1164e122800fda5ad79d422710877fd9767d44a15e69f3c28e9563ff3e752157.sample

General
Target

1164e122800fda5ad79d422710877fd9767d44a15e69f3c28e9563ff3e752157.sample

Size

121KB

Sample

210726-hca1byw682

Score
10 /10
MD5

da301085de77edb94e279c81bcbeb65e

SHA1

d35f76c16b7665bf7e3f412250ebc4f38670697f

SHA256

1164e122800fda5ad79d422710877fd9767d44a15e69f3c28e9563ff3e752157

SHA512

00526408f5d2557080d00ae31d3448bb54c367ab3f23aaf830cfbeca9261a30292e0f95899ebe529e3a2712e5b2333765daa73a3f51817b185cdace6b0a1af3e

Malware Config

Extracted

Path C:\KRAB-DECRYPT.txt
Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/7cdb61ddedc3b851 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAABBKrKM2iXGSfFajvqrEhlHfv+MoB5ot85/oRKdnpboLIZ96v6b63M9MemhmchrqS5MK1QKNOIDbnOx5fl/KySqrB8vXrSzYQZ0yLtK4z3WivhqLc+HQeX26DzrpkIRdgkqg0Y8HBOEJ5ji/Gz6bM3kPxFxRmE6095WttEMjqP3xHC9QDYfvEGGXbfOKOzpWpdZyht1+ZAWIWyJp+3xGd41QJg5q8c3VKLtoCn1xi25uLmiBDhAYmaKisFMOiRNhrYGilIXH2WZcWbCmXcqEAppwPR58D+mbSYKAPQLKyj8lESXCBFpxaoF4sbUGIa9GWCNeDMMtRF2+3UunvAi/S6S/Gf4uUYGrZ2b4nC0uIaOBL0tecOur1H9LCZLHbZbSwVlyiOzJEV7EWqzjfFXWsBaYNWWTDT33CAYNx9owTEHo6MYOzu36eTcGD2OaZVaFdcl8eae/UxXTcEQcvEjBPqeducwdj5zW0U8o+vt72QMht8AaKMVa0X9QKjMP73/MELCNSuBy8Y/48uL6Dt6WFZ5D+Wpyjvka0j8xklzpnnXt3KxDQTwVnSL9nw1rYZ9ThNBTY5N9IpviokQDvjwwYjOUOKvBhyTkp3x9Ac8e+lobiQwHut0ebtO8isrQINV3wY7o/HlypC6f5TN2f1dCbUZWqflSXEJ62JtATJq5TNNR6ur/yb1QGqVFt3tdJZy4/WUEJnAp2aYnAX/zrtVRQCBUsf3i9leyoI+QorwxTWTh+mq+e/cyOVB+JLixwsNKANgrEWgHwt6E0EBoaxu1tm7tsVp891HggeGqk7W/PwSVMagNOWBZEMi6N4sc2EBLmpFx5lXTrd4HGA/btSGq3wsaZF23Cz1cJxJFNbohIVBx6K9rCvjIY5ZmdDxwaxh6T47MNBRyVYyZQ/RRd+DAel5m+BuWt9elHeeVWXws6+J2n+soJ/0uLw6nj690nFFxRxvJnUK8UBAGBlQTzy4KlR5xTAvIfGmFKinhmUBWoAIaBNUKJye14+9+tJSzDENAIutsH/askGWnrYc7lsupvwOkuGW4iJH