MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MedusaLocker


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387
SHA3-384 hash: 67aab40cb908b81bf9879d7ae6c5da14a1898a0965c3795a0c23859fa72396f6625da4793952e45563fb8dd4e841e7dd
SHA1 hash: 0cd9753113e29fd460dcdcffb21f364b3c5a14aa
MD5 hash: cfa482b23fa7a59641a6b816d56a3c58
humanhash: august-september-twenty-jig
File name:ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387
Download: download sample
Signature MedusaLocker
Create hunting rule
File size:685'568 bytes
First seen:2022-10-04 21:21:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a395bd10b20c116b11c2db5ee44c225 (42 x MedusaLocker)
ssdeep 12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DhKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWMKrKe
Threatray 47 similar samples on MalwareBazaar
TLSH T137E49D1075818132EAB301718EBDA66D517DF9220B2A58DBA3CC656D4F7D9F27E32233
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter petikvx
Tags:exe MedusaLocker Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
575
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387
Verdict:
Malicious activity
Analysis date:
2022-10-05 03:54:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ddcfd6de-2f9e-4548-8e45-cc5d714a52fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316647/
Detection(s):
Win.Ransomware.Medusalocker-9811271-0
Create hunting rule

Win.Ransomware.MedusaLocker-9811277-1
Create hunting rule

Win.Ransomware.MedusaLocker-9811280-1
Create hunting rule

ditekSHen.MALWARE.Win.Ransomware.MedusaLocker.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Changing a file
Creating a file in the %AppData% directory
Creating a file
Creating a window
Launching a process
Enabling the 'hidden' option for recently created files
Moving a recently created file
Network activity
Creating a process from a recently created file
Blocking the User Account Control
Creating a file in the mass storage device
Enabling autorun by creating a file
Encrypting user's files
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41171/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive exploit filecoder globeimposter greyware medusa medusalocker ransomware shell32.dll wmic.exe
Link:
https://www.filescan.io/uploads/633ca3fbc9e2f3435432b6b0/reports/9090efda-9a4f-4df8-b29c-c006e54f6d8b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Medusa
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ae50c8b-dca1-47a7-86c9-e9d424bfe2b2
Result
Threat name:
Babuk, Cerber, Conti, Marlock
Create hunting rule
Detection:
malicious
Classification:
rans.spre.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083639
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify Windows User Account Control (UAC) settings
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Cerber ransomware
Yara detected Conti ransomware
Yara detected Marlock Ransomware
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716197 Sample: meiyp6IpaF.exe Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 7 other signatures 2->59 8 meiyp6IpaF.exe 503 76 2->8         started        13 svhost.exe 2->13         started        process3 dnsIp4 47 192.168.2.1, 274 unknown unknown 8->47 49 192.168.2.10 unknown unknown 8->49 51 98 other IPs or domains 8->51 39 C:\Users\user\AppData\Roaming\svhost.exe, PE32 8->39 dropped 41 Z:\...\tracking.log.deadfiles (copy), data 8->41 dropped 43 Z:\Recovery\...\boot.sdi.deadfiles (copy), data 8->43 dropped 45 33 other malicious files 8->45 dropped 61 Deletes shadow drive data (may be related to ransomware) 8->61 63 Writes a notice file (html or txt) to demand a ransom 8->63 65 Spreads via windows shares (copies files to share folders) 8->65 73 2 other signatures 8->73 15 WMIC.exe 1 8->15         started        17 WMIC.exe 1 8->17         started        19 WMIC.exe 1 8->19         started        21 3 other processes 8->21 67 Antivirus detection for dropped file 13->67 69 Multi AV Scanner detection for dropped file 13->69 71 Contains functionality to bypass UAC (CMSTPLUA) 13->71 75 2 other signatures 13->75 file5 signatures6 process7 process8 23 MpCmdRun.exe 1 15->23         started        25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        35 conhost.exe 21->35         started        process9 37 conhost.exe 23->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387/
Threat name:
Win32.Ransomware.MedusaLocker
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 21:22:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkd5s6smpxwe4lxptfyzb5pyoxefmq4vx46jlpmvavpui7cjkodq._file
Verdict:
malicious
Similar samples:
54b8ca90cd5c6b8053a612d2e8d99bf05f427b36e7fccc0f63427e1f386db186
MedusaLocker
66a13e8102f809e23e0ad0ba88ced5eecfa319797c9f709d090994a7143d858a
MedusaLocker
6c51f28a6ab35c91e789a4b1a05032c87a3f03006019ba4997dc092ad1c8a625
MedusaLocker
8939141fb565c044895627bbeb522d840d24899dec53545e4a925012dbf83230
MedusaLocker
a5fdfacc22914d12eec28fb085f026401db10ae51d4e549dfec6160501be0dcf
MedusaLocker
b15840fb0547fc774f371166adb89cd7a58647d4e379256a2f9806dd5a338627
MedusaLocker
cb12325d13acb03ad4f9977f426baf8b4688af04d4ffe23aa5f1bbd747a147c0
MedusaLocker
fbe10da8d483a0db6686b1f03f18b00dbc60c69fb9a9f4a941764c2c3426367c
MedusaLocker
+ 37 additional samples on MalwareBazaar
Result
Malware family:
medusalocker
Create hunting rule
Score:
  10/10
Tags:
family:medusalocker evasion ransomware spyware stealer trojan
Link:
https://tria.ge/reports/221004-z7wbfschcp/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
MedusaLocker
MedusaLocker payload
UAC bypass
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4453160c-16be-4ea2-9505-0cd1a92611ab
Unpacked files
SH256 hash:
b7634d96d331a872a41bdf67df0fd4cca5b0705388bc96a441c029ec1c5c86d9
MD5 hash:
e6976968fc62f389e34f4e5599e9254c
SHA1 hash:
7db5f4359f3c8fffbe9fa23d83f2de7852c0edba
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
SH256 hash:
8bbd2fe90567197faebeb7ab11329a1843897d4cacce99fc0020b043509b40af
MD5 hash:
bddf3bb99c6c7657b6efdfe596b4f8c9
SHA1 hash:
25da2c474a3961ee4a86b65aa90d4e41420723be
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
SH256 hash:
22e3170cc418e2703c9579ab0988870bf3ef7edff2b6181158f3d4d2455b33c5
MD5 hash:
d3f7226f971df2704a50a5e1228b482d
SHA1 hash:
facc12bb5683d3402cd6ab0c30430bfcb6bb3864
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
SH256 hash:
f5926b3eb4cf4307e1a30600739f36c6875408609e44a7f3816de4b158dc9f59
MD5 hash:
75d3ef175872e9abb452f0238dc0a776
SHA1 hash:
9972006e582fe7a1ff6d7867ccd240f6bae1569d
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
SH256 hash:
2d83ba09f6dece1dc85dc9ae1814cc3b882fada56003a87f1489ba2e8d98bc67
MD5 hash:
e0a75c86c260c6a44ff23aaabeb0a20c
SHA1 hash:
d300997572da16caa73c0c9248ba68d9aaf2a5aa
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
SH256 hash:
a24b15869a883b405c5368c002f51086a3199744be4809bbbd04a7416f7b1db3
MD5 hash:
972ab5e9cef912813e59c58a9576b656
SHA1 hash:
080c87e36aada3c5ad27aac49fe668285808a709
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
SH256 hash:
7916c7ad1a33531f941d9ada771ade2f5825ef4fc9f8473f8a988ecb16525dd8
MD5 hash:
2da8ab1192187d1f9cf02aed04b0d0b7
SHA1 hash:
326db513af5a9f898c4870ebbc62e7cd5fd71690
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
SH256 hash:
38f803929f3400537abce3adb27fb360a562bb58ef6fef5670d8eda1af042cb9
MD5 hash:
901ae11d5e7648350343469a92fad606
SHA1 hash:
29ba6d7d33c1b73033258f5c353e6f3077c45109
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
SH256 hash:
ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387
MD5 hash:
cfa482b23fa7a59641a6b816d56a3c58
SHA1 hash:
0cd9753113e29fd460dcdcffb21f364b3c5a14aa
Detections:
win_medusalocker_auto
Create hunting rule
Link:
https://www.unpac.me/results/6c5f1d4d-4e57-4874-b0aa-3cf4a9c4b588/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba87d97a4c7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba87d97a4c7dec4e2eef997190f5f875c8564395bf3c95bd95055f447c495387

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:MALWARE_Win_MedusaLocker
Create hunting rule
Author:ditekshen
Description:Detects MedusaLocker ransomware
Rule name:RansomwareTest1
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RANSOM_MedusaLocker_July22
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects MedusaLocker Ransomware
Reference:https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf
Rule name:RAN_MedusaLocker_Aug_2021_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect MedusaLocker ransomware
Reference:Internal Research
Rule name:win_medusalocker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.medusalocker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316647/

Comments