Overview

overview

10

Static

static

3

f5946e9f0a...96.exe

windows7-x64

10

f5946e9f0a...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2025, 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe

  • Size

    1.1MB

  • MD5

    d61ac037c333f1bc288c1a96a4db7c21

  • SHA1

    777228616a18b98103594276775188b5e138fa11

  • SHA256

    f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896

  • SHA512

    1aae796964099e22c3ebf8632ded9a451f01161ca6d837cd447524c58088ab05e0cfff6d297495e97b3b1a370b98b563937334f0306095b8c625641430288999

  • SSDEEP

    24576:R06mH2AfjusEQ3MWTwGxXjbAnpiYQ7eVGKtFwVrJL/tXjuD/:RLmH2AfisEQ5XInpI74arx/tXj+/

Score
10/10
meduza1discoverystealer

Malware Config

Extracted

Family

meduza

Botnet

1

C2

66.63.187.173

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    1

  • extensions

    .txt; .doc; .xlsx

  • grabber_maximum_size

    4194304

  • port

    15666

  • self_destruct

    false

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 4 IoCs
  • Meduza family
    meduza
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
    "C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:184
    • C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
      "C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      PID:312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 140
      2⤵
      • Program crash
      PID:3720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 184 -ip 184
    1⤵
      PID:2400

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/184-0-0x000000007510E000-0x000000007510F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/184-1-0x0000000000130000-0x000000000025E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/184-2-0x0000000005140000-0x00000000056E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/184-7-0x0000000075100000-0x00000000758B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/312-5-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/312-4-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/312-6-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/312-8-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

      Download