9b5b364a32c759ada38bdc4cbfaad3ed8dc333f87796e27eef52a96d43c821a2.sample

Target

Size

471KB

Sample

210726-6trmjvfj4s

Score

10 ^/10

MD5

335859768d9a489eab3e3cbd157fb98f

SHA1

18c379b521788fc610623129ec3960de0f15f19d

SHA256

9b5b364a32c759ada38bdc4cbfaad3ed8dc333f87796e27eef52a96d43c821a2

SHA512

69576fa9a499ce667b011a9108c4cd9c276992709b89d930bb6bb8afbf28adf696faa391e7a1e928414a573f549dcccf43c91862a7017be914bcb1f10fea206c

Extracted

Path	C:\HBTFGVFTN-DECRYPT.txt
Ransom Note	---= GANDCRAB V5.0.4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HBTFGVFTN The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- \| 0. Download Tor browser - https://www.torproject.org/ \| 1. Install Tor browser \| 2. Open Tor Browser \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/bea656dae863e17b \| 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAH5EPumP6txJdN/AgK+adwGdoQRg49Sox8U1W7pzJ2ey1ChyS8JQOCLZ21HnPfB2AqOHELK9N7TOQKJXxrqg5k/LGejXXDhFoBSPjdy7HY6nTLzXBTvdBV3Swqr8D80zEud8qIDcBF6/xOcmeUfuq2GMiXuad/mmtVKit2zeShEadoO9+dTDZOe078xx/P4UahHlq4FMR3zIxVmTCwXNnBXdAG/Bss4ClnLmo/JMdIghFVqEpUQodmSBjnMrVtvyB502+/chjPub+NXMepTMGM/myj0Mbgb2jJKTi/n68nHre0Zk5t6PyiVqIW91XeKtRVrlgmZFgZ4E5bCJVYTBz3+7nr9upnMxluQd1lcTrpuuWT5zUvDmtfuUg9AiqlMLclCYU3LUHu9iYZWmg3Ir5T6HCYI9Rvv9TWw3K53/ZKGF8hxBW+kTEiByps247H6jlptThrMS1mrShb0Ul4LdpEz3jye3vdFfx8VQvEF9/yCq3wMic+4QoQDycJDuUO0/uv4pN+TPKPnU6hCWKIUuqS+0KpdnlPUY8f2EqvFDUebXizhYw4k97eGD68asN1KtxiAFq6i1WX8Kd4aVpGO3Yd8pAHuOsbeUf3TnXEWGGoplOiDAIxSeWUSAcblj1Oj2Ms3xZuaN7/nNwYccZ+3S+Ew7qdu5UJAZ+P2QlUxMIowLsFNmSdNJnCyqE7A+ZmxjpN5zy8VF0zef3DrbpgFFT5INI38KvwPz4BbarcCqYlR0QVcEBzBuJ55Ug/K1pGk/4dqlFRltAZluilRkLoz6i46ZLpL/8+MzxkgH1meUa1ORCdwpCCWPr+by6OBywtUVXh+JP9vfHJFA//5Acx+7kTa8Db4Du5M9M/f+tPc0tFhH5JivY8E2hhOdjB6QtasGG/fdZjynZD+MCpe5DgVpIvFrFrkVwyllEdAU3zTrmj3dogQUGIeneYa1G094l71EGzZVpHCfuu0RowTR9p9megdjR/iKvegjQoAqBcqdX2hk++gxO5N54C4AHiW4uuYLDPr0Uh7IB9OM7Ocr7XymZMXwJ9hLVPyHE+SbQtGlZZxXqO9ehjecid7qP2+YzpUHOBUztvx2INXa5vLr4gsPd6KJL2lB2akAt0sgRqcz/v8CoOgw8/pKip3Azc3cN/wOEAbWwFvPMIFIQO1RqzUJbd66+cvDTeui9EYxBL0S00Bp8EIT0IzWgS1HDz4vAzx3abH6Dg50lepL1Uc/5ykvtXXqHID+KDUD8j0zwvmw9OOpsw7HbDon24h43+OXYpbRrD62BDKl8d0D3nPEU2SeNEfARnxgXGyvCG2cdBdC/08tLmJ08iMVBcZdPf/ty+dyln8H5nc8j6x4YVUF27c5A3yBg44c8KODSr1CYY+It/1K6Plbdov3V/NbNfPaRDQYJwncZ2P3sLFaSoS7OxuLOxeg+X+4v/fALX3GEr4mFvwQHxaq0UTc5VKnED3y0Kl8+Ty+OEjKmf7wwtlkrkwo8tkVdWXlcbLvcSjTshqUjAj0Q1l1zJ9EfT+L6jb/2omP5VWLrvNL6qVVBvBpUR/u7rakSOHyKxw5r6d0XpDm5/qkpBwxgd8wlpLRsLUKuFnxSXz0To/JoJkoCvslrXgrHkrRwy8hyWC/C4DJVMavK8erCX36yJBEuIyQ604t2fZs0LjWOla73VUqBzBIVFYGvxKNGg/GewNZIfH7OVhhowIIkfTP4+ebZrk2cJzJvnOshNz+rt4EsyelCoWrj2P+xlneI94qaUjs03ccOpDy/Xw6IY8R1XfHdAtgH9+v/Z6J6DQ5DpfJ8YwgQDXEJzFxZ+xxaiP8GIhZeMqtgztnRzWagjpJPpxfdWYLN1PU5V1+Q0nVHj3ziqmCGJHaN6hjmrATp79g5bcXL5Vr6VB6LDyfeGJjA1BcpYnBkLFpT8LnT//SzBa6FxPH9C1txyWejB7dGp/IqFQG8cEbb8eNstQKVo+9xTGdQcaRYjOODEr9MFJUZ8ER1VbFrI7P8yzCj6+0ZAfWsfYu/Yiyh/a/HadG/pWjW//XCS0016wNWPEUJ89DWePEfZUnxKgn1HrjSgRQSFUM1Q7oeKsOC/mGjqfNwQ36ufugdMe2mf4iQ5XergZbZ2SqKuWCkFwwpfpvWca+ltcJU4rqLUaHgekFNO5mMeH/vHHCiF4UV4/p+kze7FO0ZvcFpWSd8Fet9Q5TmS8iTOVa9dnTkSN0WFmnq2rltex9zSu4yCLTvGhdw5tzWVps88U= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 5OKHmU64Yu8xMSBJy12WX435oYia6aXuRiD/hbaJONJTp/mwyrlPWz79+KgRQLTXYSySc3zpWg1J1a1lWnbcOtQwLkMR8x6RgcHh1ZVyHEpOqc18N/UOsDiIeA4OvFgLjbDeONt6goeS1heWRfRRbXUdsx1YKVrPR9uaNV3DMbkORCqfcaeWmo0qRZoHIjC7teFwB4rCiBei9EKMyC3+wVc3su99OIGFnTTWnHsUHgLRVprl5yERzSonjMun2jo0GBMTGJE3MHTMDbBl1y954Mi23P0QKhMCmxA5eCSk4+ZPn7kCWbMStL7SyA32i3CRTxB2dVFxTpUAIV3bk81QcVInpwMlHKssHlmhc6AShBgLMvxtZVBlHs4ujLbozxMAr64u2W96UvEsOKYXjjq2xPkrqAJHDCs5ZRaj8Dn7EL1q5JP7FNBSfEH4x6BwqzuXPkZWKJ0/HpP2tevwQEcci1nnLeEnvmH3ZpsdlKjKoXKe/LU6HfWD2dKK5qW2uKM8EhYM/fBFwLbrS3DFcEYRb3GvX5KlkANtJMOHBSxak/7rCgJT0PjTFWcOB0BTO3LLgM4E6Wv2ZVscA+7iI4Y= ---END PC DATA---
URLs	http://gandcrabmfe6mnef.onion/bea656dae863e17b

Extracted

Path	C:\HJJIJB-DECRYPT.txt
Ransom Note	---= GANDCRAB V5.0.4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HJJIJB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- \| 0. Download Tor browser - https://www.torproject.org/ \| 1. Install Tor browser \| 2. Open Tor Browser \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/482c857a8ea94c62 \| 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAM/zpQl9QHK84HUAo4qCLfUMkFmvcWSRASpsy+IcZ0KmayiQY6bX8joQJbyoPLaA51X3kYiGaQwhINW9Z5x0pYYrVoKsSL/1cqAZsLLYrsaH5iko9PqFF+WZnhh18ObH/vXvTv1/cUuuovUE6NyDUMhg8gMCqdWGXZL8coUaibwfXDIG1mzXKY085yQCdso7lPuMLrtJguOaHUKxEvv0S5BasmmLCZ89QeZqlaP3qMR7pNlh1w06S5W3U3iXkjBuN8HQISYWjPqBebMRBGHorbeqX/vMdPZS9Qap/1Nnpy+pqOcUCAiQVuVfQzrjKng6FPBtAntGFSnsSpt9OKMip73MIShf5YEzDGEACQ1zbiAu81qQ62PBZwjsGCbh886sCk+W/bJDObbVwfDTZxT2S20sI9+sF5qwS4bdHpyVkrfVsh7igzzgVuzkmF7vAitfyVsA42IOHXTK/s7QA0/cgsiSqyR9bwccfljKyLrNQPKslIWoYXHRTtDGMr6H7xwDhR4V32o8NPMyNkvu382Y74p83PCiZMw/Udv/HevZpa0Ys5sCOPs9zFmj9eQVkC+/9foryQc2IoXmPzANiCOZD3GQyTBixMuVDhJV65wgivm3LxcQLcCfc+sjGRYUxw3pL7wtKVmCFDYmyr8m2qUkXTy7Ykf1MrcdwEXA2ibkGdlc+y119EfptzMhhl2SwJArjGz9p2HP4wx65ywQsGKHLpUkbqfGKUSLDqykbCx+MI0upGiXeLIB7YHLaBQ1DpJG0/1VSoMRG33Uah5ECOTmpO7MHkoTo/m6Q9MD2gmaYmnhY/2pAJwbF4ODjrW7nCHJpwYgbvCzNvBBRmCuMR3qSjR7kfoxNE7SQCp2aRUhVGVXvdNVT1XMJjYQ2egxLLc/67Br7ug1YIbVUBCsYjtLqDN/g9vqZhnt6ytrc895DxZmuEV/nc1FDYT6iABJevVGOzgSLf61vwlh+8Buq/aP2Nt/GkKo2BfxKKHij+dvW4GiNdXb1cx3fx0fJ92aM2dnpZIlLZ2iiDjG1Av/k0dB7VniPRIJP3ZADnxPUq2SS8cfxOREogGrpfcinYjCTWvzzmCGIvbHo56+OAp2uqm6x65VjN0MD7gam1UokxIegkgHoxPKZj4out+F0FUpm3HPluqyDNaq8E2UzaKI5aFXXuhRE+8ulbykxpiaMT60E43J1nNGgqpFrY64R/yujymG1WwqtRUxFSsFYlFnDwz1tc0o9ho5qkSD45ZMD2ak56THqBrs6QOh2o+tQ6cJcFw9TaZxpA54YOPl3nvfhf55SMCiVl3IX4xS+ObCXyD8cga8fxXKrY8sie6dsnxkjw2m74kciNHz1uZsT39KZ77M1i+7hbSuJ65WaI2dKrlI8iwEI5+MUcShZlGPhCoSDOQyMzYwm2huG/w2XxZPzF+ABt5gp8gDggmmgegc7Y1Lgy1AmkeP+UN6WDClEry/WhGVNKxvkvhpzLIOPsLwPQydoX2k3njOLLGLb5CBYNRFZwUeMJzoG9yD3uZVQlbwFpCGAXW/9TKz2q346Zz5mI7KGsMXWzR9HHY5UKIolDcxsuyhR5xXJSFo4MnsRmF9K17x6Cjlro1sl09C6sReS5sBYfxZZmjTN0/kQpGnMNZCjHYu2C3v3n4skVCTbRge67Zj+O8c1WqNRmRPDta45hemcq7NhvusmT717mSovO/9Y2tNg4FrDwUYTd34xJD0lk0r2ysW9U1yTOGiAe5IfhT7d+B9Y6vT28Ry1pWg09rZZtBHiGyoJUApOsnjp8I1MhuJL8RvOBK2lJy2kIY0tjx468K1aHUjhxXIvC7dxCIGiiV28H0a02d64dFnmaShtQBiPmDJrg+rdUM9+aGd5z99X5i4QHO62wLq3+1bDijtY3U/JBuNxenja7Q6wIe0SWlNeo3xomPQfnO9BAkySmvWCrEIoMjkyxQxcMRXyzCyD64/UzdU04h6EzaWOSRGxkvoaYVHAqp9q9DZKOJsmjYUMOu22YyzEEMhpYvJNg0AyoaXnKpZ82XJ/Eu6iIFbk1Yl3CwPDAXfpA3hFEfO9mhd75RE7GunNnDzAN8LUeFLhKvZxsfxpWBgzH6ypx0jULP+KDykGyolz0sz789pITOpotSCjkWVeeHQBzGQ+JEklKLeweMd7+WsmkQOjlA9Iy03v13MzNbTNFpxCXd+ZsfTLC03ztoTaZEgJaPCJpjCeIINlRe4+uvBhR5a6JBr3iwA9ZwbvQo= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 5OKHmU64Yu8xMSBJy12WX435oYia6aXuRiD/hbaJONJTp/mwyrlPWz79+KgbQKDXYSyfc3XpRA1f1aNlWnbcOtQwLkMR8x6RgcHh1ZVyHEpOqc18N/UOsDiIeA4OvFgLjbDeONt6goeS1heWRfRRbXUdsx1YKVrPR9uaNV3DMbkORCqfcaeWmo0qRZoHIjC7teFwB4rCiBei9EKMyC3+wVc3su99OIGFnTTWnHsUHgLRVprl5yEXzTon/MuF2ic0ERNQGI03MHT6Db1l0C9s4Jm2gv1JKlQC4hApeCyk+eYBn64CArN5tPHS3g2qiyqRBBArdV9xKZVcIQ7bz80KcVInpwMqHKosS1nzc/MSxxhbMq5tMlA9HrwugbbMz3wAn64P2U96MPFdOKsX/DrIxJYr3QI6DEA5bxak8DT7E71z5JD7E9BSfEH4xqB+qziXKUZSKJk/GpPwtfXwHEdBi1PnKOEjvnX3LZtOlKPKmnLK/OA6EfWU2ZGKtaWiuJk8CRYb/aRFnra1S2vFM0ZabzOvApL4kEptK8PZBW1a1P60CkJT2fiWFWcOCEBLOw== ---END PC DATA---
URLs	http://gandcrabmfe6mnef.onion/482c857a8ea94c62

