General

  • Target

    ValorantSkin_Changer_2.2.zip

  • Size

    91.9MB

  • Sample

    250302-h9yqxsyrv8

  • MD5

    3b0d12e7a6ae13fc76167b57dc9b59c6

  • SHA1

    5b8099629b1e58077dade3bb960e556291603de6

  • SHA256

    4e462760e6bf5b71642462a5b73a370b9b4c3d50ecb47c1b236747836cfc128d

  • SHA512

    9d754b29fdee975634e7ae9a0c2755c417c0b3cb06f81c993971f248e96a973659fdeee963d9db1517b0a4499d61373191cedbc9a5b60fa50a3a82ea5c98b9aa

  • SSDEEP

    1572864:aSddmUdyEuTzcP3axP6ApMQgxj2CPYwIgvbJW9K0xvJ9PUyCFxNeQ9:hmKizciAAp5wCCV1KjxvJ9sysNec

Malware Config

Extracted

Family

meduza

Botnet

1

C2

45.93.20.15

Attributes

  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    1

  • extensions

    .txt; .doc; .xlsx

  • grabber_maximum_size

    4194304

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      Valorant_Skin_Changer.exe

    • Size

      201KB

    • MD5

      2696d944ffbef69510b0c826446fd748

    • SHA1

      e4106861076981799719876019fe5224eac2655c

    • SHA256

      a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

    • SHA512

      c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

    • SSDEEP

      3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      iviewers.dll

    • Size

      83KB

    • MD5

      55470aea5b9f0cfc5af1bb312638cf47

    • SHA1

      c9b7d95b45fe7f3282d4e76796c66f9c050961b7

    • SHA256

      0e1eed48e5643a9090e8f55f741ae9c322ec9b8fb3c6f6d902a9d977762ec0b5

    • SHA512

      ee001e521670500a645dcff5141d73aafd864c82b4ebb0e4c9f7975e1e25124d92bfa6dc9b6170b1d018697672116920d428e629b66b3cfbeecf93933ef2ef4d

    • SSDEEP

      1536:obo5eK+wzZQ1LRC7ivPv8ZqTfXeqvz+NBGQS18sWpcdVQCLHWeDCf7/P/:os5tXVQLRC7iv4qTvcGQS1VQCjWeDCfb

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks