meduza

General

Target

Warzone_Unlock_All_Tool_2.2.zip
Size

85.8MB
Sample

250316-mnmhzssjz7
MD5

ba93079e300badc1bb3c1d6350c91c5e
SHA1

9a19059f089d7dcc607e8dd38077deddf39bedb8
SHA256

6db74250d83e75eda76a61af409c1987b0cfa6568feb4ff6d4dd1309053b1610
SHA512

790659e136a160f6a24b2983b6f8c659c4da77c2f276bd2f999017998acc3450dd270920e8b7ad5ddadd2608aed425028e203564fdd48a91d95207ee48857b5a
SSDEEP

1572864:uW4dh4O3Dz4xNpUm5Qs1K/wLBNiWR1Px22wQrkXlnhGuO6ypKmN7qx3RiZ4gWRp:JIq0DWph1KIRR1PxxeXJIugKm1q5TgMp

Score

10^/10

meduza 1 collection discovery execution spyware stealer

Malware Config

Extracted

Family

meduza

Botnet

1

C2

45.93.20.15

Attributes

anti_dbg
true
anti_vm
true
build_name
1
extensions
.txt; .doc; .xlsx
grabber_maximum_size
4194304
port
15666
self_destruct
false

Targets

- Target
  
  Warzone_Unlock_All_Tool.exe
- Size
  
  201KB
- MD5
  
  2696d944ffbef69510b0c826446fd748
- SHA1
  
  e4106861076981799719876019fe5224eac2655c
- SHA256
  
  a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a
- SHA512
  
  c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb
- SSDEEP
  
  3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb
Score

10^/10

meduza 1 collection discovery execution spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  iviewers.dll
- Size
  
  83KB
- MD5
  
  5649b671dabb89dd275575188cd9bf51
- SHA1
  
  25f3dbb4fe5c13ea06a43efd8abae7bfd6c0e05c
- SHA256
  
  c5c48516e26cd796404e77b9275a976ec4b4f75a70e04ff7781203ee5da59cc1
- SHA512
  
  74e5f13719eba0e5fa2750225bcced7a40bb48a02d6df693cd70141219707fb5392851128bff7d0fbb9e471e414e9bd0a34deda2e9de4e9fd456d390374790fc
- SSDEEP
  
  1536:ybo5eK+wzZQ1LRC7ivPv8ZqTfXeqvz+NBGQS18sWpcdVQ/LHWeDCf7/P/:ys5tXVQLRC7iv4qTvcGQS1VQ/jWeDCfb
Score

10^/10

discovery execution meduza 1 collection spyware stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2 behavioral3