MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeslaCrypt


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
SHA3-384 hash: c582e12286f54cc61c4e7a4e75463f95cd901a7fa88fbf10def90130bba503117229fb86b213571db342566a3b7c3b2e
SHA1 hash: 8d75108ec34fd79f8336041d5ff31443cc527add
MD5 hash: 19f207b20b1d2a05aba1a1eb59da54d2
humanhash: skylark-lactose-kentucky-april
File name:GZTJoxx.exe
Download: download sample
Signature TeslaCrypt
Create hunting rule
File size:90'606 bytes
First seen:2021-01-22 08:00:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 1536:eXoKlnzpMyqDQ+IJDDctJUX0DKR+cQpOJ0ILn6Cw+9WdlIgoAG4FbrZvJdEwP9dI:uomnzVincQDKgcQpHIbHIlDRrZRdp9dI
Threatray 4 similar samples on MalwareBazaar
TLSH 2093E14613B0DAB7C17242B00DB5FB3AEFBAD65411F2638B476417AA3D26583C60E693
Reporter ffforward
Tags:exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://iffusedtrac.xyz/3/bbc.exe
Verdict:
Malicious activity
Analysis date:
2021-01-22 11:48:38 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/0bf53fe6-90ea-4337-93c8-268364a5a236

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Teslacrypt
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113465/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.42220477.4087.19311.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Launching a process
Sending a UDP request
Running batch commands
Creating a file in the %temp% directory
Searching for the window
Launching the process to change the firewall settings
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Launching a tool to kill processes
Launching the process to interact with network services
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/588078
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
May drop file containing decryption instructions (likely related to ransomware)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343063 Sample: GZTJoxx.exe Startdate: 22/01/2021 Architecture: WINDOWS Score: 72 38 Multi AV Scanner detection for submitted file 2->38 40 May drop file containing decryption instructions (likely related to ransomware) 2->40 42 Machine Learning detection for sample 2->42 8 GZTJoxx.exe 10 2->8         started        process3 file4 36 C:\Users\user\AppData\Local\...\wqm58yk7.exe, PE32 8->36 dropped 11 wqm58yk7.exe 1 8->11         started        process5 signatures6 44 Multi AV Scanner detection for dropped file 11->44 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->46 48 Machine Learning detection for dropped file 11->48 14 powershell.exe 22 11->14         started        16 powershell.exe 8 11->16         started        18 powershell.exe 8 11->18         started        20 12 other processes 11->20 process7 process8 22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 20->30         started        32 conhost.exe 20->32         started        34 7 other processes 20->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393/
Threat name:
ByteCode-MSIL.Ransomware.Encoder
Create hunting rule
Status:
Malicious
First seen:
2021-01-22 02:23:18 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
7a38f70d923669a989ea52fa1c356c5ac7ccce4067a37782973466102e3d27f6
TeslaCrypt
b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad
TeslaCrypt
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
TeslaCrypt
fd8c3259b8e80b8220c6053aa9b045676d1e3fe09356ed94b5e47fb5b895ff92
TeslaCrypt
Result
Malware family:
teslacrypt
Create hunting rule
Score:
  10/10
Tags:
family:teslacrypt discovery evasion ransomware trojan
Link:
https://tria.ge/reports/210122-s195dsrzqn/
Behaviour
Discovers systems in the same network
Kills process with taskkill
Modifies registry key
Opens file in notepad (likely ransom note)
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Modifies file permissions
Windows security modification
Executes dropped EXE
Modifies Windows Firewall
Modifies extensions of user files
Modifies Windows Defender Real-time Protection settings
TeslaCrypt, AlphaCrypt
Unpacked files
SH256 hash:
8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
MD5 hash:
19f207b20b1d2a05aba1a1eb59da54d2
SHA1 hash:
8d75108ec34fd79f8336041d5ff31443cc527add
Link:
https://www.unpac.me/results/27efaa30-2de8-4ce9-b338-77a3a63d9b5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
TeslaCrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TeslaCrypt

Excel file xls c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71

TeslaCrypt

Executable exe 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/973697/
  
Dropped by
SHA256 c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113465/
  
URLhaus
https://urlhaus.abuse.ch/url/973904/

Comments