meduza

Sharing

Copy URL

Twitter E-mail

General

Target

DeltaExecutor.zip
Size

8.7MB
Sample

250104-yxb96avnfx
MD5

0fe9527ce6a6464c8417949dca101972
SHA1

92e3d746ef23e80ecdee68910b64030bddaa7a9a
SHA256

d9029d87aae61f32f6ea1f9bace4b63671b89d07ff8173e376d4054078c19669
SHA512

39914909702417bfae6e411d2c59acc294961e8a722a87862301f997dcf3ae3a535681045b68e5b79bd970bdae428ca5c1aa33c5115195a919622e6265c6163d
SSDEEP

196608:E0kiwudGHZV4uYmFg7zf2yEC3axVsqFckd1/r81uMRZKI81oeI:EGA56u1G7wCKLzd1/rORZKId

Score

10^/10

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Targets

- Target
  
  DeltaExecutor.exe
- Size
  
  169KB
- MD5
  
  a614a895161a44b174f8b0c5e0d94adf
- SHA1
  
  1594a374c81ee36ce6dcff56f13169c4400b8714
- SHA256
  
  d6f67c596a3017fab0f6908f38de0f996fe8742dc7131d491343d128d96564f6
- SHA512
  
  3e7f9116b528ff8a2aef56f006f8f5c231dcd0fd3e951ce4b3a0582a4429836bcded1469ba7c3ff41d59bafcee05d77150ced675c8b9fe69f17ff734de5ee981
- SSDEEP
  
  3072:nczkitvo4BpYN/6mBPry8TXROLdW5m4mUR59OOGJ0kA30165M1fSV:nA4NCmBPry/N2lOOYg0kWE
Score

10^/10

meduza discovery execution motw phishing stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  System.Collections.dll
- Size
  
  258KB
- MD5
  
  7f99540073810866c551a48ba22dbcdd
- SHA1
  
  8d07b9c89fe884ed04f762b79a9a9572a8c8f575
- SHA256
  
  12e621a0cfe6a28b22246ba06a65b832c9f11aca62ca0222265906480f01b90c
- SHA512
  
  a759a0fcbb9596f07e75e96d81c3c7e532e19f355ff1bc9437c7f8c817905be2550f427c836e8e6a5cc300f01ecbdf3070df55bc67e6e4ab9d8b99d747e88903
- SSDEEP
  
  6144:iUn63gH6scEiHjZpjRg0EZo56pAje2lY9g7CLpQH:iIH6DbtgzDWH7CLS
Score

1^/10
behavioral2
- Target
  
  System.ComponentModel.Primitives.dll
- Size
  
  73KB
- MD5
  
  fbd7ab0a2b86514ee3fe03d3a1b89adb
- SHA1
  
  0a94fb21af27624657253a94267f9cc8e4bc0e87
- SHA256
  
  9d68be843b0493b015cbc54ebb861631202d23cf5871b527523083de29102b48
- SHA512
  
  dba8f9148200b2beb383b17646d152e6e1c453da2183a672d9cd54bd5f11eee06370d6c08e2659c80f308f984f91da2af37f083ac900fda121f50cda6c974ecf
- SSDEEP
  
  768:FENxSnMIPVOAtuJBh6Rzmr1yF0YDC2oKQ15hw9xQs2GD2hDGE0n+ysSoQuSz:2/SX2d6YIFlC2oKQGzkRGv+1L7Sz
Score

1^/10
behavioral3
- Target
  
  System.Console.dll
- Size
  
  153KB
- MD5
  
  3fe0d98fda1fedbc8aa7dcb05de92805
- SHA1
  
  11c3703db5e16c174bd3d64dbb2f558d06cb736a
- SHA256
  
  dd2c6992c14120d0d758f778d5d390fe340d745a00cb0c93452b5ff23db13306
- SHA512
  
  da3ebd66b3a2a03d15c5b9a7cccf95274e3c8b6c97f312fd6fbf7b64ad3c99533b8e6eb34fbafdff612ae9808449e4174dce28ad1c56cebff2eb09cdd4c09a7e
- SSDEEP
  
