meduza

General

Target

actualka-main.zip
Size

1.5MB
Sample

241228-wdly5szrhr
MD5

b9d72464170e8d575b6f797b1388db52
SHA1

b751f2c01cb927e06f5dbea569628a0e0dd9c857
SHA256

bf95ef9885845dd991d92c6fbc8012a309f8104ad603361c54e41c9b57e4f3f0
SHA512

bb31db007a43d5b8c2f0d394067ad20949e904d23be91a6c4a2e7221f77fd6064fa890d3a99f2e14edfb657e41a6ee2dbec5f94744bbf85aa8b04efd3fea2296
SSDEEP

24576:VBBKlNPXO89b0ln20EYjdoMfe80PnVMP4/MDOJX0LLwliqoRWQu0/9hT:Vm+89bYPEuoMW80Pm/P3wli9nT

Score

10^/10

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7504884591:AAEUFOz7SSR-3mUp0oiq_7UmkztEy-AQCyw/sendDocument

https://api.telegram.org/bot7668501460:AAH2A5oRhWUqF_EWSrJaaRppA9RgQdU2iUc/sendDocument

Extracted

Family

meduza

C2

147.45.44.216

Attributes

anti_dbg
true
anti_vm
true
build_name
424
grabber_max_size
1.048576e+06
port
15666
self_destruct
true

Targets

- Target
  
  actualka-main/43134134.exe
- Size
  
  3.1MB
- MD5
  
  8a22ce5556ad5616fb1e6bc833e98b3c
- SHA1
  
  ffd3e2ff7a4dc46b58783a60dbe80ca9706318b9
- SHA256
  
  dd030f49d69a154e37e6287b0359ff7a19fd336a8352cc07dc4acb3c3641e7c7
- SHA512
  
  9c37cb5939fb442684976a143a15d8633eed7e3fa9a4e3c44ca8a9d2b6420ae9a660b2c10da1921c200fd168489546c87004dcc19677de9b652d2ef855376088
- SSDEEP
  
  24576:qiils10EyDGbEbXLmTVpREQl/18LphqeVX9batzh3QCzjXuBL+Yn:UG1SmTxflcWNmf
Score

10^/10

meduza collection discovery spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  actualka-main/Dyfolyj.exe
- Size
  
  138KB
- MD5
  
  63805e5c8dc2663c4fa6f5f0c05bec84
- SHA1
  
  7b26611fdf98030c9c7da442bb17bb90c5424a90
- SHA256
  
  375bc635b33a9259f57fb15769fa741ede79d0e3f2a870e0047b3748879e491b
- SHA512
  
  c275fc55948436dd05cf478291f85951dbcaf21e2a707c4e0022083f86f16517a7923fb2ca2bd962044ef2a183189daf574a6e5e7d8d6bdbd7ed86095a920f60
- SSDEEP
  
  1536:OcxA4IFzn6/VvFmaUo8xUZAAg3WaDj7XWu0/N55Alh7bkcSjPi7ddI1VQN3kdb73:Ocx2bouad8xsAAFaW55eb5a40ZNcu
Score

10^/10

phemedrone credential_access spyware stealer
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Phemedrone family
  phemedrone
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral3 behavioral4
- Target
  
  actualka-main/jajajdva.exe
- Size
  
  320KB
- MD5
  
  4f0990ea72c03f3911be671cbceb7fda
- SHA1
  
  d07332f930099c4af178e4c4adcdf166decdce91
- SHA256
  
  b9e894c975b74265c0c359706931d61227c1ab7074cdf981d2d4a5ceacda9290
- SHA512
  
  903b441d433b39fb8b2d3cfd658261ad2c62d51e5171b0d1cfc37d058a27c946209b2fc1d9ca4ab3ef369753339a6c6d3845e95249d3b77a08caa2099c40e63a
- SSDEEP
  
  6144:lKTuj7ot3QBAlFV7evwYkBS7asV24JU71esarL:lJjs3QBqFV7YlV674H
Score

10^/10

phemedrone discovery stealer credential_access
- Phemedrone
  An information and wallet stealer written in C#.
  stealer phemedrone
- Phemedrone family
  phemedrone
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral5 behavioral6