Field | Value |
---|---|
Created | 2023.07.20 17:20 |
Machine | s1_win7_x6403 |
Filename | Meduza.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
VT API (file) | 36 detected (Meduza, Malicious, score, Generic PWS, Marte, Vbga, TrojanPSW, Attribute, HighConfidence, high confidence, SpywareX, QQPass, QQRob, Rsmw, xjhwr, ai score=88, Sabsik, R589196, unsafe, Chgt, R002H0DGJ23, confidence, 100%) |
md5 | 40fbeddad5a68665f9cf789dc4658f1a |
sha256 | e5fd0cd5236b8a14e957049d52e422ac1da98077c8f37141cd1a8d0e3938d1b9 |
ssdeep | 12288:Cl2P4G+a9A35KMRvZLgVALw2/qoBqcoUhpF:ClQJZ9SZLlLdioBqcNp |
imphash | 108e18be559cec71db1f519ae1ab24ab |
impfuzzy | 48:5sUfTr9Xnu1pKxTyt7TQLuFZ/rs5vi83ccDYn9vy0rz45LeSnXZ:tXnu1p2Tyt7TQkzs5vi9csnVnjuXZ |
Signatures (26)
Level | Description |
---|---|
danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Creates known Dapato Trojan files |
watch | Creates known Dyreza Banking Trojan files |
watch | Creates known Hupigon files |
watch | Creates known Upatre files |
watch | Detects VirtualBox through the presence of a file |
watch | Harvests credentials from local email clients |
notice | A process created a hidden window |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (12)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDS alerts
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Protocol detection skipped
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Protocol detection skipped
PE API
IAT (Import Address Table) libraries
WS2_32.dll
0x140090538 inet_pton
0x140090540 WSAStartup
0x140090548 closesocket
0x140090550 socket
0x140090558 connect
0x140090560 recv
0x140090568 send
0x140090570 htons
0x140090578 WSACleanup
CRYPT32.dll
0x140090038 CryptUnprotectData
WININET.dll
0x1400904f8 InternetQueryDataAvailable
0x140090500 HttpQueryInfoW
0x140090508 InternetOpenUrlA
0x140090510 InternetReadFile
0x140090518 InternetCloseHandle
0x140090520 InternetOpenW
0x140090528 InternetOpenA
KERNEL32.dll
0x140090090 MultiByteToWideChar
0x140090098 LocalFree
0x1400900a0 WideCharToMultiByte
0x1400900a8 IsDebuggerPresent
0x1400900b0 WriteProcessMemory
0x1400900b8 TerminateProcess
0x1400900c0 GetModuleFileNameW
0x1400900c8 WaitForSingleObject
0x1400900d0 ResumeThread
0x1400900d8 CloseHandle
0x1400900e0 GetThreadContext
0x1400900e8 VirtualAllocEx
0x1400900f0 CreateProcessW
0x1400900f8 SetThreadContext
0x140090100 GetExitCodeProcess
0x140090108 ExitProcess
0x140090110 GetModuleFileNameA
0x140090118 GetVolumeInformationW
0x140090120 GetGeoInfoA
0x140090128 HeapFree
0x140090130 EnterCriticalSection
0x140090138 GetProductInfo
0x140090140 LeaveCriticalSection
0x140090148 InitializeCriticalSectionEx
0x140090150 HeapSize
0x140090158 GetLogicalDriveStringsW
0x140090160 GetTimeZoneInformation
0x140090168 GetLastError
0x140090170 HeapReAlloc
0x140090178 GetNativeSystemInfo
0x140090180 HeapAlloc
0x140090188 GetUserGeoID
0x140090190 DecodePointer
0x140090198 GetProcAddress
0x1400901a0 DeleteCriticalSection
0x1400901a8 GetComputerNameW
0x1400901b0 GetProcessHeap
0x1400901b8 GlobalMemoryStatusEx
0x1400901c0 GetModuleHandleW
0x1400901c8 RtlCaptureContext
0x1400901d0 RtlLookupFunctionEntry
0x1400901d8 RtlVirtualUnwind
0x1400901e0 UnhandledExceptionFilter
0x1400901e8 SetUnhandledExceptionFilter
0x1400901f0 SetLastError
0x1400901f8 GetCurrentProcess
0x140090200 IsProcessorFeaturePresent
0x140090208 GetCurrentProcessId
0x140090210 GetSystemTimeAsFileTime
0x140090218 FreeLibrary
0x140090220 GetModuleHandleExW
0x140090228 CreateThread
0x140090230 ExitThread
0x140090238 FreeLibraryAndExitThread
0x140090240 GetSystemInfo
0x140090248 VirtualAlloc
0x140090250 VirtualProtect
0x140090258 VirtualQuery
0x140090260 FlsAlloc
0x140090268 FlsGetValue
0x140090270 FlsSetValue
0x140090278 FlsFree
0x140090280 InitializeCriticalSectionAndSpinCount
0x140090288 LoadLibraryExW
0x140090290 GetDateFormatW
0x140090298 GetTimeFormatW
0x1400902a0 CompareStringW
0x1400902a8 LCMapStringW
0x1400902b0 GetLocaleInfoW
0x1400902b8 IsValidLocale
0x1400902c0 GetUserDefaultLCID
0x1400902c8 EnumSystemLocalesW
0x1400902d0 GetStdHandle
0x1400902d8 GetFileType
0x1400902e0 GetStartupInfoW
0x1400902e8 RaiseException
0x1400902f0 GetFileSizeEx
0x1400902f8 SetFilePointerEx
0x140090300 FlushFileBuffers
0x140090308 WriteFile
0x140090310 GetConsoleOutputCP
0x140090318 GetConsoleMode
0x140090320 ReadFile
0x140090328 ReadConsoleW
0x140090330 IsValidCodePage
0x140090338 GetACP
0x140090340 GetOEMCP
0x140090348 GetCPInfo
0x140090350 GetStringTypeW
0x140090358 SetStdHandle
0x140090360 CreateFileW
0x140090368 WriteConsoleW
0x140090370 OutputDebugStringW
0x140090378 GetEnvironmentStringsW
0x140090380 FreeEnvironmentStringsW
0x140090388 SetEnvironmentVariableW
0x140090390 SetEvent
0x140090398 ResetEvent
0x1400903a0 SetEndOfFile
0x1400903a8 CreateEventW
0x1400903b0 QueryPerformanceCounter
0x1400903b8 InitializeSListHead
0x1400903c0 RtlUnwindEx
0x1400903c8 RtlUnwind
0x1400903d0 RtlPcToFileHeader
0x1400903d8 EncodePointer
0x1400903e0 TlsAlloc
0x1400903e8 TlsGetValue
0x1400903f0 TlsSetValue
0x1400903f8 TlsFree
0x140090400 GetCommandLineA
0x140090408 GetCommandLineW
0x140090410 GetCurrentThreadId
0x140090418 WaitForSingleObjectEx
0x140090420 LCMapStringEx
0x140090428 GetExitCodeThread
0x140090430 GetFileInformationByHandleEx
0x140090438 AreFileApisANSI
0x140090440 FormatMessageA
0x140090448 GetLocaleInfoEx
0x140090450 GetCurrentDirectoryW
0x140090458 FindClose
0x140090460 FindFirstFileW
0x140090468 FindFirstFileExW
0x140090470 FindNextFileW
0x140090478 GetFileAttributesExW
USER32.dll
0x1400904c0 EnumDisplayDevicesW
0x1400904c8 GetDesktopWindow
0x1400904d0 GetDC
0x1400904d8 ReleaseDC
0x1400904e0 GetWindowRect
0x1400904e8 GetSystemMetrics
GDI32.dll
0x140090048 SelectObject
0x140090050 CreateCompatibleBitmap
0x140090058 BitBlt
0x140090060 CreateCompatibleDC
0x140090068 GetDeviceCaps
0x140090070 DeleteDC
0x140090078 GetObjectW
0x140090080 DeleteObject
ADVAPI32.dll
0x140090000 RegCloseKey
0x140090008 RegQueryValueExA
0x140090010 RegOpenKeyExA
0x140090018 GetUserNameW
0x140090020 RegEnumKeyExA
0x140090028 GetCurrentHwProfileW
SHELL32.dll
0x140090488 SHGetKnownFolderPath
0x140090490 ShellExecuteA
ole32.dll
0x1400905d0 CreateStreamOnHGlobal
0x1400905d8 CoTaskMemFree
SHLWAPI.dll
0x1400904a0 None
0x1400904a8 None
0x1400904b0 None
gdiplus.dll
0x140090588 GdiplusStartup
0x140090590 GdiplusShutdown
0x140090598 GdipCreateBitmapFromScan0
0x1400905a0 GdipSaveImageToStream
0x1400905a8 GdipGetImageEncodersSize
0x1400905b0 GdipDisposeImage
0x1400905b8 GdipCreateBitmapFromHBITMAP
0x1400905c0 GdipGetImageEncoders
EAT (Export Address Table): none