Resubmissions

07/03/2025, 03:43

250307-ead1pas1d1 10

General

  • Target

    Polysy_Tool_Pro_Edition.zip

  • Size

    110.0MB

  • Sample

    250307-ead1pas1d1

  • MD5

    b60609aeaa3cd612456a176f120d7900

  • SHA1

    c1280bcddeaaf800732fb9f45af2bdff36dbe7d4

  • SHA256

    86c5fbaec4886b844cbcf2376968430ecbd7a9b51dcf09fc9fe954b49fe6fe53

  • SHA512

    179a73055096a21547e7e457bac999c423c9c1d3ea1dcea5581977571c1531dc1161f03a792c49eae746843e8fd1cc846e0adde1b149791af7cc3caa2ac7e343

  • SSDEEP

    3145728:73lak6DIrjDrAnejuGEcrdBhnJSXGWmYR2G2:iIDEguGEcDhnJS2WmY0r

Malware Config

Extracted

  • Family

    meduza

  • Botnet

    2

  • C2

    45.93.20.15

Attributes

  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    2

  • extensions

    .txt; .doc; .xlsx

  • grabber_maximum_size

    4194304

  • port

    15666

  • self_destruct

    false

Targets

    • Target

      517b4e9dea5396ee6996f1ae35291121.dat

    • Size

      23.8MB

    • MD5

      7ad8c9f2be167c90bae1ebeec2787706

    • SHA1

      9fd65dffa03fc0d705bd20f2ab45695be426e485

    • SHA256

      adcf7c0e2c61eaa09ac57324afa4534f27f9a756edba38ec99ef17e08dd14415

    • SHA512

      d080ca7ae81a6742844cefbac6088fa6e758fdb0f078795d0c1f81c4222d44cd1801bea7bdde446944f7ea1569d1243ca191a5b70fab3ea3a2b6d00bafa7f05c

    • SSDEEP

      393216:jli2ZBsnG2jK5wwi4OAVbqCrEhoIBaNbNDkIrsmrgOteX8aP+UDpYVv8t55a:hsndjawwi4OAoCaPaNDsNOosa2k+VvWK

    • Score

      3/10

    • Target

      6a7718c005eed33ce409b03914a5b782.bin

    • Size

      20.4MB

    • MD5

      943e1d89214f1bacbb44013b0868074c

    • SHA1

      0e97341c28725979410c0ffd9cde9119688d18cb

    • SHA256

      9c5be8ef39305a0f8157ef34d38bd4d8e166930d4f698aab93104048700deb07

    • SHA512

      c406989fc578d5d8c5212b7f17651371294a881283b1b2c2735e21bee24c921429c728978b0742597a7367d8ee97738f012ead663646a043cab7c2bea719a6ac

    • SSDEEP

      393216:UWrmKiWpcSHbUkRVjW/6zdY4KITmDiBRsKR8trA3/m+Xn1Ul5s0v:/SKi4oHiRGAmD08pg/my1Ul5sa

    • Score

      3/10

    • Target

      6b5fcc06180fde176b0cbef028282df1.txt

    • Size

      23.4MB

    • MD5

      f6aef251d15a856c651f6d1ef9613c0f

    • SHA1

      41e46b138aded091449bad8d45120c53f774d7c0

    • SHA256

      b8e4be4abdbf09d2ff6f0983371cbbda74775e1285eeb2c5871c7b346dfa68df

    • SHA512

      35f74c4200634b09eb257cf9075de75ba2a0765ff7a2457f4111286386ee9e0deb3e706c6e2e7e7bd6ddf0e3d8f818796c6eefa414dc0ce2467b1cab3b4b3c94

    • SSDEEP

      393216:y8WoFTFaRtdtsARrJPps3ApCWLQxeKAImGxk7beAEIaspLf5uuZ9FpFJLgGP:6o5FardaARhuwRti0qAEH4XAi

    • Score

      1/10

    • Target

      70949548f432b49d62b8b4a1cddbc07e.txt

    • Size

      21.7MB

    • MD5

      443e2f870866ea5367d749da755d3c10

    • SHA1

      2051e127ba30bfe5d2fc32e3a08c11910daa5e28

    • SHA256

      deb34a857e4cfecfc736aa74503f2d8a8b6e821c41f6a6ffbd15b8bad421e421

    • SHA512

      fd6a3fc1b1ef040357274005adfe38f85b2197c3b364004c707051a5261dc36998f098dd5a4661714cd42bc86764025b13d2ac134d997669299995a92c3ece51

    • SSDEEP

      393216:P7Jyt6LWxIU5OAl2aHcEmQVwOK7axCmCHRMWHemLl2wTPyNSVffijefDo1:DJUI3eN3HcETw3aCmORQKl2w2MVAefk1

    • Score

      1/10

    • Target

      Polysy_Launcher.exe

    • Size

      201KB

    • MD5

      2696d944ffbef69510b0c826446fd748

    • SHA1

      e4106861076981799719876019fe5224eac2655c

    • SHA256

      a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

    • SHA512

      c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

    • SSDEEP

      3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      a48116275bbf2d3781a72732edfad182.dat

    • Size

      20.6MB

    • MD5

      3e2bec14e1670971de9139a3d1871a35

    • SHA1

      bb7feebb33bc2c69dd6910233c8210da996adab2

    • SHA256

      c6adbc93211f13438fbeaae5cee03d8cb79b2167ac99719f9f44364f7877ed57

    • SHA512

      a6f40572a48f3c6bc854c017bc7c478a7502ebfbf812e7244a23f2835a1ba2ed39a70ad175aa00cb802be4288f0c5bb9ecfc485c6fa7ca2708e83393da648089

    • SSDEEP

      393216:P5IYftFepPCb1I7ZxUqPY0XYVDE2ccv/8iOoSW0HPneXFYij4XTPhxlmBYzi:P3regbm7ZFbao2cE/8SSW0veVYij4NxA

    • Score

      3/10

    • Target

      iviewers.dll

    • Size

      83KB

    • MD5

      5d57d199c4418e0cd2305dbe761ec9ae

    • SHA1

      9dfdaf2c9f92c1d6bf3ac1d65d0fbca32e2f0359

    • SHA256

      be71bb6d00d2759b6e925249307d08f900ddfc48744b6b3a1cac2e6100724c37

    • SHA512

      8817eea5118074e95d9e2d3ac5a4216959122d3379add8d250c29e1e18403d9c5e95f8d5f687db8995183cfb6418e696553ca0ad3f4e7ab363cf341b7e3e239b

    • SSDEEP

      1536:vbo5eK+wzZQ1LRC7ivPv8ZqTfXeqvz+NBGQS18sWpcdVQPLHWeDCf7/P/:vs5tXVQLRC7iv4qTvcGQS1VQPjWeDCfb

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15