463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604

General
Target

463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604

Size

169KB

Sample

210616-yzty5stkx6

Score
10 /10
MD5

e39a000a6c0925438b1bf9a4a9b19745

SHA1

65edffb71bc17b8fcb7a9b102952189fe13b1c4f

SHA256

463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604

SHA512

1fb459c5b06ff194c3ef399d5b2187667abec959978e75ba1c04148ff43c9bff7246bc513c5a32fe815d16915b90bb7910120bd7d9865d49c1e8e91bc34cbafd

Malware Config

Extracted

Path C:\KRAB-DECRYPT.txt
Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/b1f448b3b357f249 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANU2/Mh8kFpSiKONb72IFVdTl6V2D8D9c+vq+jPwUzbd6svv6iRF8UsOJhPpXcJ+ZP/v5Ajn5grOqVcfAosiB3VCkt+TyvgEYxrmM9lMMzY45OEO0v+bGbzBbYUFx6OXnsiTGREiW+UIUQEat80inQtSdSsP33clZB48uEbm9Ch9ulNUusfSp7gFpaEEyCkAhaCr9EUecvchFHWNk77WPT5AvEYBLOAdyvRAMTgSZqdXf36ErLU7cVeLB+7A6Y7enODofQaM5ZxU5+Mq5JwkehJjZrtujXxiTruz8PlyyeHcH4O8J8brDtqk+cHqX6PSUv9wJSUI6HCGn8ru932cZcdwgWi2K+YSa7w7T7BEm6z4MizaQNbm2CMvEHJKhouUdYmmbToiztuNaWwZ97lAcLpplHCDbMHl5x0yc1Pr/CMPCvWz2Rq+1rYo5fRuT35yVdaweGDoWU8vN1cLinPf5iIZ0j7T8BXpaIy+IpyCqxN8QXnWAaHvKuhCpLpYMOnUD75FgeYUOaiY5W2RY9mtQSio6NtXGOLIjPuZE0HO+nCBz+CCfjiOmh9j8lMZnScl3ufa8TIJq2kJn1otVQ1G15322f04Jp/oeQl7cR7oGm0vF8g5GGmZVsozxTU8YHY3fjq29MfncnjZHh3rfDb8FZkIBzNeuHz5y758BzLCUHZXXzAKFupfWXQUOTBk5C6FvAFFT/ZYC30pTdz9CGTC8kxwiUIYlwlp9c1AP2Kf3WVLZFsmngoPwrsqIUUlzC9AFJmjftOLTGl0xwadql1SsLtegYSP95d2fh/Ltq/lm0LLNi8vjq8n+SeCD27kBUMa1MH/A6/IsZ6rJ91Tkec0muIUEkp99BwdeYD1cyrVlxbWh1ujmuCfTHm7a68jwIcaNp9Ltt4JNy+o0I/Lu+/WHxV3ZTzztPa62WDMFkR4IUTazAWQUs+4zmOQjrt++7K3vr7PgX2GfnzkOxhqUCAaqz+XsOkRob5GyImttPODCYsGxJBJTz6fqVxXaaxUxeGdKgNP+sDEvJMQwGtR1Bs2PyHfv4FPSFH9I6r9V/a+aKWzvMXOgmQGUEIyfksgcs0rsS5ihpgKToWwokaEpO8/7E3uNxbYNs8tkds8BN3wo2hI+bJTKzXv+aGGZ6tiOipUPHxTrSKcbC2TFDc6qpweraalvj7WDip3Bo9yxonU3NvdMxW+5zw603M7BXpN9lZfPMlUc7sa0o6SxoKQtbRRHOek3DylVWKgQCILspaai3flZUT1Jw/8SB5bD4g8o/89S1h2DHgEHFYnu/qTxIjL5MrWNOI6ae3oowSvJl7/1jUYOShj4ydwZjn7RpoAPPY9AEmTrBBTfFHYLUw781XaJRBUXv49kzHmssR54sueC1liLocQumsZ0EcKOnzdO+I6VHAnvIrukQOaf8nHUC8Ju9bnYv4SLcpGUQO79uPWE6mNbX0cmBwwN+GiSSclC7NDQJnJVzGQ7H8Em1m44e+dbJU9Dw5p4lwotO5yzXEwsmJDQKRCUcgrWjsZ0Rk3gCZbVOfX6i0T1sprn3WlWKQjYG+UIWFqDTLju4+PUveGGKqjEOIEJ0+vUTjHGS1QLyCfHp6hMRiSE/LquRCbE3UNKyOZ+yWLftdePH7bO4unrJ3ChJ9rU7KwMfqPL1PRXjLdLhtukmIBHoDqE7WwNxjTeoW2lCclcGioRGJU0babgiCsjmOzHnvyjuIOM0P/w3OPwY8FjLIbUmdlnm64oqqwXSWLTTGln1p1k8JnmdIUIwI58Sdg3PswU+8PWiM2COtm6zzgax/YTuNiuCPT2K/aI+H4s6/sy0CudHCNIhHpmQcNap5XHU2OOvuq2BHFonp0ohD6qopAh3DHxtScBY9QgoFO/ujCz+uYWpOElU2qKX4JWUNFrDRZxv5K/HBi1UvWSwwoaCft86vyHEMb1i/Acfi4hmCL+AzO4GswxchTubMs9OuQo6xCofWHXdMnt/jTz4OZwGQZFjU82Z/zGJQ0Pd32FX35sRTWzbmw2t7hnF1SpZrNOkAYhl1Di3vQS8b6QYPN6IsryNVbPCVBv1M3SbEC8xzMgOnNvL1iMJQGVoQyV5ssIi2eJv2czvaiZBNj4x2HO1L9MwmGqfWDlIHrhET5Bga+SpSzcEY8jy0JskHEVVw2U11dqwpIrAguMMkgXDfGzelrgCni0WvwKtSCbj17gTZjv95DPqfxIRpV+KqgnHYMe9q5X48zK/iANX493kqXOvs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZaToVRvHYU7mFWqLfbTG6Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQocHZ/P7g/X/rG1tRzlzbsjcBAGngul51nEd05CBIxSw7QDMkr9X00SmPFCQ+oka0tOdi8qcGns7r357BijLErkRzB7eL2/2c2R+siGt9YZFrRBiTt/xHVEdwbpidE4tu4P6boY91yMYz32S+izJRoTWUqGFPGJOoJ1pEcwL0oBhPPnKs+D+5ZAL6fj2E1g65rIA3gxAhK3w72ZibpCRFM3vzLN+as1wEZM3QXRlOKajmI1gXgeX8MmU3fjiyxQQxnz7JBlpawv3IDVY/peTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi2BYtMe5GkHskOOL+XRYYP+olzV/Dut7OUzJr9 ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/b1f448b3b357f249

Extracted

Path C:\KRAB-DECRYPT.txt
Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/6fa755ca9d8583c1 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAANz/LpMeLMaqWLO5no/F/+BQ4przNRO3yFNV/GFoP6SmpKDtNxHP25KOcxJc23rzj1jSn9dm7QmSajD4vqzIT27MUmjtTLpIrT6RUIxEHSQHTO/yyPOFgSKhfElHyrfFvG4bclNbPEtcQJKOyznbplpInPwlZILsjSzXrgtvX23D/wPuVGhZ855xw0/SRIURZnNktrv5yhXtzbKs5Row5P7IjytBpDJLMqPY/V60ziuk6695m8Pz9tf22aqNQMxK8kN+17ol7c8vAcFY8DjTmeCqZJVaCtbbMNgUpLjLMeQ9Mu5SYKBRG4rRK407eNAYTYsQ7K+piE+lGyeBI52Mwl7CWrgET+rS+x3L4QB4jpl6t9m84YS7LXHUa486F3Xfplo/z4lWWWrU7ZEmY3kbXAg6Dg8xmIaFM181mUG21MCsTiMKY3w/5bHZHtlrP92R6H7YnNxLDXb1kVHwMZcgGt7kY274zdB9xnKpHHyWRfLYyxqZZg1umvncFd0mluzwAmIxxbPOvfM1oRPBT3NXfCjAHHMUjhvDkxA14jZBng0qj77o/+IMWPluJRW0Jx3/BcD2HGzuwln+tnasMD+l9mHVFrfSier+afIPv/jAX/Qb+qZXsUmBEGQHGnemAWpm1y5JBkwuA2ISGDuYfPOjF/0lbMHWCECSeexc4hFcfJ+j3us64wtt5/YuvjMOaLZL0xzJLPwQqKIct5yhWo4Em24taVkFPXJs6ZGJjcWhvja5HiQ7+FqiKT+JkDy8TH10p0qOhG2wCsU3AFZOXk1X7oUG+MTOj5trFoSpSK4Gr5iwKOJQQ8Mdam1ZfXH9WEwy0NyXf+Vi4YT2NEcu1tOwXe2+IbYDjgzu1a0AQ7mslcjXJZG3utOe/4JK5NwtUEk5gsDZiJqHG37gu+8p6agobIYbZ4Abi+hCF8AQ+Xx+vnuvltMeOjwuCBbLxk7T6GOAuvjWitaY6ocuQ1NR9sGsj62wiybeO7bae9j1LTRfcVGm4+KAA4fGwxjv/z6AgVoxSgaxFQp+XXphl1MVuwbT4b65WY5N4u3OZJpIxOPWXK/sHimoydhyu2qsVXcKc3qrO7Sj6L+mUuBFoWUkN7EsTjy8472ew4HKW/mSGGSbvbKSpKEXKroRCZnOFBRLtq0HzhwvcSJmaQDYH2A0ffcMdWW92JBthGeR5bvdAptR8ylZzeKyZ9izSUSsCR7W/ftI3OCCW1W393dfIFjT//WFDzDEl+jZEfv5sEMQ3BjF2/rI8C8Dw4xcFyzON6ReUNr/Sm7mww1Hjom9JF+TbiUT1lmuRkxENWDoYhubGO2Dhwfqo8RKpkpiR+YpZmiJbNoVZuJqqkcyeXYaOyoN5j/nS+qYdE5VYUjR1pr/GBzEgolOYkwSvOmsMtKx5f66HZ45QgR98f7OZF6c8RfQbkfrSo09l+5VLS0NjZPAnFg8SRVLODLTfFnsIWV0qtIRjb/DDvGVd4ZwBE27ld2+MdFWZWRmG40PtOEj9G88EhQIWlecWQIOFrp899nl5JvhJSd9PWnyKtRC9DqXruQ4HhPAY/6pDZ8ezkQt/3/3QGtAvlEo+NAbsuJYs0YHEJY2CPaP6eKUVc4dN0NQg6zITsfsZKQBPSA99h1Nr0B/APk56DlclcLBECd57jzMBikoWh0JMdwOlqK9BWmIk4NJ1/hSYMLXC3qX5xypeUQe60VNZhav29edBgCkyokxtFZlLNFGmuxSQuCdip8TrQ0cSsi+Q2bE2xZ2XrqXYbrgcU1wqDQLPSOcR4/bB4Pt97Pt0RNN9+M38tuPnakcW55H6G06/c/fzzxQf3c3XKTrBZVylEVXQvo0TUkw8u60k2Vi6M7zr8HM0ULhP1CDM8436PBDoLY5dgKxaTqxbNxpzqsrgbJPUyDaNtMRPfUcxN+MV3N1bgpLzE0GMs4tanlnTMGLj9IH3psLiETYppnrYWPhDkvqyqco3sn60qY51+tq0+SY1nI6XENCFJ3DYrilTZez9EJzSQbWXxiHsuNPT88ZXrNTOwRyxUtMzU2QypETQ8qaIJLQW90mGth2PjJaujcXFpVF6DmhHJyUSVJo4PQrsp3qB4vSo6LG4NYuniqNcpmRBAPnbZEkQVrIKgvCU5taY4KcAy1S8Imv1TxPksgOYQxyvxi9vQXj4EBmQE3QWALgQ0bixvIV2nJZOSd8DdN5Nc+p0VDZGNdu84+XXnGzQiKNQl0w5tEQpV5XF2bgnFj/SF83ECk= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZFTp1Rs3YO7npWs7fRTG+Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqZmnprr55+pi5rF3kRvBseKt/zI2GesjGtNYb1rQBibtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO4JIUJo5FhwNYoDBPInKY+DO5AAL6fhWEzg6trLg3uxA9KyQ7/ZijpCxFb3qzLZeak1wcZNHQARhaKOTmD1j7gLX9ZmUXfmSz3QV9n27J7lo2wqHJXVdHpIjf5fBAcYsBiP2hNgH9AQyDCiKYGErrtc0j2BYRMPpGkHsYOIL8= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/6fa755ca9d8583c1

Targets
Target

463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604

MD5

e39a000a6c0925438b1bf9a4a9b19745

Filesize

169KB

Score
10/10
SHA1

65edffb71bc17b8fcb7a9b102952189fe13b1c4f

SHA256

463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604

SHA512

1fb459c5b06ff194c3ef399d5b2187667abec959978e75ba1c04148ff43c9bff7246bc513c5a32fe815d16915b90bb7910120bd7d9865d49c1e8e91bc34cbafd

Tags

Signatures

  • GandCrab Payload

  • Gandcrab

    Description

    Gandcrab is a Trojan horse that encrypts files on a computer.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Drops startup file

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Initial Access
          Lateral Movement
            Persistence
              Privilege Escalation