MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f41de97656b9567db858082699fb516514a1c7ac2cb3c047543ca71566cea98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


JobCrypter


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f41de97656b9567db858082699fb516514a1c7ac2cb3c047543ca71566cea98
SHA3-384 hash: c1b93e3562e4f03df9be31bb3995667f52795dfe23102f2210acd0295c96db9d916ecc94007808b6fbbe98c2612ec8cb
SHA1 hash: 66ee46d73644bc77bb8eabd8bbc3382524e35cff
MD5 hash: a96c22902a9a7c5d4fc3282473297db7
humanhash: venus-arkansas-four-sierra
File name:784754123687.bin
Download: download sample
Signature JobCrypter
Create hunting rule
File size:652'288 bytes
First seen:2021-03-23 07:49:13 UTC
Last seen:2021-03-23 09:35:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:Ec0lbAlGp79y9glg7diRUx+0dvM9V3nXhQ:6x59blO0RUvvM9V3i
Threatray 646 similar samples on MalwareBazaar
TLSH ABD4E52972909A01C7E435758F93C43503A2BD4E6A35D60A3AF43F9B3EFD26B8C46785
Reporter JAMESWT_WT
Tags:exe Filecoder.ABC JobCrypter

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'431
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
784754123687.exe
Verdict:
Malicious activity
Analysis date:
2020-08-17 09:45:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a884bc44-26a3-41aa-b02b-979136f5085f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126444/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.21852.15706.5749.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file
Changing a file
Modifying an executable file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
JobCryptor
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/429244
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Drops executable to a common third party application directory
Drops script or batch files to the startup folder
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected JobCryptor Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 265343 Sample: 784754123687.exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 88 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Yara detected JobCryptor Ransomware 2->53 55 Sigma detected: Drops script at startup location 2->55 57 3 other signatures 2->57 8 wscript.exe 1 2->8         started        10 784754123687.exe 443 2->10         started        process3 dnsIp4 15 tredszer.exe 501 8->15         started        45 smtp.ionos.fr 213.165.67.119, 49725, 49726, 587 ONEANDONE-ASBrauerstrasse48DE Germany 10->45 33 C:\Users\user\AppData\Roaming\tredszer.exe, PE32 10->33 dropped 35 C:\Users\...\tredszer.exe:Zone.Identifier, ASCII 10->35 dropped 37 C:\Users\user\AppData\Roaming\...\cougolio.js, ASCII 10->37 dropped 39 2 other malicious files 10->39 dropped 59 Drops script or batch files to the startup folder 10->59 61 Drops executable to a common third party application directory 10->61 file5 signatures6 process7 dnsIp8 47 smtp.ionos.fr 15->47 25 {1AC14E77-02E7-4E5...5198B7}_osk_exe.txt, Unknown 15->25 dropped 27 {1AC14E77-02E7-4E5...B7}_notepad_exe.txt, Unknown 15->27 dropped 29 {1AC14E77-02E7-4E5...7}_narrator_exe.txt, Unknown 15->29 dropped 31 284 other malicious files 15->31 dropped 49 Infects executable files (exe, dll, sys, html) 15->49 20 tredszer.exe 14 15->20         started        file9 signatures10 process11 dnsIp12 41 213.165.67.103, 49728, 587 ONEANDONE-ASBrauerstrasse48DE Germany 20->41 43 smtp.ionos.fr 20->43 23 tredszer.exe 20->23         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f41de97656b9567db858082699fb516514a1c7ac2cb3c047543ca71566cea98/
Threat name:
ByteCode-MSIL.Ransomware.FileCoder
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 18:48:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0f5ed9c64792717b7c69940fc2e3db1a1b21515b506ab1de34da534012a5cac2
JobCrypter
1367648c61fa272ebb3baed76d9df6075a81338bb646e887f2cd4ba9dc374f59
JobCrypter
150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302
JobCrypter
15c3cfbad0e3b0afe327e53605c463775ef2ae1d5c21b23928a2aa34b7e36719
JobCrypter
3f9b5ecaed880f50c6bee7504768aa9f362326666ff2197cc487f0707bff56fa
JobCrypter
6e0f67620da1ee82c0cfc0c166f2a027fdd8af9c8f4622952b19bed41de60b7b
JobCrypter
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
JobCrypter
89d2c8b2ef681c0e34e5d0f1ecb6aa850c90380a7cced1347bf9f7ed5b3fbd31
JobCrypter
b0840f04d3b97ae3c5873249a3a2f6393be99c73b38bbafbb0c7e749d8cb9a9b
JobCrypter
d047df658498dd43b18f3adaa2775c42d1103a0c211eb52ff1e312c9f2784149
JobCrypter
+ 636 additional samples on MalwareBazaar
Result
Malware family:
ryuk
Create hunting rule
Score:
  10/10
Tags:
family:ryuk ransomware
Link:
https://tria.ge/reports/210323-h7qxwsdmqx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Drops startup file
Ryuk
Unpacked files
SH256 hash:
40bbb6cfdcbe0604416c991fc0d2322e1f76a402cbc2195acae79941814858c1
MD5 hash:
00cac8be4171e47bfc3fab7b73e726b6
SHA1 hash:
0ff9655c9896627c43b24a601c75893dc39399df
Link:
https://www.unpac.me/results/e6fa739f-93d5-448f-aa41-9e744bcccb5e/
SH256 hash:
1f41de97656b9567db858082699fb516514a1c7ac2cb3c047543ca71566cea98
MD5 hash:
a96c22902a9a7c5d4fc3282473297db7
SHA1 hash:
66ee46d73644bc77bb8eabd8bbc3382524e35cff
Link:
https://www.unpac.me/results/e6fa739f-93d5-448f-aa41-9e744bcccb5e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f41de97656b9567db858082699fb516514a1c7ac2cb3c047543ca71566cea98

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/126444/

Comments