MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1367648c61fa272ebb3baed76d9df6075a81338bb646e887f2cd4ba9dc374f59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


JobCrypter


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1367648c61fa272ebb3baed76d9df6075a81338bb646e887f2cd4ba9dc374f59
SHA3-384 hash: b6b9885daf868c745faa7a63e39a245d9b7e6d8dbc00d4de297df00af1c7ec0c42e13dbce81f9531786cdaf42057b968
SHA1 hash: 8999a4b47f44f07f8cb2da8dc9934b21dd0e2507
MD5 hash: 8524294a17274452361d886d9278de32
humanhash: autumn-wisconsin-yankee-cardinal
File name:784577477.bin
Download: download sample
Signature JobCrypter
Create hunting rule
File size:662'528 bytes
First seen:2021-03-23 07:49:02 UTC
Last seen:2021-03-23 09:35:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:9nowbmV+IxPw9RYu6ccGZcakRuSnGcQatkDuczffvbQXYSg3c5GMXk1OJZUxDc:9sIumeFfnLc5v8XYhl18Zj
Threatray 762 similar samples on MalwareBazaar
TLSH 46E4E82976549A00C3C839718F97D53407A2BC8EAA36D6563AF47F8B3EFD2674D46380
Reporter JAMESWT_WT
Tags:exe Filecoder.ABC JobCrypter

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'404
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
784577477.exe
Verdict:
Malicious activity
Analysis date:
2020-08-31 08:37:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a39a9b76-37aa-40de-ab97-b257c41ad591

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126443/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.31857.8655.21719.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file
Changing a file
Modifying an executable file
Creating a window
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
JobCryptor
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/649498
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files in the recycle bin to hide itself
Drops executable to a common third party application directory
Drops script or batch files to the startup folder
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected JobCryptor Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 373705 Sample: 784577477.bin Startdate: 23/03/2021 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 5 other signatures 2->46 6 784577477.exe 18 2->6         started        11 wscript.exe 1 2->11         started        process3 dnsIp4 34 smtp.ionos.fr 213.165.67.119, 49710, 587 ONEANDONE-ASBrauerstrasse48DE Germany 6->34 18 C:\Users\user\AppData\Roaming\tredszer.exe, PE32 6->18 dropped 20 C:\Users\...\tredszer.exe:Zone.Identifier, ASCII 6->20 dropped 22 C:\Users\user\AppData\Roaming\...\cougolio.js, ASCII 6->22 dropped 24 6 other malicious files 6->24 dropped 48 Creates files in the recycle bin to hide itself 6->48 50 Drops script or batch files to the startup folder 6->50 52 Drops executable to a common third party application directory 6->52 54 Infects executable files (exe, dll, sys, html) 6->54 13 tredszer.exe 16 11->13         started        file5 signatures6 process7 dnsIp8 36 213.165.67.103, 49723, 587 ONEANDONE-ASBrauerstrasse48DE Germany 13->36 38 smtp.ionos.fr 13->38 26 C:\bootTel.dat.txt, ASCII 13->26 dropped 28 C:\MSOCache\All Users\...\setup.exe.txt, ASCII 13->28 dropped 30 C:\MSOCache\All Users\...\setup.dll.txt, ASCII 13->30 dropped 32 5 other malicious files 13->32 dropped 56 Antivirus detection for dropped file 13->56 58 Multi AV Scanner detection for dropped file 13->58 60 Machine Learning detection for dropped file 13->60 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1367648c61fa272ebb3baed76d9df6075a81338bb646e887f2cd4ba9dc374f59/
Threat name:
ByteCode-MSIL.Ransomware.JobCrypter
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 14:04:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0f5ed9c64792717b7c69940fc2e3db1a1b21515b506ab1de34da534012a5cac2
JobCrypter
150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302
JobCrypter
15c3cfbad0e3b0afe327e53605c463775ef2ae1d5c21b23928a2aa34b7e36719
JobCrypter
1f41de97656b9567db858082699fb516514a1c7ac2cb3c047543ca71566cea98
JobCrypter
3aeac75dedb84f873b1982843de3adcf11d956f1645eb7a91625de0dd67f1f8a
JobCrypter
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
JobCrypter
89d2c8b2ef681c0e34e5d0f1ecb6aa850c90380a7cced1347bf9f7ed5b3fbd31
JobCrypter
a84ff17c2a70d4953ce67e44cf6a3160feaf4a13d3bdad4aefe94810ef124c44
JobCrypter
b0840f04d3b97ae3c5873249a3a2f6393be99c73b38bbafbb0c7e749d8cb9a9b
JobCrypter
d047df658498dd43b18f3adaa2775c42d1103a0c211eb52ff1e312c9f2784149
JobCrypter
+ 752 additional samples on MalwareBazaar
Result
Malware family:
ryuk
Create hunting rule
Score:
  10/10
Tags:
family:ryuk ransomware
Link:
https://tria.ge/reports/210323-t26pqvng4a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Drops startup file
Ryuk
Unpacked files
SH256 hash:
f22ae8e4bae38bbf0dd5cb00add8480a5b77012805236336b2f43145a34983bb
MD5 hash:
cc5f1440fb289cef794da4c35672126f
SHA1 hash:
e977fc1ec8b43d3b0f7114b5fb6954306c46aab9
Link:
https://www.unpac.me/results/d8c3e728-0c1b-49d8-9736-52fa51a0ae3c/
SH256 hash:
1367648c61fa272ebb3baed76d9df6075a81338bb646e887f2cd4ba9dc374f59
MD5 hash:
8524294a17274452361d886d9278de32
SHA1 hash:
8999a4b47f44f07f8cb2da8dc9934b21dd0e2507
Link:
https://www.unpac.me/results/d8c3e728-0c1b-49d8-9736-52fa51a0ae3c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1367648c61fa272ebb3baed76d9df6075a81338bb646e887f2cd4ba9dc374f59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/126443/

Comments