MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca0be077e863ab4f7babbcba1b40e819a7d2e6f5fbabe27fbfe7a125b8be356. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MeduzaStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	7ca0be077e863ab4f7babbcba1b40e819a7d2e6f5fbabe27fbfe7a125b8be356
SHA3-384 hash:	4c0f6ed002e91ccf200cbfb2fe5621d84b7ee67de03650e34c810a04cfdba9772414c4fc76a73a27178a65d225fb1496
SHA1 hash:	db53a9d930e8bc480e1e1b10abbf1fab158814c7
MD5 hash:	36c1f4bde9faa23abacb87a2d090ce77
humanhash:	beer-oregon-ten-arizona
File name:	SecuriteInfo.com.Win64.SpywareX-gen.26829.18381
Download:	download sample
Signature	MeduzaStealer Create hunting rule
File size:	923'136 bytes
First seen:	2024-08-21 20:34:19 UTC
Last seen:	2024-09-25 12:35:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2d0a5beab2cc32f0d0a2af98aef9f47b (1 x MeduzaStealer)
ssdeep	24576:VrpRrJq00ihAcWgudeIPDMJD0n5xs70ivjt:1pRrJqNihA4XD0n5GQiv
TLSH	T1B4152A19155D07ADC5BE803C8E4B9E02F666384603B1A7EB16D147923FA77E0AF3E721
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	147-45-44-131 exe MeduzaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win64.SpywareX-gen.26829.18381

Verdict:

Malicious activity

Analysis date:

2024-08-21 20:37:10 UTC

Tags:

stealer meduza exfiltration evasion

Link:

https://app.any.run/tasks/e44bac19-9db8-46bb-ba2a-453f1be5fee0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.SpywareX-gen.26829.18381.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c64f7ce7ff3f5a063bb746

Tags:

Discovery Generic Infostealer Network Stealth Agent

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Connection attempt

Reading critical registry keys

DNS request

Sending a custom TCP request

Creating a window

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypto fingerprint lolbin microsoft_visual_cc shell32

Link:

https://www.filescan.io/uploads/66c64f7aca4afcdb304467ad/reports/b64cc89a-612d-4fb3-b80f-355779083913/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/7ca0be077e863ab4f7babbcba1b40e819a7d2e6f5fbabe27fbfe7a125b8be356

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Meduza

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f242b456-9571-488d-bf3f-fafaadda977e

Result

Threat name:

CredGrabber, Meduza Stealer

Detection:

malicious

Classification:

troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1496965

Signature

AI detected suspicious sample

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected CredGrabber

Yara detected Meduza Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7ca0be077e863ab4f7babbcba1b40e819a7d2e6f5fbabe27fbfe7a125b8be356

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7ca0be077e863ab4f7babbcba1b40e819a7d2e6f5fbabe27fbfe7a125b8be356/

Threat name:

Win64.Trojan.SpywareX

Status:

Malicious

First seen:

2024-08-21 20:13:03 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=psql4b36qy5lj552xpf2dnaoqgnh2ltpl65l4j737z5bew4l4nla._file

Verdict:

malicious

Result

Malware family:

meduza

Score:

10/10

Tags:

family:meduza collection credential_access discovery spyware stealer

Link:

https://tria.ge/reports/240821-zc1bxsshjn/

Behaviour

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Browser Information Discovery

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Credentials from Password Stores: Credentials from Web Browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a0ac8a04-6000-4f4b-b75b-09fb6622b81d

Unpacked files

SH256 hash:

7ca0be077e863ab4f7babbcba1b40e819a7d2e6f5fbabe27fbfe7a125b8be356

MD5 hash:

36c1f4bde9faa23abacb87a2d090ce77

SHA1 hash:

db53a9d930e8bc480e1e1b10abbf1fab158814c7

Link:

https://www.unpac.me/results/5af87100-c341-4fa5-be94-27b21aede104/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7ca0be077e86/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ca0be077e863ab4f7babbcba1b40e819a7d2e6f5fbabe27fbfe7a125b8be356

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	medusa_stealer Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	Medusa/Meduza Stealer Payload

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MeduzaStealer

exe 7ca0be077e863ab4f7babbcba1b40e819a7d2e6f5fbabe27fbfe7a125b8be356

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3120760/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CreateStreamOnHGlobal
DP_API	Uses DP API	CRYPT32.dll::CryptUnprotectData
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipGetImageEncoders gdiplus.dll::GdipGetImageEncodersSize gdiplus.dll::GdipAlloc
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken WININET.dll::InternetCloseHandle KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess ntdll.dll::NtQuerySystemInformation KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW
WIN_CRED_API	Can Manipute Windows Credentials	ADVAPI32.dll::CredEnumerateA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample