meduza

Resubmissions

07/03/2025, 03:43

250307-ead1pas1d1 10

Sharing

Copy URL

Twitter E-mail

General

Target

Polysy_Tool_Pro_Edition.zip
Size

110.0MB
Sample

250307-ead1pas1d1
MD5

b60609aeaa3cd612456a176f120d7900
SHA1

c1280bcddeaaf800732fb9f45af2bdff36dbe7d4
SHA256

86c5fbaec4886b844cbcf2376968430ecbd7a9b51dcf09fc9fe954b49fe6fe53
SHA512

179a73055096a21547e7e457bac999c423c9c1d3ea1dcea5581977571c1531dc1161f03a792c49eae746843e8fd1cc846e0adde1b149791af7cc3caa2ac7e343
SSDEEP

3145728:73lak6DIrjDrAnejuGEcrdBhnJSXGWmYR2G2:iIDEguGEcDhnJS2WmY0r

Score

10^/10

meduza 2 collection discovery execution spyware stealer

Malware Config

Extracted

Family

meduza

Botnet

45.93.20.15

Attributes

anti_dbg
true
anti_vm
true
build_name
2
extensions
.txt; .doc; .xlsx
grabber_maximum_size
4194304
port
15666
self_destruct
false

Targets

- Target
  
  517b4e9dea5396ee6996f1ae35291121.dat
- Size
  
  23.8MB
- MD5
  
  7ad8c9f2be167c90bae1ebeec2787706
- SHA1
  
  9fd65dffa03fc0d705bd20f2ab45695be426e485
- SHA256
  
  adcf7c0e2c61eaa09ac57324afa4534f27f9a756edba38ec99ef17e08dd14415
- SHA512
  
  d080ca7ae81a6742844cefbac6088fa6e758fdb0f078795d0c1f81c4222d44cd1801bea7bdde446944f7ea1569d1243ca191a5b70fab3ea3a2b6d00bafa7f05c
- SSDEEP
  
  393216:jli2ZBsnG2jK5wwi4OAVbqCrEhoIBaNbNDkIrsmrgOteX8aP+UDpYVv8t55a:hsndjawwi4OAoCaPaNDsNOosa2k+VvWK
Score

3^/10
behavioral1 behavioral2
- Target
  
  6a7718c005eed33ce409b03914a5b782.bin
- Size
  
  20.4MB
- MD5
  
  943e1d89214f1bacbb44013b0868074c
- SHA1
  
  0e97341c28725979410c0ffd9cde9119688d18cb
- SHA256
  
  9c5be8ef39305a0f8157ef34d38bd4d8e166930d4f698aab93104048700deb07
- SHA512
  
  c406989fc578d5d8c5212b7f17651371294a881283b1b2c2735e21bee24c921429c728978b0742597a7367d8ee97738f012ead663646a043cab7c2bea719a6ac
- SSDEEP
  
  393216:UWrmKiWpcSHbUkRVjW/6zdY4KITmDiBRsKR8trA3/m+Xn1Ul5s0v:/SKi4oHiRGAmD08pg/my1Ul5sa
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  6b5fcc06180fde176b0cbef028282df1.txt
- Size
  
  23.4MB
- MD5
  
  f6aef251d15a856c651f6d1ef9613c0f
- SHA1
  
  41e46b138aded091449bad8d45120c53f774d7c0
- SHA256
  
  b8e4be4abdbf09d2ff6f0983371cbbda74775e1285eeb2c5871c7b346dfa68df
- SHA512
  
  35f74c4200634b09eb257cf9075de75ba2a0765ff7a2457f4111286386ee9e0deb3e706c6e2e7e7bd6ddf0e3d8f818796c6eefa414dc0ce2467b1cab3b4b3c94
- SSDEEP
  
  393216:y8WoFTFaRtdtsARrJPps3ApCWLQxeKAImGxk7beAEIaspLf5uuZ9FpFJLgGP:6o5FardaARhuwRti0qAEH4XAi
Score

1^/10
behavioral5 behavioral6
- Target
  
  70949548f432b49d62b8b4a1cddbc07e.txt
- Size
  
  21.7MB
- MD5
  
  443e2f870866ea5367d749da755d3c10
- SHA1
  
  2051e127ba30bfe5d2fc32e3a08c11910daa5e28
- SHA256
  
  deb34a857e4cfecfc736aa74503f2d8a8b6e821c41f6a6ffbd15b8bad421e421
- SHA512
  
  fd6a3fc1b1ef040357274005adfe38f85b2197c3b364004c707051a5261dc36998f098dd5a4661714cd42bc86764025b13d2ac134d997669299995a92c3ece51
- SSDEEP
  
  393216:P7Jyt6LWxIU5OAl2aHcEmQVwOK7axCmCHRMWHemLl2wTPyNSVffijefDo1:DJUI3eN3HcETw3aCmORQKl2w2MVAefk1
Score

1^/10
behavioral7 behavioral8
- Target
  
  Polysy_Launcher.exe
- Size
  
  201KB
- MD5
  
  2696d944ffbef69510b0c826446fd748
- SHA1
  
  e4106861076981799719876019fe5224eac2655c
- SHA256
  
  a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a
- SHA512
  
  c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb
- SSDEEP
  
  3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb
Score

10^/10

meduza 2 collection discovery execution spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral9
- Target
  
  a48116275bbf2d3781a72732edfad182.dat
- Size
  
  20.6MB
- MD5
  
  3e2bec14e1670971de9139a3d1871a35
- SHA1
  
  bb7feebb33bc2c69dd6910233c8210da996adab2
- SHA256
  
  c6adbc93211f13438fbeaae5cee03d8cb79b2167ac99719f9f44364f7877ed57
- SHA512
  
  a6f40572a48f3c6bc854c017bc7c478a7502ebfbf812e7244a23f2835a1ba2ed39a70ad175aa00cb802be4288f0c5bb9ecfc485c6fa7ca2708e83393da648089
- SSDEEP
  
  393216:P5IYftFepPCb1I7ZxUqPY0XYVDE2ccv/8iOoSW0HPneXFYij4XTPhxlmBYzi:P3regbm7ZFbao2cE/8SSW0veVYij4NxA
Score

3^/10

discovery
behavioral10 behavioral11
- Target
  
  iviewers.dll
- Size
  
  83KB
- MD5
  
  5d57d199c4418e0cd2305dbe761ec9ae
- SHA1
  
  9dfdaf2c9f92c1d6bf3ac1d65d0fbca32e2f0359
- SHA256
  
  be71bb6d00d2759b6e925249307d08f900ddfc48744b6b3a1cac2e6100724c37
- SHA512
  
  8817eea5118074e95d9e2d3ac5a4216959122d3379add8d250c29e1e18403d9c5e95f8d5f687db8995183cfb6418e696553ca0ad3f4e7ab363cf341b7e3e239b
- SSDEEP
  
  1536:vbo5eK+wzZQ1LRC7ivPv8ZqTfXeqvz+NBGQS18sWpcdVQPLHWeDCf7/P/:vs5tXVQLRC7iv4qTvcGQS1VQPjWeDCfb
Score

10^/10

discovery execution meduza 2 collection spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral12 behavioral13

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Meduza Stealer payload

Meduza family

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Meduza

Meduza Stealer payload

Meduza family

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13