Resubmissions

20/02/2025, 14:15

250220-rkw1gawran 10

General

  • Target

    Velocity (1).7z

  • Size

    280.9MB

  • Sample

    250220-rkw1gawran

  • MD5

    ddd76a3c9d42e64261a6369463305779

  • SHA1

    3edcae24eaab3fe14e4a6a84937ebb9733fa1eac

  • SHA256

    b662290de96c568fc32720e4862e8eb5da8bc47096c8b66599d51072a5db4ae8

  • SHA512

    c6e4a8f86c40401941330219c620160955f3d1b1efecfa7e3f70c77b85204af10beb76d0d2cbb4840e1b890ddf6d48173db9c9112411fd286795acb73f9110cb

  • SSDEEP

    6291456:hEa5oguevRaJwacAbRiXZvuo0j7nNh9kEC7cQ13VC29a0Ic/:WarRa2acDZwj7NhmECzCkJ
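
The digests above (MD5, SHA1, SHA256, SHA512 and SSDEEP) are the indicators an analyst carries out of a report like this into a hunt. The script below is an added example, not part of the sandbox report or of the sample: it loads the four cryptographic digests listed for Velocity (1).7z as an indicator set, checks that each value is well-formed for its algorithm (a hand-copied hash that lost a character silently matches nothing), and hashes candidate files in a single streaming pass so a 280.9MB archive is read once rather than four times. SSDEEP is left out because it needs a fuzzy-hash library rather than hashlib. The function names and the bytes fed to it are constructed for the example; the per-member digests in the Targets section can be loaded into the same structure to hunt for the extracted files rather than the container.

```python
import hashlib
import io
from typing import BinaryIO, Dict, Iterable, List, Set, Tuple

# Indicator set built from the hashes the report lists for Velocity (1).7z
# (added example: the values are the report's, the structure is ours).
REPORT_INDICATORS: Dict[str, Set[str]] = {
    "md5": {"ddd76a3c9d42e64261a6369463305779"},
    "sha1": {"3edcae24eaab3fe14e4a6a84937ebb9733fa1eac"},
    "sha256": {"b662290de96c568fc32720e4862e8eb5da8bc47096c8b66599d51072a5db4ae8"},
    "sha512": {"c6e4a8f86c40401941330219c620160955f3d1b1efecfa7e3f70c77b85204af1"
               "0beb76d0d2cbb4840e1b890ddf6d48173db9c9112411fd286795acb73f9110cb"},
}

# Expected hex-digest length per algorithm; anything else is a copy error.
HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_indicators(indicators: Dict[str, Iterable[str]]) -> List[Tuple[str, str]]:
    """Return (algorithm, value) pairs that are not lowercase hex of the right length."""
    bad = []
    for algo, values in indicators.items():
        for value in values:
            ok = (algo in HEX_LENGTH
                  and len(value) == HEX_LENGTH[algo]
                  and all(c in "0123456789abcdef" for c in value))
            if not ok:
                bad.append((algo, value))
    return bad


def digests(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """All four digests in one streaming pass, so a large archive is read once."""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LENGTH}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_stream(stream: BinaryIO, indicators: Dict[str, Set[str]]) -> Set[str]:
    """Algorithms whose digest of the stream appears in the indicator set."""
    return {algo for algo, value in digests(stream).items()
            if value in indicators.get(algo, ())}


def match_bytes(data: bytes, indicators: Dict[str, Set[str]]) -> Set[str]:
    """Convenience wrapper for in-memory data (constructed test input)."""
    return match_stream(io.BytesIO(data), indicators)


def digests_of(data: bytes) -> Dict[str, str]:
    return digests(io.BytesIO(data))


if __name__ == "__main__":
    import sys
    problems = validate_indicators(REPORT_INDICATORS)
    if problems:
        sys.exit(f"malformed indicators: {problems}")
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hit = match_stream(fh, REPORT_INDICATORS)
        print(f"{path}: {'MATCH ' + ','.join(sorted(hit)) if hit else 'no match'}")
```

Run it as `python hunt.py path/to/file ...`; a file matching on one algorithm but not the others is itself worth a second look, since the four digests of the same bytes must all agree with the report.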

Malware Config

Targets

    • Target

      Velocity (1).7z

    • Size

      280.9MB

    • MD5

      ddd76a3c9d42e64261a6369463305779

    • SHA1

      3edcae24eaab3fe14e4a6a84937ebb9733fa1eac

    • SHA256

      b662290de96c568fc32720e4862e8eb5da8bc47096c8b66599d51072a5db4ae8

    • SHA512

      c6e4a8f86c40401941330219c620160955f3d1b1efecfa7e3f70c77b85204af10beb76d0d2cbb4840e1b890ddf6d48173db9c9112411fd286795acb73f9110cb

    • SSDEEP

      6291456:hEa5oguevRaJwacAbRiXZvuo0j7nNh9kEC7cQ13VC29a0Ic/:WarRa2acDZwj7NhmECzCkJ

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Checks system information in the registry

      System information is often read to detect sandbox environments.

    • Target

      net8.0-windows10.0.26100.0/Bin/Roblox.dll

    • Size

      2.7MB

    • MD5

      3df9ab5a093b30181d06309ef4bc7fb6

    • SHA1

      fade0a6b1fc408a51d5f120ef6f672795bb37cf6

    • SHA256

      b4a7c9bf0cfcbee41b683b6f2b887b92522a45d72b08465849b852b529043293

    • SHA512

      524e88e6414bc8fd61bf34a1b282e17d77bc40eb5a76e3a5c8fad42bf32d595ad73e9f745a1c0a23439829cccfaf9bed8c8ce647ae6915333377dedc3ecf9317

    • SSDEEP

      49152:nqET+KzKfBdL/ctK3vEjJzotiGawI6OS8h1iiydSKIwGgHnMOU7:LFEnvPYwIrS8h1TydSKIwEf

    Score
    1/10
    • Target

      net8.0-windows10.0.26100.0/Velocity.dll

    • Size

      180KB

    • MD5

      2ca855104c17addc37579bb97e797830

    • SHA1

      5e8cfd85c3af87df58309877998a0fc141ffc5e9

    • SHA256

      1cd022f27a031a1328a825555d4b2fa38d391bbd14a4bae5dbaa853748eff51a

    • SHA512

      5e8da0918c489989cdac0332698832390dead824269c0b29d54120cadea5ec38d79c317c9c16bb3b715b1c817d12d63d0d4714910793c25998e4f1f367687c4b

    • SSDEEP

      3072:PmL+QbRxchWJ7ugWd//X0FTGDvdV79vZp3MeJKxlf00LLUsBSkANbs3QV+XRxx/Y:ZSw4iguv0FTGLMw0MsBSXZsAV+XRj

    Score
    1/10
    • Target

      net8.0-windows10.0.26100.0/Velocity.dll.config

    • Size

      1KB

    • MD5

      5b5d39393c3a7a56b679e5268d04bbd8

    • SHA1

      977311624996250c992dcd1980ec4fb89b8f07b2

    • SHA256

      dc5183d05ba53475ede31db2d07e6ae11974028cf4f8ec73fe80a1bd4f3b25a8

    • SHA512

      ecc3664cdca78f9729b74174e875ea66ab5ab8b94a7e8f620577c1d7fe63b455080e54843861afbb2e5c92969aa084481026cc3962873eeb1b0d017b10e3d51d

    Score
    3/10
    • Target

      net8.0-windows10.0.26100.0/Velocity.exe

    • Size

      140KB

    • MD5

      9792add6ee65934b6a03cc1605ea098b

    • SHA1

      966c698fe9cf94f27876a87192ec7f9ba487dfef

    • SHA256

      575a5ee1eb56e433e4402beef8e4c2ae66a84cb181d22ed4f35fe6d65eec5a1e

    • SHA512

      a25c8eb359a7ab52151547fcdbac1ffa41aa25ca854a2d77e70683be8e324905b05f5193cfe11fefe8b19c434e7be8bf72ab7e160a7beb827a2f60b04df8c816

    • SSDEEP

      3072:3jK4UGDHXrQ8hy7qgpHulWD9ZvZ5Pf3Ca10xuZ04ntfOrhBu5:3jK4TDUqgpqWDLZ5H+xuZ048hA

    • Meduza

      Meduza is a cryptocurrency wallet and information stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Checks system information in the registry

      System information is often read to detect sandbox environments.
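
Two of the signatures raised on both the archive and Velocity.exe ("Checks computer location settings" and "Checks system information in the registry") are registry-read heuristics. The script below is an added example, not the sandbox's rule set and not code from the sample: it replays constructed registry-access events in a simple pid|image|operation|path format and classifies reads against the registry locations that are assumed here to back each signature (the GeoID under Control Panel\International\Geo\Nation and the Nls\Locale key for the geofence check; SystemInformation and BIOS description keys for the fingerprinting check). Paths are normalized so HKLM/HKCU abbreviations and ControlSet001 versus CurrentControlSet compare equal. The key list and the event lines are assumptions made for the example. A benign .NET application resolving its culture can touch the same GeoID value, so treat a hit as context to weigh beside the Meduza payload detection rather than as a verdict on its own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed registry locations (not taken from the report) that commonly back the
# two registry signatures the sandbox raised. Adjust to the sandbox's real rules.
SIGNATURE_KEYS = {
    "Checks computer location settings": (
        r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation",  # GeoID
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Locale",
    ),
    "Checks system information in the registry": (
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation",
        r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS",
    ),
}

_HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                 "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
_CONTROLSET = re.compile(r"\\CONTROLSET\d{3}\\")
_READ_OPS = ("RegOpenKey", "RegQueryValue")


def normalize(path: str) -> str:
    """Canonical upper-case path: expand hive aliases, fold ControlSet00N."""
    hive, sep, rest = path.partition("\\")
    hive = _HIVE_ALIASES.get(hive.upper(), hive.upper())
    full = (hive + sep + rest).upper()
    return _CONTROLSET.sub(lambda m: "\\CURRENTCONTROLSET\\", full)


_NORMALIZED = {sig: tuple(normalize(k) for k in keys)
               for sig, keys in SIGNATURE_KEYS.items()}

Event = Tuple[int, str, str, str]  # pid, image, operation, key\value path

# Constructed for this example; not events from the report.
SAMPLE_EVENTS = r"""
# pid|image|operation|path
4120|Velocity.exe|RegQueryValue|HKCU\Control Panel\International\Geo\Nation
4120|Velocity.exe|RegQueryValue|HKLM\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
4120|Velocity.exe|RegQueryValue|HKLM\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
4120|Velocity.exe|RegQueryValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
4120|Velocity.exe|RegOpenKey|HKLM\HARDWARE\DESCRIPTION\System\BIOS
"""


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pid, image, op, path = line.split("|", 3)
        events.append((int(pid), image, op, path))
    return events


def evaluate(text: str) -> Dict[str, List[Event]]:
    """Map each signature to the registry-read events that triggered it."""
    hits = defaultdict(list)
    for ev in parse_events(text):
        _, _, op, path = ev
        if op not in _READ_OPS:
            continue
        npath = normalize(path)
        for sig, keys in _NORMALIZED.items():
            if any(npath.startswith(k) for k in keys):
                hits[sig].append(ev)
    return dict(hits)


def triggered(text: str) -> List[str]:
    return sorted(evaluate(text))


if __name__ == "__main__":
    for sig, evs in evaluate(SAMPLE_EVENTS).items():
        print(sig)
        for pid, image, op, path in evs:
            print(f"  {pid} {image} {op} {path}")
```

The AppData read in the sample events is deliberately unmatched: ordinary user-profile lookups must not fire these signatures, or every .NET binary in the bundle would score the same way.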

MITRE ATT&CK Enterprise v15

Tasks