MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Suncrypt


Vendor detections: 7



SHA256 hash: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824
SHA3-384 hash: 9e58f5762ab5b4361391123c8846b49ec8365b703939a3b2f9db041a8e0e0e7357f7ee1325a06e8ff07be7e05d2778d3
SHA1 hash: 7710f609e7623a08f0dd7cb8fae1ff38d0c729ef
MD5 hash: 8e2ccd9284e09ccc4e9eef325a83b435
humanhash: single-nitrogen-bacon-blossom
File name: 8e2ccd9284e09ccc4e9eef325a83b435.bin
Signature: Suncrypt
File size: 435'712 bytes
First seen: 2020-12-03 15:33:46 UTC
Last seen: 2020-12-03 18:00:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fc901cea0dbc07592dc00499830db9f3 (1 x Suncrypt)
ssdeep: 6144:K0/7NJkOEB5ytGGhbRPRVwHHGG8odjNU8a/qEmnsGMi7Y2NAOxe:L7LEB5ytPhblwHmVodRPoIsW7+
Threatray: 72 similar samples on MalwareBazaar
TLSH: C5946B2280BB765FF147F4F52579757B387BDA30A0228EA28F9CDB3CA0946D1124593E
Reporter: Sapphirex00
Tags: Ransomware Suncrypt

Intelligence


File Origin
# of uploads: 2
# of downloads: 350
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a service
Launching a process
Sending a UDP request
Creating a file
Changing a file
Modifying an executable file
Replacing files
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Replacing executable files
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the %AppData% directory
Reading critical registry keys
Moving a recently created file
Stealing user critical data
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Suncrypt
Detection: malicious
Classification: rans.evad
Score: 68 / 100
Signature
Found Tor onion address
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Suncrypt Ransomware
Threat name: Win32.Ransomware.SunCrypt
Status: Malicious
First seen: 2020-12-01 03:17:30 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: ransomware spyware
Behaviour
Suspicious use of AdjustPrivilegeToken
Drops desktop.ini file(s)
Enumerates connected drives
Reads user/profile data of web browsers
Drops startup file
Modifies extensions of user files
Unpacked files
SHA256 hash: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824
MD5 hash: 8e2ccd9284e09ccc4e9eef325a83b435
SHA1 hash: 7710f609e7623a08f0dd7cb8fae1ff38d0c729ef
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.
