ioc[.]one - OSINT Cyber Threat Intelligence Database

Threat actor believed to be spreading new MedusaLocker variant since 2022

Tags

country:	Argentina Brazil Colombia Germany France Italy Spain Mexico
attack-pattern:	Data Credentials - T1589.001 Domains - T1583.001 Domains - T1584.001 Malware - T1587.001 Malware - T1588.001 Multi-Factor Authentication - T1556.006 Pass The Hash - T1550.002 Powershell - T1059.001 Private Keys - T1552.004 Server - T1583.004 Server - T1584.004 Software - T1592.002 Tool - T1588.002 Pass The Hash - T1075 Powershell - T1086 Private Keys - T1145

Show in Graph

Common Information

Type	Value
UUID	b9bc91ca-2cbf-4c2e-bfb1-fd21b76411df
Fingerprint	a53d198588f3b665
Analysis status	DONE
Considered CTI value	2
Text language
Published	Oct. 3, 2024, 6 a.m.
Added to db	Oct. 3, 2024, 12:32 p.m.
Last updated	Nov. 15, 2024, 1:55 p.m.
Headline	Cisco Talos Blog
Title	Threat actor believed to be spreading new MedusaLocker variant since 2022
Detected Hints/Tags/Attributes	77/2/57

Source URLs

	Redirection	Url
Details	Source	https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/
Details	Source	https://malware.news/t/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/87047

URL Provider

Details	Provider	Source level domain
Details	malware.news	malware.news
Details	talosintelligence.com	blog.talosintelligence.com

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	68	✔	Cisco Talos Blog	https://blog.talosintelligence.com/rss/	2024-08-30 22:08
Details	158	✔	Malware Analysis, News and Indicators - Latest topics	https://malware.news/latest.rss	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	Domain	904	snort.org
Details	File	16	3869.exe
Details	File	51	install.bat
Details	File	7	disabler.exe
Details	File	1	invoke-thehash.ps1
Details	File	3	invoke-smbexec.ps1
Details	File	3	invoke-wmiexec.ps1
Details	File	1	ntlhost.exe
Details	File	13	advanced_port_scanner.exe
Details	File	1	is-juad3.tmp
Details	File	1	3869.tmp
Details	File	23	1.rar
Details	File	40	netscan.exe
Details	File	56	processhacker.exe
Details	File	11	pchunter64.exe
Details	File	1	invoke-smbclient.ps1
Details	File	1	invoke-smbenum.ps1
Details	File	16	64.exe
Details	File	1	c:\users\user\desktop\64.exe
Details	File	1	c:\users\user\desktop\rclone.exe
Details	File	1	tool.pas
Details	sha256	2	33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a
Details	sha256	2	b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f
Details	sha256	2	63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499
Details	sha256	2	270c3354b3ee2940b499e365eaba143fba9d458f434dc38e663dc0f08e96121e
Details	sha256	2	759b96f44806578cc0836a3a2bf11c8bc553effac72f8d28b94aec78b66be906
Details	sha256	2	9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7
Details	sha256	2	8bc455e5de35290f8a94376357947bd72aaf6f4d452c25a8ef444e037ef76b9f
Details	sha256	2	d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0
Details	sha256	2	1f2df15442593b159e45d16a27e4d43d3a9062da212a588ba4c048f214a0b7be
Details	sha256	2	1e9246e6a35731143368eaa0ade4f3cf576d6b22e6090152f6e94f1fa3070651
Details	sha256	2	6ae3a58a78be9c606009c657de4e390538b21ad951e62b6f4d31138e1a75732c
Details	sha256	2	2eddfe711c32ef1668e14a10d00452c83c29e394e17c41f491550a1583c1bcac
Details	sha256	2	dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6
Details	sha256	2	48046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54
Details	sha256	2	c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801
Details	sha256	2	012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe
Details	sha256	2	8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625
Details	sha256	2	364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca
Details	sha256	2	5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2
Details	IPv4	5	5.0.1.1
Details	Pdb	1	e:\paid_memes\wmi_smb_rdp_checker\release\checker.pdb
Details	Pdb	1	d:\projects\paid_memes\pth\release\pth.pdb
Details	Pdb	1	d:\projects\paid_memes\mimik\release\stub_mimik.pdb
Details	Pdb	1	stub.pdb
Details	Pdb	1	stub_win_x64_encrypter.pdb
Details	Pdb	1	stub_win_x86_encrypter.pdb
Details	Pdb	1	checker.pdb
Details	Pdb	1	stub_mimik.pdb
Details	Pdb	1	phantom.pdb
Details	Pdb	1	pth.pdb
Details	Windows Registry Key	1	HKEY_CURRENT_USER\SOFTWARE\PAIDMEMES\PUBLIC
Details	Windows Registry Key	1	HKEY_CURRENT_USER\SOFTWARE\PAIDMEMES\PRIVATE
Details	Windows Registry Key	1	HKCU\SOFTWARE\PAIDMEMES\PUBLIC
Details	Windows Registry Key	1	HKCU\SOFTWARE\PAIDMEMES\PRIVATE
Details	Windows Registry Key	1	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ
Details	Windows Registry Key	1	HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