MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a533f9ae8f269f97eeb35ddac6d1d955924f6eea1794b8a227457e95cf524d44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MedusaLocker


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a533f9ae8f269f97eeb35ddac6d1d955924f6eea1794b8a227457e95cf524d44
SHA3-384 hash: a6cf230ab2e6db89b5f16e7f10255afb663e6634c77829188f27816a35da9d6b0d6a6becab9c48ff86f260583ceef0b1
SHA1 hash: 6a1a46a0de15e81a8157bf3d3e9e1cb498791e3f
MD5 hash: b64ced51ca13ef75fa0347d3a638555a
humanhash: hydrogen-failed-saturn-butter
File name:a533f9ae8f269f97eeb35ddac6d1d955924f6eea1794b8a227457e95cf524d44
Download: download sample
Signature MedusaLocker
Create hunting rule
File size:681'984 bytes
First seen:2022-10-13 05:40:04 UTC
Last seen:2022-10-18 06:49:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a395bd10b20c116b11c2db5ee44c225 (42 x MedusaLocker)
ssdeep 12288:ZYW1LNT35lDbK/LIVaN8+T7vwqyqhYMhWt918vulAVC9+m:dd35lDbKDIwWUDyqS5omYC9+
TLSH T1EFE4AF1035C28033EAB301718EBD966D916DF9220B266DD7A3D8465E5FB99F27E31233
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter petikvx
Tags:MedusaLocker

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319687/
Detection(s):
ditekSHen.MALWARE.Win.Ransomware.MedusaLocker.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader34.46651.11705.30145.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Changing a file
Creating a file in the %AppData% directory
Creating a file
Creating a window
Launching a process
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Moving a recently created file
Blocking the User Account Control
Creating a file in the mass storage device
Enabling autorun by creating a file
Encrypting user's files
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42844/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive exploit greyware medusalocker shell32.dll wmic.exe
Link:
https://www.filescan.io/uploads/6347a4ee0d2bcf0ff9a2bb31/reports/b8c8c70d-d70f-44e8-85c6-9b7e1f1fb1ab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Medusa
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e41e6b9f-7d8c-4991-b481-f4ae0d284268
Result
Threat name:
Babuk, Conti
Create hunting rule
Detection:
malicious
Classification:
rans.spre.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089496
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify Windows User Account Control (UAC) settings
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Writes a notice file (html or txt) to demand a ransom
Yara detected Babuk Ransomware
Yara detected Conti ransomware
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722095 Sample: y3aNF4QTWG.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 4 other signatures 2->54 7 y3aNF4QTWG.exe 503 128 2->7         started        12 svhost.exe 2->12         started        process3 dnsIp4 42 192.168.2.100 unknown unknown 7->42 44 192.168.2.101 unknown unknown 7->44 46 98 other IPs or domains 7->46 34 C:\Users\user\AppData\Roaming\svhost.exe, PE32 7->34 dropped 36 C:\Users\user\...\svhost.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\...\!-Recovery_Instructions-!.html, HTML 7->38 dropped 40 3 other malicious files 7->40 dropped 56 Deletes shadow drive data (may be related to ransomware) 7->56 58 Writes a notice file (html or txt) to demand a ransom 7->58 60 Spreads via windows shares (copies files to share folders) 7->60 62 Disables UAC (registry) 7->62 14 WMIC.exe 1 7->14         started        16 WMIC.exe 1 7->16         started        18 WMIC.exe 1 7->18         started        20 3 other processes 7->20 64 Antivirus detection for dropped file 12->64 66 Contains functionality to bypass UAC (CMSTPLUA) 12->66 68 Contains functionality to modify Windows User Account Control (UAC) settings 12->68 file5 signatures6 process7 process8 22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 20->30         started        32 conhost.exe 20->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a533f9ae8f269f97eeb35ddac6d1d955924f6eea1794b8a227457e95cf524d44/
Threat name:
Win32.Ransomware.MedusaLocker
Create hunting rule
Status:
Malicious
First seen:
2022-10-13 05:41:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uuz7tlupe2pzp3vtlxnmnuozkwje63xkc6klrirhiv7jlt2sjvca._file
Verdict:
malicious
Result
Malware family:
medusalocker
Create hunting rule
Score:
  10/10
Tags:
family:medusalocker evasion ransomware spyware stealer trojan
Link:
https://tria.ge/reports/221013-gcxlxsaghq/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
MedusaLocker
MedusaLocker payload
UAC bypass
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bacf9fec-ba1c-4584-969c-1c592c631305
Unpacked files
SH256 hash:
a533f9ae8f269f97eeb35ddac6d1d955924f6eea1794b8a227457e95cf524d44
MD5 hash:
b64ced51ca13ef75fa0347d3a638555a
SHA1 hash:
6a1a46a0de15e81a8157bf3d3e9e1cb498791e3f
Detections:
win_medusalocker_auto
Create hunting rule
Link:
https://www.unpac.me/results/84da8aee-e555-4b30-82e0-fc098009a457/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a533f9ae8f26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a533f9ae8f269f97eeb35ddac6d1d955924f6eea1794b8a227457e95cf524d44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:MALWARE_Win_MedusaLocker
Create hunting rule
Author:ditekshen
Description:Detects MedusaLocker ransomware
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RAN_MedusaLocker_Aug_2021_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect MedusaLocker ransomware
Reference:Internal Research
Rule name:win_medusalocker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.medusalocker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319687/

Comments