Medusa ≠ Aurora
@E0x4D5AOk I have Medusa stealer without any crypts or packs.

I also have Aurora stealer. I don't know if it's packed or crypted (spoiler: it isn't).

Okay, I will be honest here. I never really did a complex analysis in native. And since static analysis or Sandboxie doesn't work, I will use Ghidra. So I will be an amateur this time.

Let's wait for Ghidra to finish. Medusa is loaded. Window > Script Manager > RecoverClassesFromRTTIScript.java. We will execute this. Okay. Let's start with functions.

Not gonna lie, they both have FUN functions. No idea why though.
Let's continue with entrypoint.

They both go to a function.

Now as I said, I don't understand anything from this code. So ChatGPT will help me a lot.
These methods mostly don't do anything. Let's continue with other methods they call.

I see some naughty debug checks here.
In Aurora, there aren't as many calls as there are in Medusa, but it receives information right from the beginning.

From now on, since I really don't have an explanation, I will post anything interesting I found and post it here.

It looks like it steals the Telegram data.
It does a lot of shit in here too.

What the fuck.

And continues like this.
Let's move on to Medusa.

It initializes MyStealer and other shit with MeduZZZa text. I may be an idiot but there are so many proxy calls.

IsProcessorFeaturePresent(0x17) explanation by ChatGPT:
The IsProcessorFeaturePresent(0x17) function is used to determine whether the "SSE3" processor feature is available on the system. SSE3 is a set of instructions that enhances the performance of Intel processors.
If the processor on the system supports the SSE3 feature, the function will return a value of "TRUE" (1). Conversely, if the processor does not support SSE3, the function will return "FALSE" (0).
Medusa has a lot of proxy calls while Aurora doesn't. Medusa also grabs other information such as OEM.

While Medusa uses classes for stealing process, Aurora doesn't.
Anyway, enough Ghidra. Let's see what other tools say.

I also saw that Medusa is AMD and Aurora is Intel in the file header.

Conclusion: Medusa ≠ Aurora
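The "AMD vs Intel in the file header" observation above refers to the Machine field of the PE/COFF file header, which PE viewers label as "AMD AMD64" (0x8664) or "Intel 386" (0x14C). As an added example that is not part of the original post, the script below reads that field directly from a PE image so the check can be repeated without a GUI tool. It assumes the standard PE layout (e_lfanew at offset 0x3C, "PE\0\0" signature, then the 20-byte COFF header); the sample images it tests on are constructed header-only stubs, not the Medusa or Aurora samples.

```python
import struct
import sys

# Machine values from the PE/COFF specification (the ones a stealer sample is likely to use)
MACHINE_NAMES = {
    0x014C: "IMAGE_FILE_MACHINE_I386 (Intel 386, 32-bit)",
    0x8664: "IMAGE_FILE_MACHINE_AMD64 (AMD64 / x86-64, 64-bit)",
    0x01C4: "IMAGE_FILE_MACHINE_ARMNT (ARM Thumb-2, 32-bit)",
    0xAA64: "IMAGE_FILE_MACHINE_ARM64 (ARM64)",
}


def coff_machine(data: bytes) -> int:
    """Return the Machine field of the COFF file header of a PE image.

    Layout checked: 'MZ' DOS header, e_lfanew (uint32 at 0x3C) pointing at the
    'PE\\0\\0' signature, immediately followed by the COFF header whose first
    uint16 is Machine.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Bounds check before dereferencing: a truncated or hostile file may point past EOF
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def describe_machine(data: bytes) -> str:
    """Human-readable name for the Machine field, or the raw value if unknown."""
    machine = coff_machine(data)
    return MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04x}")


def build_stub_pe(machine: int) -> bytes:
    """Construct a minimal header-only image for testing (constructed sample, not a real binary).

    DOS header (0x40 bytes) + 'PE\\0\\0' + 20-byte COFF header with only Machine set.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header starts right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python pe_machine.py <sample.exe>
        with open(sys.argv[1], "rb") as fh:
            print(describe_machine(fh.read()))
    else:
        # No file given: demonstrate on the two constructed stubs
        for name, machine in (("amd64-stub", 0x8664), ("i386-stub", 0x014C)):
            print(f"{name}: {describe_machine(build_stub_pe(machine))}")
```

Run it against any sample to see which architecture string the file header carries; a 64-bit sample reports IMAGE_FILE_MACHINE_AMD64 and a 32-bit one IMAGE_FILE_MACHINE_I386, which is the "AMD"/"Intel" split the tools show. The bounds check on e_lfanew matters when triaging malware, since a crafted header can point outside the file and crash a naive parser.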