meduza

Sharing

Copy URL

Twitter E-mail

General

Target

Wild Reborn.7z
Size

47.6MB
Sample

250302-tc11kayjt5
MD5

ccb8604309826c5ef39da9da9843e6e7
SHA1

fb4fc3b201bcc2dfca10bff71044d36e60e1308b
SHA256

e6a7f8e9092115954fd820563d2888d4fc7a699186b87c41737c6bf4cf8d1952
SHA512

28818c22cdda3bb0a468ce2a9b779006c92406240dc91117fee1605a345bcbd7ff892046e8d79e8bc2cfff9df59ac00596caa575eaeddbb5e92796ee5af586f8
SSDEEP

786432:6OTMKVpQxry3X/8j+j2O7EvBieLFktx9t4CL0s1zkdCu076HssrgQ4ymPeGikXee:6OTMKVpB3X/8jAN7EEeCdt6mMCuyNxyQ

Score

10^/10

meduza 5 collection defense_evasion discovery execution persistence spyware stealer

Malware Config

Extracted

Family

meduza

Botnet

77.239.119.53

Attributes

anti_dbg
true
anti_vm
true
build_name
5
extensions
.txt; .doc; .xlsx
grabber_maximum_size
4194304
port
15666
self_destruct
false

Targets

- Target
  
  Wild Reborn.7z
- Size
  
  47.6MB
- MD5
  
  ccb8604309826c5ef39da9da9843e6e7
- SHA1
  
  fb4fc3b201bcc2dfca10bff71044d36e60e1308b
- SHA256
  
  e6a7f8e9092115954fd820563d2888d4fc7a699186b87c41737c6bf4cf8d1952
- SHA512
  
  28818c22cdda3bb0a468ce2a9b779006c92406240dc91117fee1605a345bcbd7ff892046e8d79e8bc2cfff9df59ac00596caa575eaeddbb5e92796ee5af586f8
- SSDEEP
  
  786432:6OTMKVpQxry3X/8j+j2O7EvBieLFktx9t4CL0s1zkdCu076HssrgQ4ymPeGikXee:6OTMKVpB3X/8jAN7EEeCdt6mMCuyNxyQ
Score

10^/10

meduza 5 collection defense_evasion discovery execution persistence spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  defense_evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3
- Target
  
  VC_redist.x64 - (1).exe
- Size
  
  24.2MB
- MD5
  
  1d545507009cc4ec7409c1bc6e93b17b
- SHA1
  
  84c61fadf8cd38016fb7632969b3ace9e54b763a
- SHA256
  
  3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a
- SHA512
  
  5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104
- SSDEEP
  
  786432:tSp+Ty2SfUfnbDDko5dFMYqlQbgAVLSElbmucMuZZxs6Sf:4p+Ty2SfWnHDk8FjVbfzPTq4
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral4 behavioral5 behavioral6
- Target
  
  Wild Reborn.exe
- Size
  
  59.7MB
- MD5
  
  1e7565f891c766aad94f941c541a53cc
- SHA1
  
  29645ed4f4e612d4b69a44cae82d4946ce3fca8c
- SHA256
  
  532a4599883f61688c96843898ec634969a5934fc4a7c5c8eb913be9eb77e708
- SHA512
  
  42438b34b11f08d2e650f298d5cdf6066537e0c7d6932511e31a78050ac8bcc7cb1d10213333264d330ff1540931c48c2b40d0b74c8cf5ce99336419d573411f
- SSDEEP
  
  786432:O9T/j0BmSyv3+gc5ibDB28+oFwjvYKM289vy3TOZ34wWIN34w:O9T/jemSyvf28+u289l4ul
Score

3^/10

discovery
behavioral7 behavioral8 behavioral9
- Target
  
  vcredist_x64 - (2).exe
- Size
  
  6.9MB
- MD5
  
  49b1164f8e95ec6409ea83cdb352d8da
- SHA1
  
  1194e6bf4153fa88f20b2a70ac15bc359ada4ee2
- SHA256
  
  a4bba7701e355ae29c403431f871a537897c363e215cafe706615e270984f17c
- SHA512
  
  29b65e45ce5233f5ad480673752529026f59a760466a1026bb92fc78d1ccc82396ecb8f07b0e49c9b2315dbef976cb417273c77f4209475036775fe687dd2d60
- SSDEEP
  
  196608:bPwMcp4zKAKpCPhD5nsF5GBAiSG5VtJFeHi:0McAWKJsF5vib5VtTeC
Score

7^/10

discovery
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral10 behavioral11 behavioral12
- Target
  
  vcredist_x64 - (3).exe
- Size
  
  6.9MB
- MD5
  
  49b1164f8e95ec6409ea83cdb352d8da
- SHA1
  
  1194e6bf4153fa88f20b2a70ac15bc359ada4ee2
- SHA256
  
  a4bba7701e355ae29c403431f871a537897c363e215cafe706615e270984f17c
- SHA512
  
  29b65e45ce5233f5ad480673752529026f59a760466a1026bb92fc78d1ccc82396ecb8f07b0e49c9b2315dbef976cb417273c77f4209475036775fe687dd2d60
- SSDEEP
  
  196608:bPwMcp4zKAKpCPhD5nsF5GBAiSG5VtJFeHi:0McAWKJsF5vib5VtTeC
Score

7^/10

discovery
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral13 behavioral14 behavioral15
- Target
  
  Инструкция.txt
- Size
  
  360B
- MD5
  
  9f4ae12f3a31a749f7e1ca9e9e589f78
- SHA1
  
  0322a3d4a923c143782ab45fab052e4668825a51
- SHA256
  
  58bd5e021e6979a26da338146339e0c817576a0221622e9c83882731973ed2da
- SHA512
  
  88525f62697c17b61bad8bf1597cd5a149cf32faea81aee78f778cfd624fa3c7e0f8b9e2ec71c826712dfd87cc4635ce9ce4a1d79cd06bfd37c28b97b76c8fe0
Score

3^/10
behavioral16 behavioral17 behavioral18