win.meduza

Meduza Stealer


There is no description at this point.

References
2025-06-24 | Bridewell | Bridewell
2025 Cyber Threat Intelligence Report
AsyncRAT Brute Ratel C4 Cobalt Strike Fog Ghost RAT Lumma Stealer Meduza Stealer Quasar RAT RedLine Stealer Sliver
2024-07-23 | Fortinet | Fortinet
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed
ACR Stealer Lumma Stealer Meduza Stealer
2023-12-07 | Cert-UA | Cert-UA
UAC-0050 mass cyberattack using RemcosRAT/MeduzaStealer against Ukraine and Poland (CERT-UA#8218)
Meduza Stealer Remcos
2023-11-28 | Medium g0njxa | g0njxa
Approaching stealers devs : a brief interview with Meduza
Meduza Stealer
2023-06-28 | RussianPanda
Meduza Stealer or The Return of The Infamous Aurora Stealer
Meduza Stealer
2023-06-27 | ZeroFox | ZeroFox Dark Ops intelligence team
The Underground Economist: Volume 3, Issue 12
DarkGate Meduza Stealer
Yara Rules
[TLP:WHITE] win_meduza_auto (20260504 | Detects win.meduza.)
rule win_meduza_auto {
    // Auto-generated code-sequence signature for the Meduza Stealer family (Malpedia id win.meduza).
    // Every $sequence_N below is a run of 32-bit x86 instruction bytes picked by YARA-Signator from
    // unpacked / in-memory samples (see DISCLAIMER). The hex strings must stay byte-exact; tune the
    // rule through the condition or by dropping a sequence, never by editing bytes.
    // "??" nibbles wildcard the 4-byte relative displacement of e8 (call) / e9 (jmp) instructions,
    // presumably because of the "callsandjumps" setting in signator_config — confirm against the
    // generator's documentation before relying on that reading.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.meduza."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meduza"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations: "n" is the number of instructions in the sequence; "score"
        // is yara-signator's selection score for it (all are 100 here) — exact meaning is the
        // generator's, not documented on this page.

        // Stores two 32-bit immediates into adjacent stack slots, reloads them into eax/ecx and
        // copies them elsewhere on the stack, then overwrites the first slot. Looks like
        // constant materialisation; the same shape recurs in $sequence_4 and $sequence_7.
        $sequence_0 = { c785d8f6ffff0a6141f0 c785dcf6ffff216f18d1 8b85d8f6ffff 8b8ddcf6ffff 898530f1ffff 898d34f1ffff c785d8f6ffff76d35939 }
            // n = 7, score = 100
            //   c785d8f6ffff0a6141f0     | mov    dword ptr [ebp - 0x928], 0xf041610a
            //   c785dcf6ffff216f18d1     | mov    dword ptr [ebp - 0x924], 0xd1186f21
            //   8b85d8f6ffff         | mov                 eax, dword ptr [ebp - 0x928]
            //   8b8ddcf6ffff         | mov                 ecx, dword ptr [ebp - 0x924]
            //   898530f1ffff         | mov                 dword ptr [ebp - 0xed0], eax
            //   898d34f1ffff         | mov                 dword ptr [ebp - 0xecc], ecx
            //   c785d8f6ffff76d35939     | mov    dword ptr [ebp - 0x928], 0x3959d376

        // Two short forward jumps around register/stack setup (esi = -1, ebx = 0x7fffffff).
        $sequence_1 = { eb10 83ceff bbffffff7f 8975e4 eb03 8b75d8 8d4dc8 }
            // n = 7, score = 100
            //   eb10                 | jmp                 0x12
            //   83ceff               | or                  esi, 0xffffffff
            //   bbffffff7f           | mov                 ebx, 0x7fffffff
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   eb03                 | jmp                 5
            //   8b75d8               | mov                 esi, dword ptr [ebp - 0x28]
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]

        // SSE sequence (pxor / movaps / movups on xmm registers) — only matches builds that
        // contain this SSE code path.
        $sequence_2 = { 898dfcfcffff 8d8da0f5ffff 8985f8fcffff 8d5101 660fef8df0fcffff 0f298da0f5ffff 0f1185d0ecffff }
            // n = 7, score = 100
            //   898dfcfcffff         | mov                 dword ptr [ebp - 0x304], ecx
            //   8d8da0f5ffff         | lea                 ecx, [ebp - 0xa60]
            //   8985f8fcffff         | mov                 dword ptr [ebp - 0x308], eax
            //   8d5101               | lea                 edx, [ecx + 1]
            //   660fef8df0fcffff     | pxor                xmm1, xmmword ptr [ebp - 0x310]
            //   0f298da0f5ffff       | movaps              xmmword ptr [ebp - 0xa60], xmm1
            //   0f1185d0ecffff       | movups              xmmword ptr [ebp - 0x1330], xmm0

        // NOTE(review): the immediate 0x4a7ac8 stored at [ebp - 0xbc] may be an absolute
        // in-image address; if so it will differ in a rebased/relocated dump and this sequence
        // becomes brittle — TODO confirm against the sample before weighting it.
        $sequence_3 = { c745b407000000 50 e8???????? 83c404 c78544ffffffc87a4a00 f30f7e00 8b4808 }
            // n = 7, score = 100
            //   c745b407000000       | mov                 dword ptr [ebp - 0x4c], 7
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c78544ffffffc87a4a00     | mov    dword ptr [ebp - 0xbc], 0x4a7ac8
            //   f30f7e00             | movq                xmm0, qword ptr [eax]
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]

