MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MeduzaStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 6 File information Comments

SHA256 hash:	9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103
SHA3-384 hash:	4881af2193c5b0f9734feb53518f8e896c63472ab6faa13410f476038199ce209032fc6b7098826667b6709e3263025f
SHA1 hash:	60bcea02905c09e691043d05837e4942b8c4ae25
MD5 hash:	d3435ebfc26894fe8b895267ca8712b4
humanhash:	chicken-cola-fruit-moon
File name:	jhnykawfkth.exe
Download:	download sample
Signature	MeduzaStealer Create hunting rule
File size:	2'045'440 bytes
First seen:	2024-11-30 21:28:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d18aa68269a30cd13693bec0b3505c6a (6 x MeduzaStealer)
ssdeep	49152:kqKuOKE3tn7J8ZsN0zZQQI0qnX9eztpls0uNYe:k3nX4lnuT
TLSH	T13F956B66984C12EAD87D9038CE9B4B13F276744443B1D7EB1A9026961FA37E02F3FB54
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	aachum
Tags:	exe MeduzaStealer

iamaachum

https://github.com/olosha1/oparik/blob/main/jhnykawfkth.exe

Meduza C2: 62.60.217.159

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
62.60.217.159:15666	https://threatfox.abuse.ch/ioc/1349738/

Intelligence

File Origin

# of uploads :

# of downloads :

392

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

inv.zip

Verdict:

Malicious activity

Analysis date:

2024-11-30 21:22:00 UTC

Tags:

arch-exec stealer stealc loader amadey botnet vidar upx rdp netreactor telegram lumma

Link:

https://app.any.run/tasks/3ec8dd3e-9d71-4833-be4c-30b0e9b61901

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Doina-10036848-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=674b8524e64d1c722d7ab31b

Tags:

gumen virus shell sage

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypto fingerprint microsoft_visual_cc

Link:

https://www.filescan.io/uploads/674b83a1b0c1f225b44ac91a/reports/4074056c-2b7b-4cf0-a725-0f65ac073e48/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103

Malware family:

Koder

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e1e3c53f-a3d8-437d-8ba1-da5a960c0e94

Result

Threat name:

CredGrabber, Meduza Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1565838

Signature

AI detected suspicious sample

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Sigma detected: Suspicious Ping/Del Command Combination

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected CredGrabber

Yara detected Meduza Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103/

Threat name:

Win64.Trojan.MeduzaStealer

Status:

Malicious

First seen:

2024-11-30 21:23:20 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=toz4h35mppub2iwdqycx7zeqihl6p3z5uglu5s4ypted5lunuebq._file

Verdict:

malicious

Label(s):

meduzastealer

Similar samples:

error

MeduzaStealer

Result

Malware family:

meduza

Score:

10/10

Tags:

family:meduza collection discovery spyware stealer

Link:

https://tria.ge/reports/241130-1bwssawkey/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Meduza

Meduza Stealer payload

Meduza family

Malware Config

C2 Extraction:

62.60.217.159

Verdict:

Malicious

Tags:

External_IP_Lookup Win.Malware.Doina-10036848-0

YARA:

n/a

Link:

https://app.threat.zone/submission/f9d47c9f-7e9e-413e-b79d-cc46de0d77f5

Unpacked files

SH256 hash:

9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103

MD5 hash:

d3435ebfc26894fe8b895267ca8712b4

SHA1 hash:

60bcea02905c09e691043d05837e4942b8c4ae25

Link:

https://www.unpac.me/results/4922bf3b-0b97-4863-82bc-2513a4c34a70/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ICMLuaUtil_UACMe_M41 Create hunting rule
Author:	Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:	A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:	https://github.com/hfiref0x/UACME

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MeduzaStealer

exe 9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103

(this sample)

Link

https://tria.ge/241130-z4lb3szmar/behavioral15

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidA ADVAPI32.dll::RevertToSelf
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
DP_API	Uses DP API	CRYPT32.dll::CryptProtectData CRYPT32.dll::CryptUnprotectData
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipGetImageEncodersSize gdiplus.dll::GdipGetImageEncoders gdiplus.dll::GdipAlloc
KERNEL_API	Manipulates Windows Kernel & Drivers	ntdll.dll::RtlInitUnicodeString
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::ImpersonateLoggedOnUser
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::WriteProcessMemory WININET.dll::InternetCloseHandle KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess ntdll.dll::NtQuerySystemInformation KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupPrivilegeValueW
WIN_CRED_API	Can Manipute Windows Credentials	ADVAPI32.dll::CredEnumerateA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegGetValueA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample