medusalocker | 5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7

Sharing

Copy URL

Twitter E-mail

General

Target

5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7
Size

4.4MB
MD5

0985085ac2b5c9f2c64d3603e0dc23b6
SHA1

236af16ac472f6bcd9c6d56b5c270a7527059f21
SHA256

5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7
SHA512

d5422987d369673373dbadbf1c5e559135b1f6f6e6f7f5144ba73371d045c4b160ac869e6489a76e550a59b522ad563e831fca09717aee3e35a5d8a599c3922c
SSDEEP

49152:t5L1XVcPYu8kgVwGv5rsa/uCPJnwC9GG5YbtRqRsV5lDbKfDyqSvC9+7WQ3WLFnp:t5L4Yu8kVGhrsaG2nw+f+q//Kp/LK

Score

10^/10

medusalocker

Malware Config

Signatures

MedusaLocker payload 1 IoCs

Processes:

resource yara_rule

sample family_medusalocker
Medusalocker family
medusalocker

resource	yara_rule
sample	family_medusalocker

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7

Files

5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7
.exe windows x86

ea8efe958d7a465d533da661db2a26b6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetOEMCP
GetACP
IsValidCodePage
SetStdHandle
GetTimeZoneInformation
ReadFile
HeapReAlloc
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
HeapSize
WriteConsoleW
GetConsoleWindow
GetCommandLineA
GetModuleFileNameA
GetCurrentDirectoryW
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
GetFileInformationByHandle
GetFullPathNameW
SetEndOfFile
SetFilePointerEx
AreFileApisANSI
CloseHandle
GetLastError
MoveFileExW
GetFileInformationByHandleEx
MultiByteToWideChar
WideCharToMultiByte
RaiseException
WaitForSingleObjectEx
Sleep
SwitchToThread
GetCurrentThreadId
GetExitCodeThread
LocalFree
FormatMessageA
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
QueryPerformanceCounter
QueryPerformanceFrequency
InitOnceBeginInitialize
InitOnceComplete
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
TryEnterCriticalSection
DeleteCriticalSection
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
LCMapStringEx
EncodePointer
DecodePointer
CompareStringEx
GetCPInfo
GetStringTypeW
SetLastError
GetSystemTime
SystemTimeToFileTime
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SwitchToFiber
DeleteFiber
CreateFiber
GetModuleHandleExW
FindFirstFileW
GetStdHandle
GetEnvironmentVariableW
GetFileType
WriteFile
ConvertFiberToThread
ConvertThreadToFiber
GetCurrentProcessId
FreeLibrary
LoadLibraryA
LoadLibraryW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
SetEvent
ResetEvent
CreateEventW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwind
LoadLibraryExW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetDriveTypeW
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ExitProcess
SetConsoleCtrlHandler
GetModuleFileNameW
GetFileSizeEx
HeapAlloc
FlushFileBuffers
GetConsoleOutputCP
HeapFree

user32

MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
ShowWindow

advapi32

RegSetValueExA
RegCloseKey
ReportEventW
RegisterEventSourceW
DeregisterEventSource
RegCreateKeyExA

ws2_32

select
shutdown
WSASocketW
inet_pton
getaddrinfo
WSAStartup
getpeername
send
__WSAFDIsSet
ntohs
connect
recv
freeaddrinfo
ioctlsocket
getnameinfo
setsockopt
WSAGetLastError
WSACleanup
closesocket
socket
getsockopt
WSASetLastError

crypt32

CertEnumCertificatesInStore
CertCloseStore
CertOpenSystemStoreW
CertFreeCertificateContext

bcrypt

BCryptGenRandom

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 468KB - Virtual size: 468KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 30KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ea8efe958d7a465d533da661db2a26b6

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ws2_32

crypt32

bcrypt

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 468KB - Virtual size: 468KB

.data Size: 30KB - Virtual size: 45KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 64KB - Virtual size: 63KB

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 468KB - Virtual size: 468KB

.data
Size: 30KB - Virtual size: 45KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 64KB - Virtual size: 63KB