General

  • Target

    054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f.hta

  • Size

    551B

  • Sample

    241220-cjxs2sxjhp

  • MD5

    4041595b42e7b6e2ce5965cb76ea7da1

  • SHA1

    401723ee1ac651ad359b89dd7e3cefea91d6aaa9

  • SHA256

    054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f

  • SHA512

    84cfba05772a5adfef0ddfe65bda07d8b908c16de04ea60942338c49a98db625801a986fd999740f61c62650b6e8ebb7f6056e76fe8656d09207f4cf9ffe7c19

Malware Config

Extracted

Family

meduza

C2

193.3.19.151

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    hdont

  • extensions

    .txt

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f.hta

    • Size

      551B

    • MD5

      4041595b42e7b6e2ce5965cb76ea7da1

    • SHA1

      401723ee1ac651ad359b89dd7e3cefea91d6aaa9

    • SHA256

      054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f

    • SHA512

      84cfba05772a5adfef0ddfe65bda07d8b908c16de04ea60942338c49a98db625801a986fd999740f61c62650b6e8ebb7f6056e76fe8656d09207f4cf9ffe7c19

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks