Overview

overview

10

Static

static

1

85b317bb44...61.lnk

windows7-x64

10

85b317bb44...61.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61.lnk

  • Size

    1KB

  • Sample

    240703-cqdnrascpe

  • MD5

    c6d3234e6d234ac35340b68402d65f7d

  • SHA1

    b6af26d59817c43729d48c46b9a4feee284f94eb

  • SHA256

    85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61

  • SHA512

    78794b7a77cd027b8dce320b6d1aaf918600a2d5c350ee676c705700a739fe7e55104ba29475ef6555adce4fec2ba0f13b0c9ca10d9730b7d8cfa44632d460b4

Score
10/10
meduzacollectiondiscoveryspywarestealer

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://149.51.230.198:5566/config

Extracted

Language
hta
Source
URLs
hta.dropper

http://149.51.230.198:5566/config

Targets

    • Target

      85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61.lnk

    • Size

      1KB

    • MD5

      c6d3234e6d234ac35340b68402d65f7d

    • SHA1

      b6af26d59817c43729d48c46b9a4feee284f94eb

    • SHA256

      85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61

    • SHA512

      78794b7a77cd027b8dce320b6d1aaf918600a2d5c350ee676c705700a739fe7e55104ba29475ef6555adce4fec2ba0f13b0c9ca10d9730b7d8cfa44632d460b4

    Score
    10/10
    meduzacollectiondiscoveryspywarestealer

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

      stealermeduza

    • Meduza Stealer payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks