Field | Value |
---|---|
Created | 2023.05.26 09:32 |
Machine | s1_win7_x6401 |
Filename | Medusa-2.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 22 detected (Vzl3, malicious, Attribute, HighConfidence, high confidence, score, SpywareX, SMOKELOADER, YXDEYZ, Casdet, Artemis, unsafe, z1lGr5sNoqR, confidence) |
md5 | 4c213248be08249f75b68d85dcdf3365 |
sha256 | f0c730ae57d07440a0de0889db93705c1724f8c3c628ee16a250240cc4f91858 |
ssdeep | 12288:qNKLjILWnymhwEu5GmudCkDrvnZdbwAx8oYZL38:XISnjhDmuQk/vbwA25ZLM |
imphash | e3801b8f348abd7ecd0dc57530776b10 |
impfuzzy | 48:fCbUo1pQ2utxYaC9VZZ475vig3DisYn9vy0rz45LiSIXZ:Xo1pLutxYaCVK75vi13nVnPnXZ |
Network IP location
Signature (13cnts)
Level | Description |
---|---|
warning | File has been identified by 22 AntiVirus engines on VirusTotal as malicious |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Protocol detection skipped
SURICATA Applayer Protocol detection skipped
PE API
IAT(Import Address Table) Library
WS2_32.dll
0x1400824a8 WSACleanup
0x1400824b0 htons
0x1400824b8 inet_pton
0x1400824c0 WSAStartup
0x1400824c8 send
0x1400824d0 socket
0x1400824d8 connect
0x1400824e0 recv
0x1400824e8 closesocket
CRYPT32.dll
0x140082030 CryptUnprotectData
WININET.dll
0x140082470 InternetOpenA
0x140082478 InternetCloseHandle
0x140082480 InternetReadFile
0x140082488 InternetQueryDataAvailable
0x140082490 InternetOpenUrlA
0x140082498 HttpQueryInfoW
KERNEL32.dll
0x140082088 MultiByteToWideChar
0x140082090 LocalFree
0x140082098 WideCharToMultiByte
0x1400820a0 ExitProcess
0x1400820a8 GetModuleFileNameA
0x1400820b0 GetVolumeInformationW
0x1400820b8 HeapFree
0x1400820c0 EnterCriticalSection
0x1400820c8 GetProductInfo
0x1400820d0 LeaveCriticalSection
0x1400820d8 InitializeCriticalSectionEx
0x1400820e0 HeapSize
0x1400820e8 GetTimeZoneInformation
0x1400820f0 GetLastError
0x1400820f8 HeapReAlloc
0x140082100 GetNativeSystemInfo
0x140082108 HeapAlloc
0x140082110 DecodePointer
0x140082118 GetProcAddress
0x140082120 DeleteCriticalSection
0x140082128 GetComputerNameW
0x140082130 GetProcessHeap
0x140082138 GlobalMemoryStatusEx
0x140082140 GetModuleHandleW
0x140082148 RtlCaptureContext
0x140082150 RtlLookupFunctionEntry
0x140082158 RtlVirtualUnwind
0x140082160 IsDebuggerPresent
0x140082168 UnhandledExceptionFilter
0x140082170 SetUnhandledExceptionFilter
0x140082178 SetLastError
0x140082180 GetCurrentProcess
0x140082188 TerminateProcess
0x140082190 IsProcessorFeaturePresent
0x140082198 GetCurrentProcessId
0x1400821a0 GetSystemTimeAsFileTime
0x1400821a8 GetSystemInfo
0x1400821b0 VirtualAlloc
0x1400821b8 VirtualProtect
0x1400821c0 VirtualQuery
0x1400821c8 GetCurrentThreadId
0x1400821d0 FlsAlloc
0x1400821d8 FlsGetValue
0x1400821e0 FlsSetValue
0x1400821e8 FlsFree
0x1400821f0 InitializeCriticalSectionAndSpinCount
0x1400821f8 FreeLibrary
0x140082200 LoadLibraryExW
0x140082208 GetDateFormatW
0x140082210 GetTimeFormatW
0x140082218 LCMapStringW
0x140082220 GetLocaleInfoW
0x140082228 IsValidLocale
0x140082230 GetUserDefaultLCID
0x140082238 EnumSystemLocalesW
0x140082240 GetFileSizeEx
0x140082248 SetFilePointerEx
0x140082250 GetStdHandle
0x140082258 GetFileType
0x140082260 GetStartupInfoW
0x140082268 FlushFileBuffers
0x140082270 WriteFile
0x140082278 GetConsoleOutputCP
0x140082280 GetConsoleMode
0x140082288 CloseHandle
0x140082290 ReadFile
0x140082298 ReadConsoleW
0x1400822a0 RaiseException
0x1400822a8 GetModuleHandleExW
0x1400822b0 IsValidCodePage
0x1400822b8 GetACP
0x1400822c0 GetOEMCP
0x1400822c8 GetCPInfo
0x1400822d0 GetStringTypeW
0x1400822d8 SetStdHandle
0x1400822e0 GetModuleFileNameW
0x1400822e8 CreateFileW
0x1400822f0 WriteConsoleW
0x1400822f8 OutputDebugStringW
0x140082300 GetEnvironmentStringsW
0x140082308 FreeEnvironmentStringsW
0x140082310 SetEnvironmentVariableW
0x140082318 SetEvent
0x140082320 ResetEvent
0x140082328 WaitForSingleObjectEx
0x140082330 CreateEventW
0x140082338 QueryPerformanceCounter
0x140082340 InitializeSListHead
0x140082348 RtlUnwindEx
0x140082350 RtlUnwind
0x140082358 RtlPcToFileHeader
0x140082360 SetEndOfFile
0x140082368 EncodePointer
0x140082370 TlsAlloc
0x140082378 TlsGetValue
0x140082380 TlsSetValue
0x140082388 TlsFree
0x140082390 GetCommandLineA
0x140082398 GetCommandLineW
0x1400823a0 CompareStringW
0x1400823a8 LCMapStringEx
0x1400823b0 GetFileInformationByHandleEx
0x1400823b8 AreFileApisANSI
0x1400823c0 FormatMessageA
0x1400823c8 GetLocaleInfoEx
0x1400823d0 GetCurrentDirectoryW
0x1400823d8 FindClose
0x1400823e0 FindFirstFileW
0x1400823e8 FindFirstFileExW
0x1400823f0 FindNextFileW
0x1400823f8 GetFileAttributesExW
USER32.dll
0x140082438 EnumDisplayDevicesW
0x140082440 GetDesktopWindow
0x140082448 GetDC
0x140082450 ReleaseDC
0x140082458 GetWindowRect
0x140082460 GetSystemMetrics
GDI32.dll
0x140082040 CreateCompatibleDC
0x140082048 SelectObject
0x140082050 CreateCompatibleBitmap
0x140082058 BitBlt
0x140082060 GetDeviceCaps
0x140082068 DeleteDC
0x140082070 GetObjectW
0x140082078 DeleteObject
ADVAPI32.dll
0x140082000 RegCloseKey
0x140082008 RegQueryValueExA
0x140082010 RegOpenKeyExA
0x140082018 GetUserNameW
0x140082020 GetCurrentHwProfileW
SHELL32.dll
0x140082408 SHGetKnownFolderPath
ole32.dll
0x140082540 CreateStreamOnHGlobal
0x140082548 CoTaskMemFree
SHLWAPI.dll
0x140082418 None
0x140082420 None
0x140082428 None
gdiplus.dll
0x1400824f8 GdiplusStartup
0x140082500 GdiplusShutdown
0x140082508 GdipCreateBitmapFromScan0
0x140082510 GdipSaveImageToStream
0x140082518 GdipGetImageEncodersSize
0x140082520 GdipDisposeImage
0x140082528 GdipCreateBitmapFromHBITMAP
0x140082530 GdipGetImageEncoders
EAT(Export Address Table) is none