General
Target: meteor-client-0.5.8.jar
Size: 4.3MB
Sample: 250106-jmtdcssrhp
MD5: 45f0dca8d5ad5a6a88668b0b7ca6fa43
SHA1: 1daf36a94be3ec3bf7d4f9d1fd69aafdc5276b0b
SHA256: 090ad8f02273a67eca753ef37ccee2256e4dd3d715501ed75433ec8f57d7c5e9
SHA512: b2790837dde3a02fecab6c076e8904b7fdd7db076072e51629c316840d099409bb4278f90eb8dd7f813c922ec8db0004508002b84f50c41e687cc5e689cb3bea
SSDEEP: 98304:grM2SKrU1GdVTWClw2Mqrv3T2670HC4M1yC3MqU37KxESRmK:grM2uQZWClw2Mqrv3T26QMX3uKxHL
Static task: static1
Behavioral task: behavioral1
Sample: meteor-client-0.5.8.jar
Resource: win11-20241007-en
Malware Config
Extracted: meduza
109.107.181.162
anti_dbg: true
anti_vm: true
build_name: 6
extensions: none
grabber_max_size: 1.048576e+06
links: none
port: 15666
self_destruct: true
Targets
- Meduza Stealer payload
- Meduza family
- Contacts a large number (580) of remote hosts
  This may indicate a network scan to discover remotely running services.
- Downloads MZ/PE file
- A potential corporate email address has been identified in the URL: chrome@90
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Network Share Discovery (1)
- Query Registry (4)
- System Information Discovery (4)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)