        // Same store-two-immediates-then-reload shape as $sequence_0, at a different frame offset.
        $sequence_4 = { 898d4cd3ffff c785d8e4ffffcb46855e c785dce4ffffee6e1f36 8b85d8e4ffff 8b8ddce4ffff 898580eeffff 898d84eeffff }
            // n = 7, score = 100
            //   898d4cd3ffff         | mov                 dword ptr [ebp - 0x2cb4], ecx
            //   c785d8e4ffffcb46855e     | mov    dword ptr [ebp - 0x1b28], 0x5e8546cb
            //   c785dce4ffffee6e1f36     | mov    dword ptr [ebp - 0x1b24], 0x361f6eee
            //   8b85d8e4ffff         | mov                 eax, dword ptr [ebp - 0x1b28]
            //   8b8ddce4ffff         | mov                 ecx, dword ptr [ebp - 0x1b24]
            //   898580eeffff         | mov                 dword ptr [ebp - 0x1180], eax
            //   898d84eeffff         | mov                 dword ptr [ebp - 0x117c], ecx

        // Six instructions only (n = 6). The "cmp [edi + 0x14], 8 / jb / mov edi, [edi]" shape
        // resembles a compiler's small-buffer check before dereferencing a heap pointer — this is
        // an assumption, not confirmed from the sample.
        $sequence_5 = { 83c408 c645fc0d 837f1408 7202 8b3f 8b8544feffff }
            // n = 6, score = 100
            //   83c408               | add                 esp, 8
            //   c645fc0d             | mov                 byte ptr [ebp - 4], 0xd
            //   837f1408             | cmp                 dword ptr [edi + 0x14], 8
            //   7202                 | jb                  4
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   8b8544feffff         | mov                 eax, dword ptr [ebp - 0x1bc]

        // Alternating wildcarded jmp / "lea ecx, [ebp - X]" pairs; all jmp targets are masked,
        // so only the lea encodings and frame offsets carry signal. Same shape as $sequence_8.
        $sequence_6 = { e9???????? 8d8d50c7ffff e9???????? 8d8d50c7ffff e9???????? 8d8d80c7ffff e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d8d50c7ffff         | lea                 ecx, [ebp - 0x38b0]
            //   e9????????           |                     
            //   8d8d50c7ffff         | lea                 ecx, [ebp - 0x38b0]
            //   e9????????           |                     
            //   8d8d80c7ffff         | lea                 ecx, [ebp - 0x3880]
            //   e9????????           |                     

        // AVX variant of the $sequence_0 shape (vmovdqu / vpxor on ymm registers); matches only
        // builds containing this AVX code path.
        $sequence_7 = { c785d8e4ffffdc70e11a c785dce4fffff74b9182 8b85d8e4ffff 8b8ddce4ffff 898568e9ffff c5fe6f85e0cdffff c5fdef8540e9ffff }
            // n = 7, score = 100
            //   c785d8e4ffffdc70e11a     | mov    dword ptr [ebp - 0x1b28], 0x1ae170dc
            //   c785dce4fffff74b9182     | mov    dword ptr [ebp - 0x1b24], 0x82914bf7
            //   8b85d8e4ffff         | mov                 eax, dword ptr [ebp - 0x1b28]
            //   8b8ddce4ffff         | mov                 ecx, dword ptr [ebp - 0x1b24]
            //   898568e9ffff         | mov                 dword ptr [ebp - 0x1698], eax
            //   c5fe6f85e0cdffff     | vmovdqu             ymm0, ymmword ptr [ebp - 0x3220]
            //   c5fdef8540e9ffff     | vpxor               ymm0, ymm0, ymmword ptr [ebp - 0x16c0]

        // See $sequence_6: same jmp/lea alternation at smaller frame offsets.
        $sequence_8 = { e9???????? 8d8dc0faffff e9???????? 8d8df0faffff e9???????? 8d8df0faffff e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d8dc0faffff         | lea                 ecx, [ebp - 0x540]
            //   e9????????           |                     
            //   8d8df0faffff         | lea                 ecx, [ebp - 0x510]
            //   e9????????           |                     
            //   8d8df0faffff         | lea                 ecx, [ebp - 0x510]
            //   e9????????           |                     

        // Bit test: builds mask (1 << cl) and tests it against dword [edx], branching on zero.
        $sequence_9 = { 23ce b801000000 d3e0 8b4dbc 8502 0f8499000000 e8???????? }
            // n = 7, score = 100
            //   23ce                 | and                 ecx, esi
            //   b801000000           | mov                 eax, 1
            //   d3e0                 | shl                 eax, cl
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]
            //   8502                 | test                dword ptr [edx], eax
            //   0f8499000000         | je                  0x9f
            //   e8????????           |                     

    condition:
        // Fires when at least 7 of the 10 sequences are present and the scanned object is
        // smaller than 1433600 bytes (1400 KiB). The sequences were taken from memory dumps and
        // unpacked files (see DISCLAIMER), so a packed on-disk sample may not match at all;
        // the filesize bound applies to whatever object is scanned (file or memory region),
        // so raise it if larger unpacked dumps are in scope.
        7 of them and filesize < 1433600
}