84b88ac81e4872ff3bf15c72f431d101

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2021-Dec-21 16:10:08
Detected languages English - United States
Debug artifacts G:\Medusa\Release\gaze.pdb

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Possibly launches other programs:
  • CreateProcessA
Uses Microsoft's cryptographic API:
  • CryptStringToBinaryA
  • CryptDecodeObjectEx
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Enumerates local disk drives:
  • GetLogicalDriveStringsW
  • GetDriveTypeW
Malicious VirusTotal score: 61/72 (Scanned on 2025-01-16 06:50:30)
ALYac: Trojan.Ransom.Filecoder
AVG: Win32:RansomX-gen [Ransom]
AhnLab-V3: Ransomware/Win.MEDUSALOCKER.C5402963
Alibaba: Ransom:Win32/MedusaLocker.a7ccc022
Antiy-AVL: Trojan[Ransom]/Win32.Medusa
Arcabit: Trojan.Ransom.Imps.1
Avast: Win32:RansomX-gen [Ransom]
Avira: HEUR/AGEN.1318692
BitDefender: Gen:Heur.Ransom.Imps.1
Bkav: W32.AIDetectMalware
CAT-QuickHeal: Ransom.Medusa.S32195177
CTX: exe.ransomware.medusa
ClamAV: Win.Ransomware.Medusa-10025438-0
CrowdStrike: win/malicious_confidence_100% (W)
Cylance: Unsafe
Cynet: Malicious (score: 99)
DrWeb: Trojan.Siggen23.61227
ESET-NOD32: a variant of Win32/Filecoder.Medusa.A
Elastic: malicious (high confidence)
Emsisoft: Gen:Heur.Ransom.Imps.1 (B)
F-Secure: Heuristic.HEUR/AGEN.1318692
FireEye: Generic.mg.84b88ac81e4872ff
Fortinet: W32/Filecoder.MEDU!tr.ransom
GData: Win32.Trojan-Ransom.MedusaLocker.A
Google: Detected
Gridinsoft: Ransom.Win32.Generic.oa!s1
Ikarus: Trojan-Ransom.Medusa
Jiangmin: Trojan.Generic.hrdek
K7AntiVirus: Trojan ( 0059f3a21 )
K7GW: Trojan ( 0059f3a21 )
Kaspersky: HEUR:Trojan-Ransom.Win32.Generic
Kingsoft: Win32.Trojan-Ransom.Generic.a
Lionic: Trojan.Win32.Medusa.j!c
Malwarebytes: Ransom.Medusa
MaxSecure: Trojan.Malware.10307848.susgen
McAfee: Ransom-Medusa!84B88AC81E48
McAfeeD: ti!4D4DF87CF8D8
MicroWorld-eScan: Gen:Heur.Ransom.Imps.1
Microsoft: Ransom:Win32/Medusa.PA!MTB
NANO-Antivirus: Trojan.Win32.Filecoder.kbqsmi
Paloalto: generic.ml
Panda: Trj/GdSda.A
Rising: Ransom.Medusa!1.10015 (CLASSIC)
Sangfor: Ransom.Win32.Medusa.Vqfw
SentinelOne: Static AI - Malicious PE
Skyhigh: Ransom-Medusa!84B88AC81E48
Sophos: Mal/Medusa-C
Symantec: Ransom.Medusa
Tencent: Malware.Win32.Gencirc.10bf15e6
TrendMicro: Ransom.Win32.MEDUSA.THIAHBD
TrendMicro-HouseCall: Ransom.Win32.MEDUSA.THIAHBD
VBA32: BScope.TrojanPSW.Stealer
VIPRE: Gen:Heur.Ransom.Imps.1
Varist: W32/Medusa.B.gen!Eldorado
ViRobot: Trojan.Win.S.Medusa.639488
VirIT: Trojan.Win32.GenusT.DYIQ
Xcitium: Malware@#2a3z9vul8pull
Yandex: Trojan.Filecoder!kFKy0lrvcmg
Zillya: Trojan.Generic.Win32.1807576
alibabacloud: Ransomware:Win/Medusa.A
huorong: HEUR:Ransom/LockFile.a

Hashes

MD5 84b88ac81e4872ff3bf15c72f431d101
SHA1 0823d067541de16325e5454a91b57262365a0705
SHA256 4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6
SHA3 a52fd21a94d0cbc5b67f6c2eb3d1189f0649db888577c26c7642c61a0f916586
SSDeep 12288:V4eCA30wfnlxvaUwZNf6qYID7ZJuIQOsknZh20QyCkje0ZM7qgbGKTO7muYpral:3C8valgsDyfSBKXyMUkW2LILGBm3IzP
Imports Hash 82a8292007e682f1a127ba8dcebfae96

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x100

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2021-Dec-21 16:10:08
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
                IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x77c00
SizeOfInitializedData 0x2ea00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00038273 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x79000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0xaa000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                   IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                   IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 8902e5fe7d093c0eacc1af1756147f35
SHA1 8ede7b7d2a53fd3abc74c8a14401e963c674e2bb
SHA256 a5d3bf023286d1d670c73232acdb223001dbbbfb56e8ebec7ba35bd97ab4ccb4
SHA3 66ed901c0b9b20922b665b29b673feedbee5a3aa5742fb46d392b1a3551791c9
VirtualSize 0x77b47
VirtualAddress 0x1000
SizeOfRawData 0x77c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
                IMAGE_SCN_MEM_EXECUTE
                IMAGE_SCN_MEM_READ
Entropy 6.68506

.rdata

MD5 c1aa3c4b173611d966605807d5264271
SHA1 41c095e75dc5d74e84c43ef5cb8df971e530cbbf
SHA256 b0028ded1b31998e08a46538b87821b8543c18e7172f395d03126fdd66facae6
SHA3 e5045e6b91523f3028ae9514a010ff85832ec79932dcffe85cdea67fad4d2a66
VirtualSize 0x19a44
VirtualAddress 0x79000
SizeOfRawData 0x19c00
PointerToRawData 0x78000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
                IMAGE_SCN_MEM_READ
Entropy 5.37653

.data

MD5 59bebc6defcf603b0655bcd602564b43
SHA1 a368b9976292f6011bd3d19a96d1249137208add
SHA256 2aafa18278fb51dc708c866446d346a3e053b67811fba54f0c7b0e15912887fc
SHA3 61dd90354e496cb97067e9e933089b14ac85a573559cf25eb90d1e81e4e7dc96
VirtualSize 0xd714
VirtualAddress 0x93000
SizeOfRawData 0x3000
PointerToRawData 0x91c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
                IMAGE_SCN_MEM_READ
                IMAGE_SCN_MEM_WRITE
Entropy 4.52291

.rsrc

MD5 26dcbe29c388cbc6c191d09039a56f72
SHA1 446881167e17d0ccefb0d12f1052a6535a0f7aee
SHA256 21541d81ec2d20b1509b5e7ef5a71bafe2d2cc773815989ee28df0dbd7d722aa
SHA3 66daa75efad8c04294d38e7f59dbcc2d720e510169124b243b82cdcf0c0dc74a
VirtualSize 0x1e0
VirtualAddress 0xa1000
SizeOfRawData 0x200
PointerToRawData 0x94c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
                IMAGE_SCN_MEM_READ
Entropy 4.70824

.reloc

MD5 3eab52f87974bb62fbe6341ab401f648
SHA1 1c792ac720e74f841fa9a5d771252cf7cfcfb31f
SHA256 147d23c1c25a3fb06bf37e4963b22e090ae57a12f65504099d9cbcc00e3b3f06
SHA3 93bc0077ee9eb03a0019aa23c8443d6d92772047fa7a2c1876a5713c7ce7f388
VirtualSize 0x730c
VirtualAddress 0xa2000
SizeOfRawData 0x7400
PointerToRawData 0x94e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
                IMAGE_SCN_MEM_DISCARDABLE
                IMAGE_SCN_MEM_READ
Entropy 6.67734

Imports

KERNEL32.dll
  ReadFile
  SetHandleInformation
  lstrlenW
  CreatePipe
  GetFileAttributesW
  SetFileAttributesW
  GetLogicalDriveStringsW
  Sleep
  GetTickCount64
  GetDiskFreeSpaceExW
  CloseHandle
  GetConsoleWindow
  CreateProcessA
  MoveFileW
  GetDriveTypeW
  GetSystemFirmwareTable
  HeapSize
  SetStdHandle
  FreeEnvironmentStringsW
  GetEnvironmentStringsW
  GetOEMCP
  GetACP
  IsValidCodePage
  GetTimeZoneInformation
  HeapReAlloc
  FlushFileBuffers
  GetFileSizeEx
  GetConsoleCP
  EnumSystemLocalesW
  GetUserDefaultLCID
  IsValidLocale
  GetProcessHeap
  HeapAlloc
  WriteConsoleW
  HeapFree
  RaiseException
  WaitForSingleObjectEx
  SwitchToThread
  GetCurrentThreadId
  GetExitCodeThread
  GetNativeSystemInfo
  MultiByteToWideChar
  LocalFree
  FormatMessageA
  CreateFileW
  FindClose
  FindFirstFileExW
  FindNextFileW
  GetFileAttributesExW
  SetEndOfFile
  SetFilePointerEx
  AreFileApisANSI
  GetLastError
  WideCharToMultiByte
  EnterCriticalSection
  LeaveCriticalSection
  TryEnterCriticalSection
  DeleteCriticalSection
  SetLastError
  InitializeCriticalSectionAndSpinCount
  CreateEventW
  TlsAlloc
  TlsGetValue
  TlsSetValue
  TlsFree
  GetSystemTimeAsFileTime
  GetTickCount
  GetModuleHandleW
  GetProcAddress
  QueryPerformanceCounter
  EncodePointer
  DecodePointer
  GetStringTypeW
  CompareStringW
  LCMapStringW
  GetLocaleInfoW
  GetCPInfo
  SetEvent
  ResetEvent
  UnhandledExceptionFilter
  SetUnhandledExceptionFilter
  GetCurrentProcess
  TerminateProcess
  IsProcessorFeaturePresent
  IsDebuggerPresent
  GetStartupInfoW
  GetCurrentProcessId
  InitializeSListHead
  CreateTimerQueue
  SignalObjectAndWait
  CreateThread
  SetThreadPriority
  GetThreadPriority
  GetLogicalProcessorInformation
  CreateTimerQueueTimer
  ChangeTimerQueueTimer
  DeleteTimerQueueTimer
  GetNumaHighestNodeNumber
  GetProcessAffinityMask
  SetThreadAffinityMask
  RegisterWaitForSingleObject
  UnregisterWait
  GetCurrentThread
  GetThreadTimes
  FreeLibrary
  FreeLibraryAndExitThread
  GetModuleFileNameW
  GetModuleHandleA
  LoadLibraryExW
  GetVersionExW
  VirtualAlloc
  VirtualProtect
  VirtualFree
  DuplicateHandle
  ReleaseSemaphore
  InterlockedPopEntrySList
  InterlockedPushEntrySList
  InterlockedFlushSList
  QueryDepthSList
  UnregisterWaitEx
  LoadLibraryW
  RtlUnwind
  ExitThread
  GetModuleHandleExW
  SetEnvironmentVariableW
  ExitProcess
  GetStdHandle
  WriteFile
  GetCommandLineA
  GetCommandLineW
  GetConsoleMode
  ReadConsoleW
  GetFileType
  GetDateFormatW
  GetTimeFormatW

USER32.dll
  wsprintfW
  ShowWindow

bcrypt.dll
  BCryptImportKeyPair
  BCryptCloseAlgorithmProvider
  BCryptFinishHash
  BCryptSetProperty
  BCryptGetProperty
  BCryptDestroyKey
  BCryptEncrypt
  BCryptHashData
  BCryptGenerateSymmetricKey
  BCryptCreateHash
  BCryptOpenAlgorithmProvider

CRYPT32.dll
  CryptStringToBinaryA
  CryptDecodeObjectEx

Delayed Imports

Resources

1

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Debug Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2021-Dec-21 16:10:08
Version 0.0
SizeofData 51
AddressOfRawData 0x8d1a0
PointerToRawData 0x8c1a0
Referenced File G:\Medusa\Release\gaze.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2021-Dec-21 16:10:08
Version 0.0
SizeofData 20
AddressOfRawData 0x8d1d4
PointerToRawData 0x8c1d4

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2021-Dec-21 16:10:08
Version 0.0
SizeofData 940
AddressOfRawData 0x8d1e8
PointerToRawData 0x8c1e8

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2021-Dec-21 16:10:08
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x48d5a4
EndAddressOfRawData 0x48d5ac
AddressOfIndex 0x4967d0
AddressOfCallbacks 0x4792e8
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0xb8
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x493018
SEHandlerTable 0x48cddc
SEHandlerCount 241

RICH Header

XOR Key 0xc0268e29
Unmarked objects 0
ASM objects (VS2017 v14.15 compiler 26715) 17
C++ objects (VS2017 v14.15 compiler 26715) 182
C objects (VS2017 v14.15 compiler 26715) 23
C objects (VS 2015/2017/2019 runtime 28920) 18
ASM objects (VS 2015/2017/2019 runtime 28920) 23
C++ objects (VS 2015/2017/2019 runtime 28920) 146
Imports (VS2017 v14.15 compiler 26715) 9
Total imports 172
C++ objects (LTCG) (VS2019 Update 7 (16.7.1) compiler 29111) 3
Resource objects (VS2019 Update 7 (16.7.1) compiler 29111) 1
Linker (VS2019 Update 7 (16.7.1) compiler 29111) 1

Errors
