General

  • Target

    Lost Wallet Finder.zip

  • Size

    2.4MB

  • Sample

    241220-2rjzlawjh1

  • MD5

    1dd5938f1c9297734bb2f68320f1e15b

  • SHA1

    779f122ca36f99bd6c3d7f8487aeff9d899ab87b

  • SHA256

    7f4755eb840841ebd840f9573cf376b011afbf22829fbe2b7ac15df4167d99ac

  • SHA512

    a4249b49d323a4a9fb052797fcd3bc6a57ae5273e6380c81ee309f2d42b944c5206784b4523c1a6ad814a844bf3accadfea5b32f202d3ba743780e9ac0419984

  • SSDEEP

    49152:gEatR/fPylEO4/oGnJ0f1WodLw221335IZgJUvwxuYdQIsUNpTO7/CAxe:4LfPy/knJyS5Kg6vwYYdVVC/ve

Malware Config

Extracted

Family

meduza

C2

109.107.181.162

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    84

  • extensions

    none

  • grabber_max_size

    1.048576e+06

  • links

    none

  • port

    15666

  • self_destruct

    true

Targets

    • Target

      Lost Wallet Finder.zip

    • Size

      2.4MB

    • MD5

      1dd5938f1c9297734bb2f68320f1e15b

    • SHA1

      779f122ca36f99bd6c3d7f8487aeff9d899ab87b

    • SHA256

      7f4755eb840841ebd840f9573cf376b011afbf22829fbe2b7ac15df4167d99ac

    • SHA512

      a4249b49d323a4a9fb052797fcd3bc6a57ae5273e6380c81ee309f2d42b944c5206784b4523c1a6ad814a844bf3accadfea5b32f202d3ba743780e9ac0419984

    • SSDEEP

      49152:gEatR/fPylEO4/oGnJ0f1WodLw221335IZgJUvwxuYdQIsUNpTO7/CAxe:4LfPy/knJyS5Kg6vwYYdVVC/ve

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks