MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b9bdc5cf5534d377a6201d1803a5aa0915b93c9df524307118fd61f361bdba2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MedusaLocker


Vendor detections: 8



SHA256 hash: 8b9bdc5cf5534d377a6201d1803a5aa0915b93c9df524307118fd61f361bdba2
SHA3-384 hash: 3c8e032ca566dc9e595ff5f74dc8e0cdb723628078cedb302ab162042fffca865a9876352e8af3316345a3ac3c7dede0
SHA1 hash: f3e66237577a690ee907deac9ffbf6074a85e7a5
MD5 hash: 9353a3fa46ce13ea133cfab51c8cbd7a
humanhash: four-mexico-happy-alaska
File name: svhost.exe
Signature: MedusaLocker
File size: 694'784 bytes
First seen: 2020-07-30 22:10:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f2a8a842c869f344b4d75729bc60feed (8 x MedusaLocker)
ssdeep: 12288:cPJ4U0TYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLueJVoM7:JzTYVQ2qZ7aSgLwuVfstRJLFYM
Threatray: 7 similar samples on MalwareBazaar
TLSH: 54E48D1035C2C132E97315728EBD996E416DFD220B2728DBA3C8165E5FB99F27E32532
Reporter: hippie_23
Tags: MedusaLocker

Intelligence


File Origin
# of uploads: 1
# of downloads: 184
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a file
Launching a process
Enabling the 'hidden' option for recently created files
Changing a file
Connection attempt
Moving a recently created file
Creating a window
Network activity
Reading critical registry keys
Creating a process from a recently created file
Creating a process with a hidden window
Blocking the User Account Control
Deleting volume shadow copies
Creating a file in the mass storage device
Unauthorized injection to a system process
Stealing user critical data
Enabling autorun with Startup directory
Encrypting user's files
Result
Threat name: MedusaLocker
Detection: malicious
Classification: rans.spre.expl.evad
Score: 92 / 100
Signature
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify Windows User Account Control (UAC) settings
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
Found Tor onion address
Machine Learning detection for sample
Spreads via windows shares (copies files to share folders)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes many files with high entropy
Yara detected MedusaLocker Ransomware
Behaviour
Behavior Graph:
[Behavior graph image; recoverable details from the graph text:]
Behavior Graph ID: 254441; Sample: svhost.exe; Startdate: 31/07/2020; Architecture: WINDOWS; Score: 92
Sample-level signatures: Yara detected MedusaLocker Ransomware; Machine Learning detection for sample; Found Tor onion address; Deletes shadow drive data (may be related to ransomware)
Network: g.msn.com; asf-ris-prod-neurope.northeurope.cloudapp.azure.com; 192.168.2.100; 192.168.2.101; 98 other IPs or domains
Dropped files: C:\Users\user\AppData\Roaming\svhost.exe (PE32); C:\ProgramData\...\SmsInterceptStore.db (DOS); C:\Users\user\...\svhost.exe:Zone.Identifier (ASCII); 104 other malicious files
Process signatures (svhost.exe): Creates files in the recycle bin to hide itself; Deletes shadow drive data (may be related to ransomware); Spreads via windows shares (copies files to share folders); 3 other signatures; Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to modify Windows User Account Control (UAC) settings
Process tree: svhost.exe (3 instances started) -> WMIC.exe (3 instances) and 3 other processes, each spawning conhost.exe
Threat name: Win32.Ransomware.MedusaLocker
Status: Malicious
First seen: 2020-07-28 23:08:27 UTC
AV detection: 27 of 28 (96.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan ransomware persistence spyware
Behaviour
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Modifies service
Drops desktop.ini file(s)
Checks whether UAC is enabled
Enumerates connected drives
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_medusalocker_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments