MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbf6c8f0857d888385f6bc0d46523ebcc1634e06d0e96411fc43a8ae4213d1f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MedusaLocker


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbf6c8f0857d888385f6bc0d46523ebcc1634e06d0e96411fc43a8ae4213d1f3
SHA3-384 hash: bc04c8b9f4a69975d05be9e323e2885f9de49d112bb5149d8e420e48e99a031a4d87fd547407f8da2899ac891b6b19c4
SHA1 hash: 8c0c54194a88551feec78c5a8416411ed17c4fce
MD5 hash: 115b22d9cff82d75c28e43f83f55c663
humanhash: single-glucose-oranges-skylark
File name:skynet.exe
Download: download sample
Signature MedusaLocker
Create hunting rule
File size:694'784 bytes
First seen:2021-01-29 08:58:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f2a8a842c869f344b4d75729bc60feed (8 x MedusaLocker)
ssdeep 12288:cPJ4U0TYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuwJVoM7:JzTYVQ2qZ7aSgLwuVfstRJLjYM
Threatray 4 similar samples on MalwareBazaar
TLSH A0E48D1035C2C132E97315728EBD996E416DFD220B2728DBA3C8165E5FB99F27E32532
Reporter huningnig
Tags:MedusaLocker

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
skynet.exe1
Verdict:
No threats detected
Analysis date:
2021-01-29 08:50:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c952d5f-d3af-4597-95cd-04d082a82af6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
MedusaLocker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114684/
Detection(s):
Win.Ransomware.MedusaLocker-9811280-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a file
Launching a process
Enabling the 'hidden' option for recently created files
Changing a file
Sending a UDP request
Moving a recently created file
Connection attempt
Network activity
Reading critical registry keys
Creating a window
Creating a process from a recently created file
Creating a process with a hidden window
Blocking the User Account Control
Deleting volume shadow copies
Creating a file in the mass storage device
Stealing user critical data
Enabling autorun by creating a file
Encrypting user's files
Result
Threat name:
MedusaLocker
Create hunting rule
Detection:
malicious
Classification:
rans.spre.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/593720
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify Windows User Account Control (UAC) settings
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes many files with high entropy
Yara detected MedusaLocker Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 345899 Sample: skynet.exe Startdate: 29/01/2021 Architecture: WINDOWS Score: 100 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected MedusaLocker Ransomware 2->60 62 3 other signatures 2->62 7 skynet.exe 503 56 2->7         started        12 svhost.exe 2->12         started        14 WerFault.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 50 192.168.2.100 unknown unknown 7->50 52 192.168.2.101 unknown unknown 7->52 54 98 other IPs or domains 7->54 42 C:\Users\user\AppData\Roaming\svhost.exe, PE32 7->42 dropped 44 C:\ProgramData\Microsoft\...\tokens.dat, CLIPPER 7->44 dropped 46 C:\Users\user\...\svhost.exe:Zone.Identifier, ASCII 7->46 dropped 48 95 other malicious files 7->48 dropped 64 Deletes shadow drive data (may be related to ransomware) 7->64 66 Spreads via windows shares (copies files to share folders) 7->66 68 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 7->68 70 Writes many files with high entropy 7->70 18 WMIC.exe 1 7->18         started        20 WMIC.exe 1 7->20         started        22 WMIC.exe 1 7->22         started        26 3 other processes 7->26 72 Multi AV Scanner detection for dropped file 12->72 74 Contains functionality to bypass UAC (CMSTPLUA) 12->74 76 Contains functionality to modify Windows User Account Control (UAC) settings 12->76 24 explorer.exe 14->24 injected file5 signatures6 process7 process8 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 WerFault.exe 5 24->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbf6c8f0857d888385f6bc0d46523ebcc1634e06d0e96411fc43a8ae4213d1f3/
Threat name:
Win32.Ransomware.MedusaLocker
Create hunting rule
Status:
Malicious
First seen:
2020-11-29 01:44:36 UTC
AV detection:
42 of 48 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7p3mr4efpweihbpwxqgumur6xtawgtqg2duwiep4iouk4qqt2hzq._file
Verdict:
malicious
Similar samples:
58290a95e1795ec7312e4ce26bfff7e0fb7a620a3aac2627d3ae6c83f5a4bf60
MedusaLocker
8597f458f1dcc5ecdf209d9c98b1f72c2fce2486236a3ae73adbe26fb6f9c671
MedusaLocker
8b9bdc5cf5534d377a6201d1803a5aa0915b93c9df524307118fd61f361bdba2
MedusaLocker
bc8487f444ed159dc422bc062c47141357eb64fc49838e5bfd758e05a8317343
MedusaLocker
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion ransomware spyware trojan
Link:
https://tria.ge/reports/210129-3m4sl1alsx/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
UAC bypass
Unpacked files
SH256 hash:
b7634d96d331a872a41bdf67df0fd4cca5b0705388bc96a441c029ec1c5c86d9
MD5 hash:
e6976968fc62f389e34f4e5599e9254c
SHA1 hash:
7db5f4359f3c8fffbe9fa23d83f2de7852c0edba
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
SH256 hash:
8bbd2fe90567197faebeb7ab11329a1843897d4cacce99fc0020b043509b40af
MD5 hash:
bddf3bb99c6c7657b6efdfe596b4f8c9
SHA1 hash:
25da2c474a3961ee4a86b65aa90d4e41420723be
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
SH256 hash:
22e3170cc418e2703c9579ab0988870bf3ef7edff2b6181158f3d4d2455b33c5
MD5 hash:
d3f7226f971df2704a50a5e1228b482d
SHA1 hash:
facc12bb5683d3402cd6ab0c30430bfcb6bb3864
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
SH256 hash:
f5926b3eb4cf4307e1a30600739f36c6875408609e44a7f3816de4b158dc9f59
MD5 hash:
75d3ef175872e9abb452f0238dc0a776
SHA1 hash:
9972006e582fe7a1ff6d7867ccd240f6bae1569d
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
SH256 hash:
2d83ba09f6dece1dc85dc9ae1814cc3b882fada56003a87f1489ba2e8d98bc67
MD5 hash:
e0a75c86c260c6a44ff23aaabeb0a20c
SHA1 hash:
d300997572da16caa73c0c9248ba68d9aaf2a5aa
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
SH256 hash:
a24b15869a883b405c5368c002f51086a3199744be4809bbbd04a7416f7b1db3
MD5 hash:
972ab5e9cef912813e59c58a9576b656
SHA1 hash:
080c87e36aada3c5ad27aac49fe668285808a709
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
SH256 hash:
7916c7ad1a33531f941d9ada771ade2f5825ef4fc9f8473f8a988ecb16525dd8
MD5 hash:
2da8ab1192187d1f9cf02aed04b0d0b7
SHA1 hash:
326db513af5a9f898c4870ebbc62e7cd5fd71690
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
SH256 hash:
38f803929f3400537abce3adb27fb360a562bb58ef6fef5670d8eda1af042cb9
MD5 hash:
901ae11d5e7648350343469a92fad606
SHA1 hash:
29ba6d7d33c1b73033258f5c353e6f3077c45109
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
SH256 hash:
fbf6c8f0857d888385f6bc0d46523ebcc1634e06d0e96411fc43a8ae4213d1f3
MD5 hash:
115b22d9cff82d75c28e43f83f55c663
SHA1 hash:
8c0c54194a88551feec78c5a8416411ed17c4fce
Detections:
win_medusalocker_auto
Create hunting rule
Link:
https://www.unpac.me/results/5cea9e6e-67b8-4bed-b4f9-a08401e44666/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptolocker
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbf6c8f0857d888385f6bc0d46523ebcc1634e06d0e96411fc43a8ae4213d1f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:MALWARE_Win_MedusaLocker
Create hunting rule
Author:ditekshen
Description:Detects MedusaLocker ransomware
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:win_medusalocker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/114684/

Comments