  3072:XeN/DYsIwm43AYT+a5TXa4PvbKw04mOaYIe6N1fSN:k/Dy4qaFqSmlNcILfo
Score

1^/10
behavioral4
- Target
  
  System.Diagnostics.Process.dll
- Size
  
  283KB
- MD5
  
  a688b390880e4ba55b2a4e52a6efb5c4
- SHA1
  
  10d8a6ac8d7f3cd999ac8046d4c774c72541d44c
- SHA256
  
  b47fa6c38902eb8af6745a6f968bbf79ba9e35c7b41d9d48975d87b1f8bfaa59
- SHA512
  
  c18cee38d818e5d2256e640b411aa6b744a7f4e326ea67a73de07f766c57e308e10200b40c58ef9da8ef9529b7d041851d5b00cbddf4f804cd9e34dce369e6f2
- SSDEEP
  
  6144:oTuBkBUomXAPk4KdpSdA8juGNxs9b3NX1PkxoqnS7s03enh7Y:oTEkyX6k4KdcPjuGNjO803enq
Score

1^/10
behavioral5
- Target
  
  System.Linq.dll
- Size
  
  525KB
- MD5
  
  4038f1c2bb864a85d045cb5ca7bb90ba
- SHA1
  
  2b7eb37acf9ce051e5a8d6fda79f6147dd49d5a7
- SHA256
  
  8f526784997a07aa611bce91bb33937dd4a686980af6b857b24ad39cc1bfec2a
- SHA512
  
  163e2545ba65ce80c3071235bfdf65368b4c602837bf7e134aa188094db393c34490ed81faff58a8b8d7c485695f191e2dec850dc49ca4a0a5016db7b05dbcee
- SSDEEP
  
  12288:XZe1bt8Y8lUnuiZkGxhmYIKskiWHQzctS3Ji:JkbuYthiCkf3c
Score

1^/10
behavioral6
- Target
  
  System.Memory.dll
- Size
  
  169KB
- MD5
  
  77944f96068a26ce10286d2085529515
- SHA1
  
  2b8f26f4541ba13ddfc373d112ece8a0e64c37c7
- SHA256
  
  b4ae699b19b7257605680dbd61127707444695e1207c2edc3213f597729cba1a
- SHA512
  
  3e6e92f9f140c9711788f1e6dfc473aa59c40ab31da87b398f6f8eb00dad2902c02e3c3f686a15668297bda5d5f3b3aff8ccd7dc0b1eba5d28b7a2d6bbb5095d
- SSDEEP
  
  3072:pt9TNfdOt6imRtccnfS7h+y6fM/XkFPh/h/tmlTYrAPS1tUogJs6M1fSF:Z/OtbXcn67h9oPh/hwOUPjlIU
Score

1^/10
behavioral7
- Target
  
  System.Private.CoreLib.dll
- Size
  
  10.1MB
- MD5
  
  c8ebfcfd8c7a69e30d45b4498ece29d0
- SHA1
  
  8601203764578ff3f3d853dc56c4c6093dad535e
- SHA256
  
  620a4b11fb37ab997950870b06fee3038c5922a052e06871b9c1a7e1a19c1262
- SHA512
  
  6ae4d77cd1758d2b738e794e6661cd9c8a984007386ea4c902f03f11a01f8da691c77614b66648f8a67c02560743fd29cc5a834adadc3e08dcdb7a0932db75d2
- SSDEEP
  
  98304:65kYiiZd0WH7nZu+MR0lVVKPq/SPJ5VDdo4zDCeUtQoqS0iB0mwSvFG:N/Md0WHTZu+MR0RKPq/aJfDaoeYivk
Score

1^/10
behavioral8
- Target
  
  System.Runtime.InteropServices.dll
- Size
  
  50KB
- MD5
  
  38b03b1d2cf2ec0882bdc35b75bad949
- SHA1
  
  cff00dbc2a4f0b2265f462d94a8d5a484ec04dfa
- SHA256
  
  0ad8892c72e216a4c12793dd6045e3e88413b42716c2020ddb0cce3266d12cb2
- SHA512
  
  d1ab7306313e3009a270aebc839c3f5532107ab85ca975e4d4fe509ff86f59ba04e7909ddade0872900b9aa1c3e989187d4a9bb37ed5a1560554bfb98d990792
- SSDEEP
  
