646698572afbbf24f50ec5681feb2db7

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Oct-31 06:08:40
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to system / monitoring tools:
  • bcdedit.exe
  • vssadmin.exe
Contains references to security software:
  • Defwatch.exe
  • RTVscan.exe
  • ZhuDongFangYu.exe
Looks for VMWare presence:
  • vmware
Contains domain names:
  • https://protonmail.com
  • https://www.torproject.org
  • protonmail.com
  • torproject.org
  • www.torproject.org
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
  • SwitchToThread
Can access the registry:
  • RegCreateKeyW
  • RegOpenKeyExW
  • RegSetValueExW
  • RegCloseKey
  • RegDeleteValueW
Possibly launches other programs:
  • CreateProcessW
Uses Microsoft's cryptographic API:
  • CryptExportKey
  • CryptReleaseContext
  • CryptGenKey
  • CryptImportKey
  • CryptDestroyKey
  • CryptAcquireContextW
  • CryptEncrypt
  • CryptDuplicateKey
  • CryptStringToBinaryA
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Leverages the raw socket API to access the Internet:
  • inet_addr
Functions related to the privilege level:
  • OpenProcessToken
Interacts with services:
  • OpenSCManagerW
  • DeleteService
  • ControlService
  • OpenServiceW
  • QueryServiceStatusEx
Manipulates other processes:
  • Process32NextW
  • Process32FirstW
  • OpenProcess
Malicious VirusTotal score: 63/71 (Scanned on 2024-03-31 23:01:45)
ALYac: Trojan.Ransom.MedusaLocker
APEX: Malicious
AVG: Win32:RansomX-gen [Ransom]
AhnLab-V3: Ransomware/Win.MedusaLocker.R335910
Alibaba: Ransom:Win32/Medusalocker.9b2
Antiy-AVL: Trojan[Ransom]/Win32.Medusa
Arcabit: Generic.Ransom.MedusaLocker.5C3CF31C
Avast: Win32:RansomX-gen [Ransom]
Avira: HEUR/AGEN.1367031
BitDefender: Generic.Ransom.MedusaLocker.5C3CF31C
BitDefenderTheta: Gen:NN.ZexaF.36802.PuW@aK13@tci
Bkav: W32.AIDetectMalware
CAT-QuickHeal: Ransom.Medusa.S13913779
ClamAV: Win.Ransomware.Medusalocker-9811271-0
CrowdStrike: win/malicious_confidence_100% (W)
Cybereason: malicious.72afbb
Cylance: unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
DrWeb: Trojan.DownLoader30.34100
ESET-NOD32: a variant of Win32/Filecoder.MedusaLocker.C
Emsisoft: Generic.Ransom.MedusaLocker.5C3CF31C (B)
F-Secure: Heuristic.HEUR/AGEN.1367031
FireEye: Generic.mg.646698572afbbf24
Fortinet: W32/Filecoder.NYA!tr.ransom
GData: Win32.Trojan-Ransom.Medusa.A
Google: Detected
Gridinsoft: Ransom.Win32.Filecoder.oa!s1
Ikarus: Trojan-Ransom.Medusalocker
Jiangmin: Trojan.DelShad.ka
K7AntiVirus: Trojan ( 0055a9531 )
K7GW: Trojan ( 0055a9531 )
Kaspersky: Trojan-Ransom.Win32.Medusa.n
Kingsoft: Win32.Troj.Generic.jm
Lionic: Trojan.Win32.Medusa.trmQ
MAX: malware (ai score=100)
Malwarebytes: Generic.Malware.AI.DDS
MaxSecure: Trojan.Malware.74712304.susgen
McAfee: Ransomware-GUN!646698572AFB
MicroWorld-eScan: Generic.Ransom.MedusaLocker.5C3CF31C
Microsoft: Ransom:Win32/MedusaLocker.AC!MTB
NANO-Antivirus: Trojan.Win32.Medusa.ggetwi
Panda: Trj/Genetic.gen
Rising: Ransom.MedusaLocker!1.C21A (CLASSIC)
Sangfor: Ransom.Win32.Save.a
SentinelOne: Static AI - Malicious PE
Skyhigh: BehavesLike.Win32.Generic.jh
Sophos: Troj/Medusa-Fam
Symantec: Ransom.GlobeImposter
TACHYON: Ransom/W32.MedusaLocker.685568
Tencent: Trojan-Ransom.Win32.Filecoder.16000562
TrendMicro: Ransom.Win32.MEDUSALOCKER.SMTH
TrendMicro-HouseCall: Ransom.Win32.MEDUSALOCKER.SMTH
VBA32: Trojan.DelShad
VIPRE: Generic.Ransom.MedusaLocker.5C3CF31C
Varist: W32/Ransom.OB.gen!Eldorado
ViRobot: Trojan.Win32.Z.Medusalocker.685568.BB
VirIT: Trojan.Win32.Genus.IKJ
Xcitium: Malware@#7cjnwimxf334
Yandex: Trojan.GenAsa!UnIYK6oKv/c
Zillya: Trojan.Filecoder.Win32.10829
ZoneAlarm: Trojan-Ransom.Win32.Medusa.n
alibabacloud: RansomWare:Win/Medusalocker

