MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MedusaLocker


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a
SHA3-384 hash: 02d4258fab25a72be4500cb3309adbeeace26e0e27fd4c56931bf637a6ca2f546049fc9e4250ba4845d3456dc94707ae
SHA1 hash: 5fff4c7c46e9d43682b3f905b67e01a666ca042d
MD5 hash: adf82786199fd5014675f8b5450cce16
humanhash: iowa-massachusetts-charlie-red
File name:winlogin.exe
Download: download sample
Signature MedusaLocker
Create hunting rule
File size:550'400 bytes
First seen:2022-02-22 17:11:23 UTC
Last seen:2022-04-19 20:48:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94a05edd536770f9e1ec8c773654f3a1 (1 x MedusaLocker)
ssdeep 12288:PyX/Gc6mBG6Lg9PNPjvrdY0YZa2+OeO+OeNhBBhhBBKfsDENv5c+QgMJu1sssn:PyXuc6mE609PNPjDdYpyrPguy
Threatray 5'417 similar samples on MalwareBazaar
TLSH T1C6C47C10F262F271D46399F44A7DAE76952C7D340B2457FB73C82A295A395C08B30FAB
Reporter r3dbU7z
Tags:exe MedusaLocker Ransom Ransomware T800

Intelligence

File Origin
# of uploads :
6
# of downloads :
520
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/download/634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a/
Verdict:
Malicious activity
Analysis date:
2022-02-23 01:25:59 UTC
Tags:
ransomware medusalocker
Link:
https://app.any.run/tasks/a5b93746-5ad5-4e57-842b-18f40733a736

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
MedusaLocker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243318/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.34948.19868.27126.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a service
Creating a file
Launching a process
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Creating a file in the Program Files subdirectories
Changing a file
Moving a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to interact with network services
Deleting volume shadow copies
Encrypting user's files
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7038/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm control.exe curator evasive filecoder greyware lockcrypt medusalocker shell32.dll wmic.exe
Link:
https://www.filescan.io/uploads/6215196ea2660f3bb9272e21/reports/62933288-e819-4f25-b837-275c2ec59403/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/527359a6-dae1-488d-969d-21f0706c7956
Result
Threat name:
T800
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/944164
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected T800 Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a/
Threat name:
Win32.Ransomware.MedusaLocker
Create hunting rule
Status:
Malicious
First seen:
2022-02-13 02:42:35 UTC
File Type:
PE (Exe)
AV detection:
36 of 43 (83.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mngyi5mnrwjcxp5qvu6jatby7r4yt4ivaodxvtycvvo22n3v355a._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
MedusaLocker
142dc674a687ade3bc56e2e78f0a6dc0603d81f176f8a9d794d909b6839bcc5b
MedusaLocker
4f48ef3036b8e2b724cbf9ec618f35baf7cb5e2017dc5fae4825659a28b58e68
MedusaLocker
55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb
MedusaLocker
87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
MedusaLocker
8ea97e0efba82bd6980c34015b47984c1d99b8f39e43132d852cb38d2537b3f6
MedusaLocker
94059fda9456b0e68c641eaec8c244e12dba0d9077b18ee9b879fbb26c8f6dd0
MedusaLocker
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
MedusaLocker
e0ba6af5f371f64548b29d2abb11a8e01cec53aed1a3af8e6d70813ce8732e83
MedusaLocker
+ 5'407 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence ransomware
Link:
https://tria.ge/reports/220222-vqwhnscehj/
Behaviour
Delays execution with timeout.exe
Interacts with shadow copies
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Launches sc.exe
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Deletes itself
Modifies file permissions
Modifies extensions of user files
Deletes shadow copies
Unpacked files
SH256 hash:
4b4dadbf64b847377a98a18ad25a240063935391c8dcc9169282f1e25e790a0f
MD5 hash:
33340644d3d680496d0524632bd05c5b
SHA1 hash:
0bfe4200a8c1dd52a04679f3ee38559e3d9559ec
Link:
https://www.unpac.me/results/c88bc911-0a4a-4d4a-aab2-91258fc3aff4/
SH256 hash:
aa60e7b5ef3cfc8de305df61666ea0881fc0e5e3393d34b23374bf3f6cd581ce
MD5 hash:
7764ad276e10a41bdf3d33903e6a676b
SHA1 hash:
07a0a10709224e11ad0d7465f325dc91e04d2e33
Link:
https://www.unpac.me/results/c88bc911-0a4a-4d4a-aab2-91258fc3aff4/
SH256 hash:
6d0b5ac0cc09841691adc2aaee7d1f864473002ae09c204667316983b5ec52ca
MD5 hash:
a0671df0c9ff637e3827ee2d1b7ff8cc
SHA1 hash:
051c8ab09875a1ec34b5b7bfc7810c4513f6b0a1
Link:
https://www.unpac.me/results/c88bc911-0a4a-4d4a-aab2-91258fc3aff4/
SH256 hash:
9ca517db34b73311b27128766ab7397cce8cf1367deffea71f146cd4db5f80ad
MD5 hash:
23b6bd08ee03687c513d0a3fce31fcc3
SHA1 hash:
01f6a92ae6631517b60db07a343c8402e30b1dcf
Link:
https://www.unpac.me/results/c88bc911-0a4a-4d4a-aab2-91258fc3aff4/
SH256 hash:
0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash:
13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash:
e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd
Link:
https://www.unpac.me/results/c88bc911-0a4a-4d4a-aab2-91258fc3aff4/
SH256 hash:
00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash:
bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash:
cdf7dd7dd1771edcc473037af80afd7e449e30d9
Link:
https://www.unpac.me/results/c88bc911-0a4a-4d4a-aab2-91258fc3aff4/
SH256 hash:
634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a
MD5 hash:
adf82786199fd5014675f8b5450cce16
SHA1 hash:
5fff4c7c46e9d43682b3f905b67e01a666ca042d
Link:
https://www.unpac.me/results/c88bc911-0a4a-4d4a-aab2-91258fc3aff4/
Malware family:
Gibberish
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/634d84758d8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:MALWARE_Win_MedusaLocker
Create hunting rule
Author:ditekshen
Description:Detects MedusaLocker ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MedusaLocker

Executable exe 634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/243318/

Comments