meduza | f852c303a8940bf411ae88e4d03474de75b7de07964a287ba6491fd3cf545a22

Analysis

max time kernel
19s
max time network
21s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
26-01-2025 15:54

Target

wallet-finder.exe
Size

4.1MB
MD5

12c13fbc1cb91f08144e44c5ed0f350c
SHA1

accc1f7ea8be71ff2b5126d9c68d8b36a1be9afb
SHA256

ea802b3b7bb8e2c558e14d6a946231dfa0f22e746e622296ce60babd10511f9f
SHA512

c4f93dd2129ae77fd5810d623ec55f16448738bf7b4b324d4a4a5530ff4f0dbe639fb7c23d7216b96b08171f28e86852ee859b2cde3a12023b2c10555405fe91
SSDEEP

49152:/xGK0l3e3uHuDgMhX32D/jzt2yd6CWw2Krd+S5rVWgpTZ:/xGK09yuFZ

Score

10^/10

meduza stealer

Family

meduza

109.107.181.162

Attributes

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 11 IoCs

resource	yara_rule
behavioral1/memory/1064-5-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-6-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-4-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-12-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-18-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-19-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-17-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-14-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-10-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-11-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/1064-9-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1136 set thread context of 1064	1136	wallet-finder.exe	78

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	wallet-finder.exe
Token: SeImpersonatePrivilege	1064	wallet-finder.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78
PID 1136 wrote to memory of 1064	1136	wallet-finder.exe	78

C:\Users\Admin\AppData\Local\Temp\wallet-finder.exe
"C:\Users\Admin\AppData\Local\Temp\wallet-finder.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\wallet-finder.exe
  C:\Users\Admin\AppData\Local\Temp\wallet-finder.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1064

memory/1064-5-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-6-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-4-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-12-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-18-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-19-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-17-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-14-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-10-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-11-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1064-9-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1136-0-0x00007FF705120000-0x00007FF705121000-memory.dmp

Filesize
4KB

Download