Hashes

MD5 646698572afbbf24f50ec5681feb2db7
SHA1 70530bc23bad38e6aee66cbb2c2f58a96a18fb79
SHA256 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
SHA3 cbd9630858ad2afc798b7f71edc0d0bd4e4388b62b9ec3416b2106418ec4c517
SSDeep 12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8D4KD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWdKrKe
Imports Hash 1a395bd10b20c116b11c2db5ee44c225

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2019-Oct-31 06:08:40
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x72c00
SizeOfInitializedData 0x35800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0003A327 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x74000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0xab000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 62ab731da61aadc4812e6c88c169eb62
SHA1 4d06ee5cad4b027b56c2ddc49655303ec7f41184
SHA256 fe7586418095c398f853ffadf4444792d9de0fc54c90d50beda1152f06b33b01
SHA3 3b554c8ae2acab64e0b8780e66636c6ddc540f89e008a2805d00bc89ef4fde63
VirtualSize 0x72bb6
VirtualAddress 0x1000
SizeOfRawData 0x72c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.54453

.rdata

MD5 b643b039e9acfa5da219f14ae45070c3
SHA1 41ec5bd467450fd117b355d84c963bb04f154f8a
SHA256 8c10c473a4b95e3a41b897cdef41e27f49bd8e23fd7621293e9b69682548286e
SHA3 62996b84f91cf459ee9d8eb052d9b91f12f2c38237d10bd09721bd8080193503
VirtualSize 0x2adb2
VirtualAddress 0x74000
SizeOfRawData 0x2ae00
PointerToRawData 0x73000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.68826

.data

MD5 de1ce69e42bb10e84668970b0de23b26
SHA1 47264d05ef0aac61c9d60fc7fdb5e7a29298e27b
SHA256 22a56c86cf2252396062ec9e1d96565138b7ae1305129f379be9f5c746fe434e
SHA3 75e3f54ebce8a7d322d32b2a3813388a3196a9e377951cb22b4e08ac9334b75e
VirtualSize 0x4b68
VirtualAddress 0x9f000
SizeOfRawData 0x3a00
PointerToRawData 0x9de00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.77903

.rsrc

MD5 cb2274e49389fb51fd23c9bcf7155c5b
SHA1 23e9ed9a39c4535d176687f2f1210c1a444877c0
SHA256 ea98f48ecfb1951640cbe9337bfbcd1f958cd77fdeb15589e962d843c35bf208
SHA3 553be55060a3a4253b72e81350dfa9a25370d4dff2bb98fcad45218905257201
VirtualSize 0x1e0
VirtualAddress 0xa4000
SizeOfRawData 0x200
PointerToRawData 0xa1800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.70824

.reloc

MD5 5a67776ffd65edba638353ceac158796
SHA1 7767e53dc817bc8c1d3f13eb998ec557feae3656
SHA256 8497aeacf6a9d2356a03302d2335cedfcf3962f3ac88be8d23ed5f7c67eb22a6
SHA3 f31ecbdadf079046ac3a3fffbef58aec5b4e7554cee3745d8b3010f4df3bb597
VirtualSize 0x5a7c
VirtualAddress 0xa5000
SizeOfRawData 0x5c00
PointerToRawData 0xa1a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.56882

Imports

KERNEL32.dll
Process32NextW
Process32FirstW
CreateProcessW
GetTickCount
CopyFileW
GetCurrentProcess
WriteConsoleW
CreateToolhelp32Snapshot
OpenProcess
WaitForSingleObject
TerminateProcess
FindClose
FindNextVolumeW
GetVolumePathNamesForVolumeNameW
FindVolumeClose
SetVolumeMountPointW
FindFirstVolumeW
QueryDosDeviceW
GetEnvironmentVariableW
GetLogicalDrives
GetProcessHeap
MoveFileExW
SetFilePointerEx
HeapAlloc
CloseHandle
GetLastError
SetFileAttributesW
GetFileAttributesW
CreateFileW
WriteFile
HeapSize
GetConsoleMode
GetConsoleCP
FlushFileBuffers
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
HeapReAlloc
GetFileType
GetTimeZoneInformation
EnumSystemLocalesW
HeapFree
GetFileSizeEx
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetStdHandle
ReadFile
OpenMutexW
Sleep
CreateMutexW
GetModuleFileNameW
SetEnvironmentVariableW
EncodePointer
DecodePointer
RaiseException
GetCurrentThreadId
IsProcessorFeaturePresent
QueueUserWorkItem
GetModuleHandleExW
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
QueryPerformanceCounter
QueryPerformanceFrequency
FormatMessageW
WideCharToMultiByte
MultiByteToWideChar
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
WaitForSingleObjectEx
GetStringTypeW
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
SetEvent
ResetEvent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
LocalFree
CreateTimerQueue
SignalObjectAndWait
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetCurrentThread
GetThreadTimes
FreeLibrary
FreeLibraryAndExitThread
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
DuplicateHandle
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
LoadLibraryW
RtlUnwind
ExitProcess
ADVAPI32.dll
CryptExportKey
RegCreateKeyW
RegOpenKeyExW
RegSetValueExW
RegCloseKey
CryptReleaseContext
CryptGenKey
CryptImportKey
OpenProcessToken
GetTokenInformation
CloseServiceHandle
OpenSCManagerW
DeleteService
ControlService
EnumDependentServicesW
OpenServiceW
QueryServiceStatusEx
CryptDestroyKey
CryptAcquireContextW
CryptEncrypt
CryptDuplicateKey
RegDeleteValueW
SHELL32.dll
SHEmptyRecycleBinW
ole32.dll
CLSIDFromString
IIDFromString
CoInitializeEx
CoGetObject
CoInitialize
CoUninitialize
CoCreateInstance
CoInitializeSecurity
OLEAUT32.dll
SysAllocStringByteLen
VariantClear
SysAllocString
SysStringByteLen
VariantInit
SysFreeString
CRYPT32.dll
CryptStringToBinaryA
MPR.dll
WNetGetConnectionW
NETAPI32.dll
NetApiBufferFree
NetShareEnum
IPHLPAPI.DLL
IcmpSendEcho
IcmpCloseHandle
GetAdaptersInfo
IcmpCreateFile
WS2_32.dll
inet_addr
RstrtMgr.DLL
RmShutdown
RmRegisterResources
RmStartSession
RmGetList
RmEndSession

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Debug Info

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Oct-31 06:08:40
Version 0.0
SizeofData 940
AddressOfRawData 0x9903c
PointerToRawData 0x9803c

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2019-Oct-31 06:08:40
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x4993f8
EndAddressOfRawData 0x499400
AddressOfIndex 0x4a31a8
AddressOfCallbacks 0x474398
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0xa4
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x49f074
SEHandlerTable 0x498b50
SEHandlerCount 315

RICH Header

XOR Key 0x8be15043
Unmarked objects 0
ASM objects (VS2017 v14.15 compiler 26715) 17
C++ objects (VS2017 v14.15 compiler 26715) 169
C objects (VS2017 v14.15 compiler 26715) 23
C objects (CVTCIL) (VS2017 v14.15 compiler 26715) 1
ASM objects (27521) 24
C++ objects (27521) 131
C objects (27521) 36
Imports (VS2017 v14.15 compiler 26715) 23
Total imports 219
C++ objects (LTCG) (VS2019 Update 1 (16.1) compiler 27702) 13
Resource objects (VS2019 Update 1 (16.1) compiler 27702) 1
Linker (VS2019 Update 1 (16.1) compiler 27702) 1

Errors
