General

  • Target

    Solara.zip

  • Size

    4.7MB

  • Sample

    241220-mtwc3svmcw

  • MD5

    01cc8b841c2c00bdd120f492131a10ea

  • SHA1

    d438903ef37254da834647bca766e5e670885859

  • SHA256

    48ce31ecda937253d2ccc1dfd01053eb4f3d93486c1ee36edd97347bf21a9e72

  • SHA512

    54af1d94fd91e981a1a8756ee84a5d75d4a07f101fa67c90c020a7d66fc244086686f32b799a3f5160ef495143ada0a18b7fe90d786f08baffb9a6a36f413fae

  • SSDEEP

    98304:pc+0rjbRcP30nr08HFGBK3s+vINCZVEMclLPPZlOZ7XtUZzPrF3J+b:QrjbRW3y4ZMI8lcJjOZJOxZ+b

Malware Config

Extracted

Family

lumma

C2

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://forbidstow.site/api

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Oxoxox

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    3.145728e+06

  • port

    15666

  • self_destruct

    true

Targets

    • Target

      Solara.exe

    • Size

      754.0MB

    • MD5

      6d2557890012c957faaae8d35a4f0e56

    • SHA1

      1225cd40742576895f74b42bdc18b3af21d96eef

    • SHA256

      b29da8d3e2117236d9f8af71bed0addf68093ccf61acad5a979b2531b0049310

    • SHA512

      145b3471f498d9579b466695407c03a3bd0fad9b98cabbdab9f34ee0ba534d4734fcdb1ce357b90e0de1ec8d9ded04f5576b06e94abed79601510d05cfc4d65a

    • SSDEEP

      98304:pJxFqrqnIGHYeUt7w8TsEitaAo4N/nl3x0NlBuQa3HUQLrFD:/xFqrqnwtw8ccAoKl3fQa3J

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      WindowsManager.dll

    • Size

      433KB

    • MD5

      5b7211145cb919b8cac505949d35caa8

    • SHA1

      6373c7181bfc64cf140630219db2aefbca2c9f62

    • SHA256

      29363cf4cd506dcfbfa2f3d954e2130b85db8068c0a8acae7982a6f1fa657c90

    • SHA512

      b553730dc97cfa5e3e920b2484d157757539c7728c693bbce189f911deb5e3697c12eb4bb847d714fc8f83bf481245574ded807e88317b2dd039c97a71384571

    • SSDEEP

      12288:CI11++JcRZtddofKKrzHPJ3ii0bL7E6t7y22a:CIKRZtddoPrjR3sP7RtuS

    Score
    1/10
    • Target

      assets/TapInstaller.dll

    • Size

      25KB

    • MD5

      9cac1ad2f768d22e4aaae577097df7f3

    • SHA1

      b059d99cdd50c46948bd6e4ac264c2fe53169b22

    • SHA256

      9c050c82c065fe5e7553e73393e59d0b3ca3372e6d590d6eb074b014dab0ea78

    • SHA512

      22d59282a9b2aab81884ad1b1391c16755e895b2b79466fc163f30a8e9035498b371781ea0fab40b6e79313a9a54fe90b8903ecb8ad29471eebd02ce269a0be4

    • SSDEEP

      384:hxB7Wf+NkjZwWqXteRRUUmi/6XLNrtMQJK2+Katf5kKFKjqfvGBkSG00:/kjSoghrW29skKFKcMkP00

    Score
    1/10
    • Target

      assets/WSearchMigPlugin.dll

    • Size

      134KB

    • MD5

      b74eb945013d95409a3e071c4029cb02

    • SHA1

      d087775c3f00e9c27842cc44bcb27c0f334a865b

    • SHA256

      2bdbbd40df3b199cd8ebfc359be451971527e602ab999e23fae524f8edab0ef1

    • SHA512

      3c1e8d24a4d0eadec0beb7c3288bbb290d018ddaa104df9e65db0de0d7543ab77c4139de6b20382925e35bb1ee303dca12b2ea418770c70dde33f26be06a1c48

    • SSDEEP

      3072:PBBD02DY32F5K7lxgtRx3aHCHGA+48xgJJ5x5N3DPZtQ68f69ru:PBBD02U32F5K7KRxKiHGAP37QXfS

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      assets/WpcMigration.Uplevel.dll

    • Size

      231KB

    • MD5

      c92661b900b934ce4e4b7d047aba74e5

    • SHA1

      abf1d9b1058fb1f14a091985bd3fa3c2e9140702

    • SHA256

      85302fc70223988f2e94c5b443afe8c95f73695f60778bdc8cd5e1316a701841

    • SHA512

      34921fccfc07d4080c22d7ff056e92df2bfee61f82212501c9c86d532131c43b2b3655e101439396b887a53180159cb372b222e649bcd7d48ed9952df0a22f6d

