acfc97249a1ef7826c60f

    • SSDEEP

      3145728:k6D8BJf7jLrjWKrpvT9XIBCohjY/J2JCiC2ZKbKIsFfsfgSwmJf7jLrjWKrpayc6:k6D8fWKrdxShjSJF2s25NsISjWKr8R6

    Score
    10/10
    meduzacollectiondiscoveryspywarestealer

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

      stealermeduza

    • Meduza Stealer payload

    • Meduza family

      meduza

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      Xeno.exe

    • Size

      523.2MB

    • MD5

      1391df709808858adaa32c7fc680dbec

    • SHA1

      e05bff40b18a09ab850050f68d5607b8ee3597d3

    • SHA256

      e361615674074939b49a67d30a65d1c00b2557a8e89e1eac1b3c2c0fdf24c2fb

    • SHA512

      b9e5519f21190a8e67ef5fcfffcdc61e4f481d24fdfa37539deafc0c371fd650278d60c233e4d38657e187c11d2967a58be3da483092ffea77352603fe70aa11

    • SSDEEP

      49152:d57YWl8bbPdrRPy2P0M7FGbhFVSYqdkTWGbqNXvXGO:d57plQ1rRPyQRUbhFVSDoWGbqNv2O

    Score
    1/10
    behavioral2

MITRE ATT&CK Enterprise v15

Tasks