meduza | ab1fbdebc66bbaf48985716fea2b4caf054e830384e931b6b25c92c3e302510c | Triage

Submit
Reports

Overview

overview

Static

static

1

WhatsApp I...67.jpg

windows10-ltsc 2021-x64

Sharing

General

Target

WhatsApp Image 2024-08-25 at 19.33.05_3d55e667.jpg
Size

221KB
Sample

250102-nshw2azpev
MD5

79976d94b495f6411cbf279c69773703
SHA1

4280f5d6228b8450e5809b34087b05c182e0a364
SHA256

ab1fbdebc66bbaf48985716fea2b4caf054e830384e931b6b25c92c3e302510c
SHA512

6a786f3a40af4970360d6b13ade3177447e8a42c7562abc01073211305ecc336c9b1c3bbcbe69c8e5df4e22b6cef0e7354e1b35be34883dc6906a6b614f9adbe
SSDEEP

6144:tnCIxNub72WbVl+jvkrQ7iXXOBE0vmhBmfCVj05:tnhmb72WbDyvBOXXOBE0vmhwKlI

Score

10^/10

meduza discovery motw phishing stealer

Static task

static1

Behavioral task

behavioral1

Sample

WhatsApp Image 2024-08-25 at 19.33.05_3d55e667.jpg

Resource

win10ltsc2021-20241211-en

meduza discovery motw phishing stealer

windows10-ltsc 2021-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

meduza

C2

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Targets

- Target
  
  WhatsApp Image 2024-08-25 at 19.33.05_3d55e667.jpg
- Size
  
  221KB
- MD5
  
  79976d94b495f6411cbf279c69773703
- SHA1
  
  4280f5d6228b8450e5809b34087b05c182e0a364
- SHA256
  
  ab1fbdebc66bbaf48985716fea2b4caf054e830384e931b6b25c92c3e302510c
- SHA512
  
  6a786f3a40af4970360d6b13ade3177447e8a42c7562abc01073211305ecc336c9b1c3bbcbe69c8e5df4e22b6cef0e7354e1b35be34883dc6906a6b614f9adbe
- SSDEEP
  
  6144:tnCIxNub72WbVl+jvkrQ7iXXOBE0vmhBmfCVj05:tnhmb72WbDyvBOXXOBE0vmhwKlI
Score

10^/10

meduza discovery motw phishing stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

meduzadiscoverymotwphishingstealer

© 2018-2025

Terms | Privacy