    • SSDEEP

      3072:aqJFmRDHgpg2Ri14Myz56tvi8UKLBWAUG/+vufW4369gNbv6K9kd+GAmA8C/y:a0otLkMVizsBXUi6qNdkd+GAmA8

    Score
    1/10
    • Target

      assets/WsUpgrade.dll

    • Size

      201KB

    • MD5

      9d99b0e88cc4eaa43141dea9e31ed3be

    • SHA1

      442e48476650e97cfac8e8088a7315b9804be0c1

    • SHA256

      061de26f44da62a17eecb71f078ef90a9c8784e7c58500984314c74b32c12e46

    • SHA512

      2a0cd7adf67e535cf4a40988d6da4ee69970694875504ea7f7e68cef19e01675557bd3021d867c2bb837d1c3e8287d710259c921967324255c53d0351c6d48df

    • SSDEEP

      3072:a0qV+qDh/7k8Rr92ZSbTP6c27UxDOUreaNQbmOhG7/tfxvharBjnt:a0qVHV1IwTPrFtOe/tzarB7

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      library/ARSoft.Tools.Net.dll

    • Size

      302KB

    • MD5

      452def66509f01d15b43e4c57176d1d8

    • SHA1

      fb3438a1b191fb75c76d22023c3478a585756463

    • SHA256

      f1fe59774bf1fd914aea33459631837569d78e2c1a68d8c544cb498fcdbbef10

    • SHA512

      c5ded39b6f8961bf9e1b77fb07fc41ac321f2e5b9e7a0c4d3a55cf7debb483384b51a8abade6edb9601ea2871cfba65886582cceefcc5010f45c819ec30c625e

    • SSDEEP

      6144:/AUw1rf4dPEliWDLdQCc88UviewobzUY+GsKAZ:qbiy3Zc88UtFfU

    Score
    1/10
    • Target

      library/Autofac.dll

    • Size

      236KB

    • MD5

      f879f97c67c2d03cd47bb7ab1e6dfd51

    • SHA1

      a65ec6943e9eb3ca7001f7bc310475709a949d08

    • SHA256

      02c445f70273eff02d30055c83e77ce7434dd24f6da485b0231e88b2675795dc

    • SHA512

      882db30f98796339a610ce5e5ddd8ad161e231fdd75c5ebd3e552fbb44a618faa09904b01c7c7dcf5834a350a2170c516838bc5de363a89a3a01bb6e0171970a

    • SSDEEP

      3072:g36EQo/nAmrSwxl6g6o9We/Bwdc2lSG+qR/EWJS6A6g73yRhxgByGP/aw4cQSOhZ:gBclGKpT6zbcZAhdPSVuoxnBDPTS

    Score
    1/10
    • Target

      library/GalaSoft.MvvmLight.Platform.dll

    • Size

      23KB

    • MD5

      99a0483ce79d57b52b6a1eacd5f86a12

    • SHA1

      443fc60ab490eefea76859cd263fafa15fed26a1

    • SHA256

      16a051d25e5256348affa9f64a0919f69efd860c8fd3c3b28cea0a9fa126cd4f

    • SHA512

      977719f32b0a4bd10f584a0ee82e7c69664a2a75533f1a3c7799eb89bd5d7c98cece830538372fb7e2263f3c99942ada1e90de50e0ba0e59dfacb8ab8e66d20c

    • SSDEEP

      384:2KKUx+mQv787wr/igP39cVT0ojR97dKRSX8iPyZA3gs/bHMQJK2+KatfzNKFKjqI:DKnW3g/oTZjR97dJXTPyA3gs/bk29+Nn

    Score
    1/10
    • Target

      library/GalaSoft.MvvmLight.dll

    • Size

      50KB

    • MD5

      0fe3d6671024ea3d78aa18dd5adfa613

    • SHA1

      3dfdfa5a20c3ded2908198c85aa04b9dae024441

    • SHA256

      3baba32bdbcd1f2e715724e41ad97878bdb9fb7b7f85dfadc2f98d6cd68932fb

    • SHA512

      84b7a7104ea5cce7c713c6bc2e8c686a684b78fe4949367db6652d285d3d01ebe594070cc993456fac9a21ac2f7a39180ecaf6013d674fce4e42206d0c1c6c55

    • SSDEEP

      768:5nVF+heuJxTH6yaDSpAyYZbT0gJHTCNQYRWCiD5MaIN7UAifpzNJ2Ox/KpEsD+KQ:5VKLY5T0gUNQQiltEifpv2sCWRyIr

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks