General

  • Target

    Wild Reborn.7z

  • Size

    47.6MB

  • Sample

    250302-tc11kayjt5

  • MD5

    ccb8604309826c5ef39da9da9843e6e7

  • SHA1

    fb4fc3b201bcc2dfca10bff71044d36e60e1308b

  • SHA256

    e6a7f8e9092115954fd820563d2888d4fc7a699186b87c41737c6bf4cf8d1952

  • SHA512

    28818c22cdda3bb0a468ce2a9b779006c92406240dc91117fee1605a345bcbd7ff892046e8d79e8bc2cfff9df59ac00596caa575eaeddbb5e92796ee5af586f8

  • SSDEEP

    786432:6OTMKVpQxry3X/8j+j2O7EvBieLFktx9t4CL0s1zkdCu076HssrgQ4ymPeGikXee:6OTMKVpB3X/8jAN7EEeCdt6mMCuyNxyQ

Malware Config

Extracted

Family

meduza

Botnet

5

C2

77.239.119.53

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    5

  • extensions

    .txt; .doc; .xlsx

  • grabber_maximum_size

    4194304

  • port

    15666

  • self_destruct

    false
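The extracted config above is enough to turn into concrete checks. The following is an added example, not part of the report and not Meduza's own code: it takes the C2 address, port, build name, extension list and grabber size limit from the "Malware Config" section, sanity-checks them, emits a Suricata rule for the C2 pair, applies the grabber filter to file paths, and matches constructed flow-log lines against the C2. The flow-log format, the Suricata sid, and the assumption that the extension list is an inclusive filter with grabber_maximum_size as an upper bound in bytes are all assumptions made here, not facts from the report.

```python
"""
Checks derived from the Meduza config extracted above (added example).

The C2 address, port, build name, extension list and grabber size limit are
the values printed in the "Malware Config" section of this report. Everything
else (the flow-log format, the Suricata sid, how the grabber filter is
applied) is an assumption made for this example.
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MeduzaConfig:
    c2: str
    port: int
    build_name: str
    extensions: tuple
    grabber_maximum_size: int   # bytes; 4194304 == 4 MiB
    anti_dbg: bool
    anti_vm: bool
    self_destruct: bool

    def __post_init__(self):
        # Sanity-check the extracted values before building detections on them.
        ipaddress.IPv4Address(self.c2)          # raises on a malformed address
        if not 1 <= self.port <= 65535:
            raise ValueError(f"port out of range: {self.port}")


# Values copied from the report's extracted config.
CONFIG = MeduzaConfig(
    c2="77.239.119.53",
    port=15666,
    build_name="5",
    extensions=(".txt", ".doc", ".xlsx"),
    grabber_maximum_size=4194304,
    anti_dbg=True,
    anti_vm=True,
    self_destruct=False,
)


def would_grab(cfg, path, size_bytes):
    """True when a file passes the configured grabber filter.

    Assumption: the extension list is an inclusive, case-insensitive filter
    and grabber_maximum_size is an upper bound in bytes. The report gives the
    values but not the matching rules, so this mirrors the usual stealer
    behaviour rather than verified Meduza code.
    """
    ext = ntpath.splitext(path)[1].lower()   # ntpath: handles Windows paths on any OS
    return ext in cfg.extensions and size_bytes <= cfg.grabber_maximum_size


def suricata_rule(cfg, sid=1000001):
    """Suricata rule for traffic to the configured C2 pair (sid is arbitrary)."""
    return (
        f"alert tcp $HOME_NET any -> {cfg.c2} {cfg.port} "
        f'(msg:"Meduza Stealer C2 build {cfg.build_name}"; '
        f"flow:to_server; sid:{sid}; rev:1;)"
    )


# Constructed flow-log format for this example:
# "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def find_c2_flows(cfg, lines):
    """Return (timestamp, source IP) for every flow to the C2 IP on the C2 port."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m and m["dst"] == cfg.c2 and int(m["dport"]) == cfg.port:
            hits.append((m["ts"], m["src"]))
    return hits


# Constructed sample flows: two hosts talk to the C2 on the configured port;
# the other lines are unrelated traffic (203.0.113.10 is a documentation address).
SAMPLE_FLOWS = [
    "2025-03-02T14:01:03Z 10.0.0.12:51344 -> 77.239.119.53:15666 tcp",
    "2025-03-02T14:01:05Z 10.0.0.12:51345 -> 203.0.113.10:443 tcp",
    "2025-03-02T14:02:11Z 10.0.0.17:49811 -> 77.239.119.53:15666 tcp",
    "2025-03-02T14:02:30Z 10.0.0.17:49812 -> 77.239.119.53:443 tcp",
]

if __name__ == "__main__":
    print(suricata_rule(CONFIG))
    for ts, src in find_c2_flows(CONFIG, SAMPLE_FLOWS):
        print(f"{ts} {src} -> C2")
    print(would_grab(CONFIG, r"C:\Users\alice\Desktop\notes.TXT", 1024))
```

find_c2_flows matches the IP and port pair, so the last sample line (same IP, port 443) is deliberately not a hit; matching on the IP alone is the broader but noisier check, and which to use depends on how much other traffic that address carries.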

Targets

    • Target

      Wild Reborn.7z

    • Size

      47.6MB

    • MD5

      ccb8604309826c5ef39da9da9843e6e7

    • SHA1

      fb4fc3b201bcc2dfca10bff71044d36e60e1308b

    • SHA256

      e6a7f8e9092115954fd820563d2888d4fc7a699186b87c41737c6bf4cf8d1952

    • SHA512

      28818c22cdda3bb0a468ce2a9b779006c92406240dc91117fee1605a345bcbd7ff892046e8d79e8bc2cfff9df59ac00596caa575eaeddbb5e92796ee5af586f8

    • SSDEEP

      786432:6OTMKVpQxry3X/8j+j2O7EvBieLFktx9t4CL0s1zkdCu076HssrgQ4ymPeGikXee:6OTMKVpB3X/8jAN7EEeCdt6mMCuyNxyQ

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Creates new service(s)

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      VC_redist.x64 - (1).exe

    • Size

      24.2MB

    • MD5

      1d545507009cc4ec7409c1bc6e93b17b

    • SHA1

      84c61fadf8cd38016fb7632969b3ace9e54b763a

    • SHA256

      3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a

    • SHA512

      5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104

    • SSDEEP

      786432:tSp+Ty2SfUfnbDDko5dFMYqlQbgAVLSElbmucMuZZxs6Sf:4p+Ty2SfWnHDk8FjVbfzPTq4

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Wild Reborn.exe

    • Size

      59.7MB

    • MD5

      1e7565f891c766aad94f941c541a53cc

    • SHA1

      29645ed4f4e612d4b69a44cae82d4946ce3fca8c

    • SHA256

      532a4599883f61688c96843898ec634969a5934fc4a7c5c8eb913be9eb77e708

    • SHA512

      42438b34b11f08d2e650f298d5cdf6066537e0c7d6932511e31a78050ac8bcc7cb1d10213333264d330ff1540931c48c2b40d0b74c8cf5ce99336419d573411f

    • SSDEEP

      786432:O9T/j0BmSyv3+gc5ibDB28+oFwjvYKM289vy3TOZ34wWIN34w:O9T/jemSyvf28+u289l4ul

    Score
    3/10
    • Target

      vcredist_x64 - (2).exe

    • Size

      6.9MB

    • MD5

      49b1164f8e95ec6409ea83cdb352d8da

    • SHA1

      1194e6bf4153fa88f20b2a70ac15bc359ada4ee2

    • SHA256

      a4bba7701e355ae29c403431f871a537897c363e215cafe706615e270984f17c

    • SHA512

      29b65e45ce5233f5ad480673752529026f59a760466a1026bb92fc78d1ccc82396ecb8f07b0e49c9b2315dbef976cb417273c77f4209475036775fe687dd2d60

    • SSDEEP

      196608:bPwMcp4zKAKpCPhD5nsF5GBAiSG5VtJFeHi:0McAWKJsF5vib5VtTeC

    Score
    7/10
    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      vcredist_x64 - (3).exe

    • Size

      6.9MB

    • MD5

      49b1164f8e95ec6409ea83cdb352d8da

    • SHA1

      1194e6bf4153fa88f20b2a70ac15bc359ada4ee2

    • SHA256

      a4bba7701e355ae29c403431f871a537897c363e215cafe706615e270984f17c

    • SHA512

      29b65e45ce5233f5ad480673752529026f59a760466a1026bb92fc78d1ccc82396ecb8f07b0e49c9b2315dbef976cb417273c77f4209475036775fe687dd2d60

    • SSDEEP

      196608:bPwMcp4zKAKpCPhD5nsF5GBAiSG5VtJFeHi:0McAWKJsF5vib5VtTeC

    Score
    7/10
    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Инструкция.txt (Russian: "Instruction.txt")

    • Size

      360B

    • MD5

      9f4ae12f3a31a749f7e1ca9e9e589f78

    • SHA1

      0322a3d4a923c143782ab45fab052e4668825a51

    • SHA256

      58bd5e021e6979a26da338146339e0c817576a0221622e9c83882731973ed2da

    • SHA512

      88525f62697c17b61bad8bf1597cd5a149cf32faea81aee78f778cfd624fa3c7e0f8b9e2ec71c826712dfd87cc4635ce9ce4a1d79cd06bfd37c28b97b76c8fe0

    Score
    3/10
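The registry-based signatures listed for Wild Reborn.7z above (BIOS information, country code, Uninstall key enumeration, Run key persistence) can be reproduced from a registry API trace. The following is an added example, not the sandbox's own rule set: it classifies constructed hooked-API trace lines into the signature names printed in the report and attaches an ATT&CK technique to each. The trace format, the registry paths (the standard Windows locations for each behaviour; the report names only the behaviours) and the ATT&CK mapping are this example's assumptions.

```python
"""
Classify registry activity into the behaviour signatures listed in this report
(added example, not the sandbox's own rule set).

Input lines imitate a hooked-API trace: "<pid>\t<api>\t<key>\t<value>". The
registry paths are the standard Windows locations for each behaviour; the
report names the behaviours, not the paths, so the paths are assumptions here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    signature: str          # name as printed in the report
    api_prefix: str         # matches both the A and W variants of the API
    key: re.Pattern         # registry key the API was called on
    value: str = None       # value name, or None for any
    attack: str = ""        # ATT&CK technique chosen here for the signature


# HKCU appears as HKU\<SID> in most traces; accept both spellings.
HIVE_USER = r"(HKCU|HKU\\[^\\]+)"
HIVE_ANY = r"(HKLM|HKCU|HKU\\[^\\]+)"

RULES = [
    Rule("Checks BIOS information in registry", "RegQueryValueEx",
         re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS$", re.I),
         attack="T1497.001"),
    Rule("Checks computer location settings", "RegQueryValueEx",
         re.compile(rf"^{HIVE_USER}\\Control Panel\\International\\Geo$", re.I),
         value="Nation", attack="T1614"),
    Rule("Checks installed software on the system", "RegEnumKeyEx",
         re.compile(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows"
                    r"\\CurrentVersion\\Uninstall$", re.I),
         attack="T1518"),
    Rule("Adds Run key to start application", "RegSetValueEx",
         re.compile(rf"^{HIVE_ANY}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I),
         attack="T1547.001"),
]

EVENT_RE = re.compile(r"^(?P<pid>\d+)\t(?P<api>\w+)\t(?P<key>[^\t]+)\t(?P<value>[^\t]*)$")


def classify(lines):
    """Return (pid, signature, attack) for every event that matches a rule."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line.rstrip("\n"))
        if not m:
            continue                      # not a registry event in our format
        for rule in RULES:
            if (m["api"].startswith(rule.api_prefix)
                    and rule.key.search(m["key"])
                    and (rule.value is None or m["value"].lower() == rule.value.lower())):
                hits.append((int(m["pid"]), rule.signature, rule.attack))
    return hits


def triage(lines):
    """Set of report-style signature names triggered by the trace."""
    return {sig for _, sig, _ in classify(lines)}


def _ev(pid, api, key, value=""):
    return "\t".join((str(pid), api, key, value))


# Constructed sample trace (not from the sandbox run): one process reads the
# BIOS strings, reads the Geo\Nation country code, enumerates Uninstall and
# writes a Run value; the last line is ordinary activity that must not match.
SAMPLE_EVENTS = [
    _ev(4120, "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    _ev(4120, "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    _ev(4120, "RegQueryValueExW",
        r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Control Panel\International\Geo",
        "Nation"),
    _ev(4120, "RegEnumKeyExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    _ev(4120, "RegSetValueExW", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Wild Reborn"),
    _ev(4120, "RegQueryValueExW", r"HKCU\Console", "QuickEdit"),
]

if __name__ == "__main__":
    for pid, sig, attack in classify(SAMPLE_EVENTS):
        print(f"pid {pid}: {sig} ({attack})")
```

Only the Run key write is a registry modification; the other three signatures are reads. Sysmon logs registry creates, deletes, value sets and renames (Event IDs 12 to 14) but not reads, so on an endpoint the BIOS, Geo\Nation and Uninstall checks are visible only through API hooking or an ETW registry provider, while the Run key persistence also shows up as a Sysmon Event ID 13.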