Target

9b5b364a32c759ada38bdc4cbfaad3ed8dc333f87796e27eef52a96d43c821a2.sample

MD5

335859768d9a489eab3e3cbd157fb98f

Filesize

471KB

Score

10^/10

SHA1

18c379b521788fc610623129ec3960de0f15f19d

SHA256

9b5b364a32c759ada38bdc4cbfaad3ed8dc333f87796e27eef52a96d43c821a2

SHA512

69576fa9a499ce667b011a9108c4cd9c276992709b89d930bb6bb8afbf28adf696faa391e7a1e928414a573f549dcccf43c91862a7017be914bcb1f10fea206c

Signatures

Gandcrab
Description

Gandcrab is a Trojan horse that encrypts files on a computer.
Tags

ransomware backdoor gandcrab
Deletes shadow copies
Description

Ransomware often targets backup files to inhibit system recovery.
Tags

ransomware

TTPs

File DeletionInhibit System Recovery
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Drops startup file
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry

Related Tasks

behavioral1 behavioral2

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

gandcrab

10^/10

behavioral1

gandcrab backdoor ransomware spyware stealer

10^/10

behavioral2

gandcrab backdoor ransomware spyware stealer

10^/10

Extracted

Extracted

Tags

Signatures

Gandcrab

Description

Tags

Deletes shadow copies

Description

Tags

TTPs

Modifies extensions of user files

Description

Tags

Drops startup file

Reads user/profile data of web browsers

Description

Tags

TTPs

Enumerates connected drives

Description

TTPs

Sets desktop wallpaper using registry

Tags

TTPs

Related Tasks

static1

behavioral1

behavioral2