File name:

2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk

Full analysis: https://app.any.run/tasks/8b672db3-9d7e-4741-94d5-a23607452b3b
Verdict: Malicious activity
Threats:

Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 09:50:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
stealer
meduza
exfiltration
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5:

36B15B22CCF73ECFEC445F9BD7DC59FF

SHA1:

4736A7FEB57398E3EFDE894647B038014CED93DC

SHA256:

B4DE7F656A143CB9A5A1836836F0E90D1707A92E66685D15D54E3EB203FA9476

SSDEEP:

24576:rxIk/KjsyoZlCOjSXM8ZiPC9RSjFqfH48RdFNE2YRM+MBgOoJ14/fe7P/e:rxIkPXjoM80dX87FNE7ME7P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Actions looks like stealing of personal data

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • MEDUZASTEALER has been detected (SURICATA)

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

  • SUSPICIOUS

    • Application launched itself

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 3620)
      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5920)

    • Reads security settings of Internet Explorer

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Potential Corporate Privacy Violation

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Checks Windows Trust Settings

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Searches for installed software

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Connects to unusual port

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • The process connected to a server suspected of theft

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Checks for external IP

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

  • INFO

    • Reads the machine GUID from the registry

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5432)
      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Checks transactions between databases Windows and Oracle

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5432)

    • Checks supported languages

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 3620)
      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5432)
      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5920)
      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Reads the computer name

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5432)
      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • The process uses the downloaded file

      • dllhost.exe (PID: 2612)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 2612)

    • Reads product name

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Reads Environment values

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Reads the software policy settings

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Process checks computer location settings

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Checks proxy server information

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)

    • Reads the time zone

      • 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe (PID: 5872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:10 14:34:19+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 72192
InitializedDataSize: 3202048
UninitializedDataSize: -
EntryPoint: 0x4e10
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe no specs 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe no specs CMSTPLUA no specs Color Management no specs 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe no specs #MEDUZASTEALER 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe

Process information

PID
CMD
Path
Indicators
Parent process
5920"C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe" C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
5432"C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe"C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1630
Modules
Images
c:\users\admin\desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
3988C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
2612C:\WINDOWS\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
3620"C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe" C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exedllhost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
5872"C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe"C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
4 194
Read events
4 192
Write events
1
Delete events
1

Modification events

(PID) Process:(3988) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Operation:writeName:DisplayCalibrator
Value:
C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
(PID) Process:(3988) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Operation:delete valueName:DisplayCalibrator
Value:
C:\Users\admin\Desktop\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
7
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2220
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2220
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
104.26.13.205:443
https://api.ipify.org/
unknown
text
13 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
2220
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5872
2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
45.130.145.152:15666
LLC Baxet
RU
malicious
5872
2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
104.26.12.205:443
api.ipify.org
CLOUDFLARENET
US
shared
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2220
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.78
whitelisted
api.ipify.org
  • 104.26.12.205
  • 172.67.74.152
  • 104.26.13.205
shared
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 20.42.65.84
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Potential Corporate Privacy Violation
ET POLICY Possible IP Check api.ipify.org
A Network Trojan was detected
ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
A Network Trojan was detected
ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
A Network Trojan was detected
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
A Network Trojan was detected
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
Successful Credential Theft Detected
STEALER [ANY.RUN] Meduza Stealer
Successful Credential Theft Detected
STEALER [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
Successful Credential Theft Detected
STEALER [ANY.RUN] Meduza Stealer
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk