General

  • Target

    App_Lite.zip

  • Size

    103.7MB

  • Sample

    250222-rm8r2s1kv4

  • MD5

    da78922d4a5d49d96eb12c22539856cb

  • SHA1

    6cb481f9ee7eedb5733da897f7a2df46b7218cc8

  • SHA256

    e5f28e017baf7ffebe3b58cee33a73d3006acf6f3e15c9bb149aa4a13da6c848

  • SHA512

    0643760b4ed503df5df75c2576e18ae08b178dfb4c4083032e8bf4150b98ff9e4d763fc72599b1e48c3a2430983e8c89a2d5472d41f3bbb59ba815f689ff3414

  • SSDEEP

    3145728:TA6nCvaTW7Dl0irRY684u1H2u/F2javJS7xNmMy6O2+oW:JnCHB0i101H2uN2j+J2xNhNNW

Malware Config

Extracted

  • Family

    meduza

  • Botnet

    3

  • C2

    45.93.20.15

Attributes

  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    3

  • extensions

    .txt; .doc; .xlsx

  • grabber_maximum_size

    4194304

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      Launcher.exe

    • Size

      201KB

    • MD5

      2696d944ffbef69510b0c826446fd748

    • SHA1

      e4106861076981799719876019fe5224eac2655c

    • SHA256

      a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

    • SHA512

      c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

    • SSDEEP

      3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      iviewers.dll

    • Size

      83KB

    • MD5

      b273ffa32f2666ea4009ad513068fe88

    • SHA1

      f5da4946574e72fa24587e005f9bf4974a37856d

    • SHA256

      517963b561575a9592becf985ea32fa5a9c5accbcb4a70857ee5543c7b72e42f

    • SHA512

      bc666ee4e658e0875e53b3157c07983660c5a2d0436f5cac57c1c704ccec0ea676700be28f00d7d623f922123ce1669ae868cefb35b67f1e181834e4cba9d794

    • SSDEEP

      1536:cbo5eK+wzZQ1LRC7ivPv8ZqTfXeqvz+NBGQS18sWpcdVQHLHWeDCf7/P/:cs5tXVQLRC7iv4qTvcGQS1VQHjWeDCfb

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks