General
Target: App_Lite.zip
Size: 103.7MB
Sample: 250222-rm8r2s1kv4
MD5: da78922d4a5d49d96eb12c22539856cb
SHA1: 6cb481f9ee7eedb5733da897f7a2df46b7218cc8
SHA256: e5f28e017baf7ffebe3b58cee33a73d3006acf6f3e15c9bb149aa4a13da6c848
SHA512: 0643760b4ed503df5df75c2576e18ae08b178dfb4c4083032e8bf4150b98ff9e4d763fc72599b1e48c3a2430983e8c89a2d5472d41f3bbb59ba815f689ff3414
SSDEEP: 3145728:TA6nCvaTW7Dl0irRY684u1H2u/F2javJS7xNmMy6O2+oW:JnCHB0i101H2uN2j+J2xNhNNW
Static task: static1
Behavioral task: behavioral1
  Sample: Launcher.exe
  Resource: win10v2004-20250217-en
Behavioral task: behavioral2
  Sample: iviewers.dll
  Resource: win7-20241010-en
Malware Config
Extracted
  meduza
  3
  45.93.20.15
  anti_dbg: true
  anti_vm: true
  build_name: 3
  extensions: .txt; .doc; .xlsx
  grabber_maximum_size: 4194304
  port: 15666
  self_destruct: false
Targets

Target: Launcher.exe
Size: 201KB
MD5: 2696d944ffbef69510b0c826446fd748
SHA1: e4106861076981799719876019fe5224eac2655c
SHA256: a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a
SHA512: c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb
SSDEEP: 3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb

Signatures:
- Meduza Stealer payload
- Meduza family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: iviewers.dll
Size: 83KB
MD5: b273ffa32f2666ea4009ad513068fe88
SHA1: f5da4946574e72fa24587e005f9bf4974a37856d
SHA256: 517963b561575a9592becf985ea32fa5a9c5accbcb4a70857ee5543c7b72e42f
SHA512: bc666ee4e658e0875e53b3157c07983660c5a2d0436f5cac57c1c704ccec0ea676700be28f00d7d623f922123ce1669ae868cefb35b67f1e181834e4cba9d794
SSDEEP: 1536:cbo5eK+wzZQ1LRC7ivPv8ZqTfXeqvz+NBGQS18sWpcdVQHLHWeDCf7/P/:cs5tXVQLRC7iv4qTvcGQS1VQHjWeDCfb

Signatures:
- Meduza Stealer payload
- Meduza family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 1
    Credentials In Files: 1