General
Target: ValorantSkin_Changer_2.2.zip
Size: 91.9MB
Sample: 250302-h9yqxsyrv8
MD5: 3b0d12e7a6ae13fc76167b57dc9b59c6
SHA1: 5b8099629b1e58077dade3bb960e556291603de6
SHA256: 4e462760e6bf5b71642462a5b73a370b9b4c3d50ecb47c1b236747836cfc128d
SHA512: 9d754b29fdee975634e7ae9a0c2755c417c0b3cb06f81c993971f248e96a973659fdeee963d9db1517b0a4499d61373191cedbc9a5b60fa50a3a82ea5c98b9aa
SSDEEP: 1572864:aSddmUdyEuTzcP3axP6ApMQgxj2CPYwIgvbJW9K0xvJ9PUyCFxNeQ9:hmKizciAAp5wCCV1KjxvJ9sysNec
Static task: static1
Behavioral task: behavioral1
  Sample: Valorant_Skin_Changer.exe
  Resource: win10v2004-20250217-en
Behavioral task: behavioral2
  Sample: iviewers.dll
  Resource: win7-20240903-en
Malware Config
Extracted
meduza
1
45.93.20.15
anti_dbg: true
anti_vm: true
build_name: 1
extensions: .txt; .doc; .xlsx
grabber_maximum_size: 4194304
port: 15666
self_destruct: false
Targets

Target: Valorant_Skin_Changer.exe
Size: 201KB
MD5: 2696d944ffbef69510b0c826446fd748
SHA1: e4106861076981799719876019fe5224eac2655c
SHA256: a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a
SHA512: c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb
SSDEEP: 3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb

Meduza Stealer payload
Meduza family
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Downloads MZ/PE file
Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
Executes dropped EXE
Accesses Microsoft Outlook profiles
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.

Target: iviewers.dll
Size: 83KB
MD5: 55470aea5b9f0cfc5af1bb312638cf47
SHA1: c9b7d95b45fe7f3282d4e76796c66f9c050961b7
SHA256: 0e1eed48e5643a9090e8f55f741ae9c322ec9b8fb3c6f6d902a9d977762ec0b5
SHA512: ee001e521670500a645dcff5141d73aafd864c82b4ebb0e4c9f7975e1e25124d92bfa6dc9b6170b1d018697672116920d428e629b66b3cfbeecf93933ef2ef4d
SSDEEP: 1536:obo5eK+wzZQ1LRC7ivPv8ZqTfXeqvz+NBGQS18sWpcdVQCLHWeDCf7/P/:os5tXVQLRC7iv4qTvcGQS1VQCjWeDCfb

Meduza Stealer payload
Meduza family
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Downloads MZ/PE file
Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
Executes dropped EXE
Accesses Microsoft Outlook profiles
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)