  1536:mI4oWmINcz2r1GqhwFcFMjHPPtTRGvY1L7SG:mI4oWjOmgqhweFMjHPl6Y1fSG
Score

1^/10
behavioral9
- Target
  
  System.Runtime.dll
- Size
  
  41KB
- MD5
  
  6f1dae472a14ae8466bef121470c2e14
- SHA1
  
  d62ff33d7b34a5e99f3e8038b3d491b9587e6c78
- SHA256
  
  1048754b003ec6e9815e1fe328901c0d952c4babc997ca5bc4c4085fcd4b2377
- SHA512
  
  0d3d3982943fbc54f37546ba17c1068d6fdee4417ad00b6a4b055985bf8c72bab7a7e63918b3e27186ecde19734695824c585b26fde3b22a6279b30cd2799cd6
- SSDEEP
  
  768:lBV0jdpFKYl5f4bGRi2xVbcVT4phIdJhDGE0nIysSoQuSiN:1edGYl5f4bGR3G0/ILRGvI1L7Ss
Score

1^/10
behavioral10
- Target
  
  System.Text.Encoding.Extensions.dll
- Size
  
  15KB
- MD5
  
  25087ef7b75cd416efdefe229d735c51
- SHA1
  
  27d3d2ac34de956a41987aaf769d8e4dd9915788
- SHA256
  
  09cac9c6839cb028c2a05aa3407fc64756f245a6cafcd372debf411b82f722e8
- SHA512
  
  f6bad76d5ae10382a42b917ac3fa0708ed9d25155c12a4be91fd51e2d07403cffc835b66e0234c0a38e62581087b4bc795d16599db07acec1b98f401a5226054
- SSDEEP
  
  384:TRvKX3W69JWIA22mNDE2GdC0nW1y5w56SofousWu4Dzr:4HdRhDGE0n3ysSoQuS2r
Score

1^/10
behavioral11
- Target
  
  System.Threading.Thread.dll
- Size
  
  15KB
- MD5
  
  5cab51a6a205eb3b3fa232bd4e8e6cf5
- SHA1
  
  648a512d44063d6ff5285054c5c795abc29e213c
- SHA256
  
  fb1faa1f70491e085d7ef0a27ad789126d8f3662c121d091eeec52eeb3e0313a
- SHA512
  
  1ec0afe7d6ccf8e5754987b60f7cd90e9e2cf4a2f0f549c707ebe296c2385f5aea5cf3fd59a15beb93267c65c8d9e9c930a5a07d5386ca1df892c8b3ae0974a7
- SSDEEP
  
  384:az2E+ZVaD+Wcn7WIZ2mNDE2GdC0nWgLF5w56SofousWu4bFI:Q2JnZhDGE0n3ysSoQuSWI
Score

1^/10
behavioral12
- Target
  
  System.Threading.dll
- Size
  
  78KB
- MD5
  
  e546c2554286bd698fb80751692f1dff
- SHA1
  
  5ae28e9deadc4a99a506e838521862e4cb6fb997
- SHA256
  
  33437c83104c63f8178a5c737d2600082a129813b405d0262e5312a453e09121
- SHA512
  
  7bc78387eb89fd6e9cc88ac908f8b996c4b35ffde4ca029bd6eb95eac1711af06a63848d0724b96f7a22a483e680ce81283313c8655c554e8e2a0939c3b47848
- SSDEEP
  
  1536:H005RS/Dx0ibqDo9suGxdQJXRH7AWlXRGvQ1L7S6Z:Ht5RSuHDo9gxdQNKWlX6Q1fS6
Score

1^/10
behavioral13
- Target
  
  WinUpdateHelper.dll
- Size
  
  91KB
- MD5
  
  a1ba93a916b3078e8b640807c07ce1e7
- SHA1
  
  01f88dccdb8d44d2b0a160ce038ff970aa799aeb
- SHA256
  
  4135754b26dfac10cd19dcf6e03677b537244cf69fdce9c4138589e59449b443
- SHA512
  
  3c62713d2e83144e82c644a752b77ddac4652542b11416eea8289209dfa783aac54ae347ec80d55260a11f10c7829a91021e55d05af04f2404a0f19354b91431
- SSDEEP
  
  1536:OQT/HMdHIt5VhTRTewBeEyKsqFSSWWpBHER30:VLFtTRRTenD2rA30
Score

1^/10
behavioral14
- Target
  
  clrjit.dll
- Size
  
  1.4MB
- MD5
  
  92795535f2855d02685a78985d2f3d28
- SHA1
  
  46b3963b46086e370598194c428cb2d7dca36e27
- SHA256
  
  7399b0efe5b3d0a9656f35a7317c9210dfda4374fbba7b2fd07671a5855a9345
- SHA512
  
  151a8f8bbe56ef7f5a2490dd9c17990214ada7574e8db43c4f0171d2d02f36238010276d8214bbcedca4fb627dfb4aa0a7d75b42cb3a3d99e1fb003e3e04cd59
- SSDEEP
  
  24576:bLtbu58TIu2rlMBDr0PZYRhVj95f1L7Zr5/z/5ccUYXIBXzkTVsHgWolUZbGGqfY:bLtHAcX0PZuhVDh7ZN7/6YXIBjkBsHgK
Score

1^/10
behavioral15
- Target
  
  coreclr.dll
- Size
  
  4.9MB
- MD5
  
  cbb2f646b9b2a67dad68c35bbc7cb7c8
- SHA1
  
  e8b79e2ddb8b8394f89489745a6e2a8ddf40622d
- SHA256
  
  c6e05a6d8433f111916f2b107b765a9159f41fa1c7a5d8e267645dbd6734d737
- SHA512
  
  7019fa6ee9e597f39c6b3976261cca80d3ca1e853a4821b30a3ff0bc871a258551570d136fd5b76a9d2ef3224118812bd3a790bc85710482d9fa34f96f4c87d5
- SSDEEP
  
  49152:tGDkopr1w2K6VA/VBsqAZ5oGS8M5rFbm7BQXbR7uEXxPDSAnmdav4YR2ROid/BBm:tGmHVBsqAgdgiX8aiHy2q
Score

1^/10
behavioral16
- Target
  
  hostfxr.dll
- Size
  
  369KB
- MD5
  
  a4431266f13f98d48a2f2b10fd2d8a71
- SHA1
  
  950887332a47091ab9102f3fa3cfeeee756734d3
- SHA256
  
  88945e1fd1b63c3d941f67e6cf161680f1288c97fb7ac6028d2645477708f124
- SHA512
  
  97f5f2a44ffda2bb148ee54aeeb72a246ecf9bc03b48561826bf6a1c8fc6accb5177c8ecfe8f10b93b0bb35f1fc9cc250dc3a0c99a30f1f70b7f19338f6c193b
- SSDEEP
  
  6144:YxM2mi9v7ulU6mJ6x+29QenHdpkAQPpDoiXLPTOF:r3lU8x1H0npDoi7M
Score

1^/10
behavioral17
- Target
  
  hostpolicy.dll
- Size
  
  384KB
- MD5
  
  04aebb8b06cbfa10de7225f2ae76f98f
- SHA1
  
  41de2e10ec2f2a6b2c19c08e8e82eebbf4f47846
- SHA256
  
  bfc1c6dd5eed11e15882a3d9e85c63a942a10f81c82d21bb0e7a190ba2d49a91
- SHA512
  
  5e8e74940793438672a91e5e9489b1e0a20fc26d094c5f636be561f5d28e00cc04a81a9443e7b97cc68bd00de0951b92f9f867293747f5d9b7d7113d9dd664a4
- SSDEEP
  
  6144:3hSOCeZX85yiJVGcteMtFxRkOmF+H8I6R8c9XNPRFkiO9v4:3hSle184iRtFxRkOrVADVJ
Score

1^/10
behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Meduza Stealer payload

Meduza family

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Mark of the Web detected: This indicates that the page was originally saved or cloned.

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18