5bTWXi4q4BBTiJ3R068lhMgMx73W7baDJkvzP0J03BAlOMNPTfwlRtHq3OISoUmYhJra9o99r40NvyHzwlx6+a+fLR67B6xsNH1XDZK/On3mfwWzg82yIItHqTZMgFMs5BteJehyPMmygUxmfISHVB1C2E4EmYDcJEzVpwqp1hx6jUps3UO9S1ioKJ8tnq/fNCNS0mpnZ4CbpPbXmjRCVCz0lXs8ZEhVKCui5PFBj4tb5NMg7ZBwFHYpuEOokri5EXd31yvHgecwhko0D7LO/xSJ38wowJsMfu8cJUMZUrGRlgrKpM+4eAvhwvCCEFiRNF0SdHRyz1DDTReQQJZdCROdMaMCRhtcKml0AwWVgLfPs4TgNg1FriVc2eXXR6aC2yAyjC9G08BW+3KgdfL8xIuuQhnkD8AcE+ZTJuTbVTu5t/baud3RNzbd30IkUfhc0yao/kKMdB8HwXP3iBAhnDN3owRtwUgXT00MCGG+ljpHsMMAQYppGI75LDf0q6BhiFpTh4DIE3wYU5tpEQvOOV6SFOQHLP0cZu8mJXHy+Nbz7QWQUFRnSPJOzwvipQsEad3xAx+nwAaR3R8gBu//kL3nRyt0tz50yt/zf6PtX3St1UM7O8L5vG5Qmi90+KQ9p6cr9NzNVzfl3f9mwpv4nstQpCbN3Q6GPIEHzfcvODIrgBj4QnkN+azE0zBtpdNShNXf4WJi9UJB0Ldxd3shmrobnqVQUb8ilGZ2P/4OT/NRP+NeNDZz3seQKGOLIvXpcw85RC8ffIXLTYO8faWj1g5vfF53B/OM+KBroOlFT7OHWGPjFbhrg2/hx0XiTmFCmpUE3DntjL0+P27zX3vHtADUhfjYsox2OAHaUCkePaiIXokt9Z7ldLcU3b4DZVzR4DodrA08dEX2Ly0jb4b/V2S2O6EWCErO2+st4EO36S3+doNGUbH4NGgLT6m7Xs6VuLAsuAWhJPEx277mAbVPuH1aQhR53iklgMGTZD8trqsHG7wPMZ7ihR3w6uBt2N3HaF80VFvz9naoCsBkTfysuF5BJn3GnWA+6SkAI7BKZuEeux40pay2MRQ3R2Ei3L3NRXP97aVxxNlkIjEYBaOq1fsno3/jekKsidEMKh7My8eOXqISThtwIHUfZGXW5UPi1cKo/zyLBev6K01f5EOMIQzA/MQXnc1uK4imkkQs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZaToVRvHYU7mFWqLfbTG6Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQocHZ/P7g/X/rG1tRzlzbsjcBAGngul51nEd05CBIxSw7QDMkr9X00SmPFCQ+oka0tOdi8qcGns7r357BijLErkRzB7eKj/zU2Ret0Gt1YbVrXBnPt+BGCEYoboidA4tG4PqbgY91yMYz32S+izJRoTWUqGFPGJOoJ1pEcwL0oBhPPnKs+D+5ZAL6fj2E1g65rIA3gxAhK3w71ZirpChFN3v3LN+aq1wUZOHQWRlKKfjnH1gjgIH8AmUnfmCz2QV9n3rJrlp2whHJXVdrpcTf3fBEcf8B1PzBN138UQzLCgqYdEr3tIUisBZdMbJHrHpsOar+fRYoP4IknV/zuuLPFzJX9aXZZh5Iz ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/7cdb61ddedc3b851

Extracted

Path C:\KRAB-DECRYPT.txt
Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/d5cbddfa99bd0cb4 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAADoWNNy1zEwNxJ068GdiKPSCxCD1XtHDdnYlnIR3895s68rfmP2uVryHBAazh9j6wl2jlMrNDc27YKUc4prRQErJhPHJOQKqqdVZtE546RLJ3TdjpPnZWjJWfLrTQrq6zT3y/yyIyLSrpmkdcXxyVA88OzBvzvt+mG6UYwwoil9ZRk5dyBocXwA6U2glPnwa4sPHnnO+wCqQIg59EHlr+JX5TNeP0977FGcuG1alLhr3sxzRy3PPRWc9xLCOQbg7hqMLO37yTs611csS3eRr86kMu6FQrDv60Q/KvX0DdN0mfrB6dBhFNGKiyjof6fPwfMcbjFISLrLMJ2d8DHQ1JrEFCGGgvLVuzica09nSsm8UXHezZqlBybiv8Bp1hKDMqbKMU4vejTkoTu6ir0GM5IqFmm4IWMQvSrPVEJO2W/W8M3RswDfFxJ55e8uCKif4rz22ACo0W90Iur0639VC7rY9MgR5W2f5YFOw66+t28KIkVrYf9EOzHRvnuIkpICBMSggpOjxMHqlei11ovQCp+xvCiQAwu6KuH6AoDb+Zhkj1pJ7fzBGGwH1Z6Mdada4aWDmHW7c9+2qrVyri6KaIduwyTRAmYcyPnJdj7c1JSdy2g2WQZsVSHiwxOx0LksC+Ji1m3lI2TeMIpWN7Y0QkfwZuArMmiWZrejpYubyTIqf/JIC+/nZkcbiM9i/se4f9mymm9mWFOKVh7Giru2gx3UzeSCZ1++EjVP1oj2DUbtMuYWIkUOAhKWe1+gWUoi7afhmRM+ZB/nU0Te5uwUvDTRM+jGKhVxTE+ddMjjED8APevi1h0FIF4hQaPYhU8LptRicEbzh4DWAX13PjtULlEoPxMpBkufBKSQON8luzftajbJJi6lwCMt1Zqoj39B6ekdZTljHnzvteHa2s2YFtlh2pnS/36jBxCnd88RrDL2++BC+lFo9BJ7Sp/meSJ3j/QR+VoJXd9HNKHOwt1+kn1fla9Kd067nCeEzxmnZjzhS1i0I4AsObYZmzLehGuuvuedg1LUCCRAgl+5KohSvZfbqLXenxG8/jOlCPzQOTXp+w97WGZxv3XPhq7CSzMNZeqC747P+7dGd3TTpEgnLpb0v/MzUdBqoSwAOvzUK3ouOvWvHqMX5w8FYqDQlA3Wv/r3Zf9ObWspN3GYbpoe0BoqcWZwH4oRpjpk5+frg9FRS2WF7LpBo9CXBDbn5KSGxpqLmE8zB3VjC9CqHA0YiUfLU2ZwzpQBcyWLEW/8RzJh5Ev+AMZmGT/8lJFm/KdVDf0We78Kg9CtR202fXFfAMu19WeFAvaSSfKEdhgURvl1vD9v/HDiq1Ej0ok1bq8awA32C7kvc6yKOczOS794BKPm5oZxsEi4NBPSDzfrMahKqYHac5cei9COagUpvanvpQZY6QMSlMELAOq6a4nkJBetnz2YchDYYQ3YOw06o/hqHRJMn6DOjt7A7e4e7Uo+feh0d1MmkaNXcynmC99WakwoDKYJPFyGBZqBCqpOtBzZoWNGj6nSnXraJhzGnWHgu8N0+WaKLpUJC1kgt5GglNOnW5o/9t9Os3j9HTM/0taUf/5pEYG0GGsyfjjo6XnCj/hx0auOcLC/ZYq1YQQxQqbrztwvSjMT0OWZGAGG9RIR4TJhG0/Y0DX+qYcMbCh83bZKBB3BTpvuh2gqMlQ1KloGA602zPMq8K31Xn704LnmttJwKQnR9wPLP4xBIPmzSwF026QyNxqaMnEULepT3Ygt/i3/B7YOM4HmgxlyhGuO1T91IygXGXQRHAb0EnAekgYTIlPg9YeieCR548bhRlQ0xpmkeFtP8/0gnaVkZkjcVjUXDC3zZjRbCUQPNnWx6gfXXSFRCq2JR5iuyNaDIygrj14syLnbpWMnDJCxQINBDyo6RK4Z3QtWzROFoxr9Kp4vYURYOcq3Pfq/93x8LD9/LNL6MAPLkJdk1BVC4qq9iZm0mieuJP0VtFYSYI2i+VEgNZ7nOuAAPmU5baAwu+CO6Jhr6cExBQDY6H7yVZcwaZiTycVbfG0+uYaduMrhp1d2A21ea2FqIwRJJL1UyT2MbVkbPwP3sFg+kA129EFpWhlm4rCApVcBjdjw5+QoNcsF+UDmHfLZufEH3yz+epvMoGRx8anAxO51ICynI6KzHPtPlR/cj3YF3jCPn6g3nffHtBgkPlUsmEgLqPCFUGXaoIf3GaKB2TeFaxVE/b6hC/zReH40PFnn+LRkBPiqLg/apSz0= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZFTp1Rs3YO7npWs7fRTG+Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqcun9br7579it7EmkR7BseKt/282Q+tyGttYP1rRBiPtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO4JIUJo5FhwNYoDBPInKY+DO5AAL2fiGE1g65rIQ3sxAlKxQ72Zi7pDxFF3uPLaOb91wsZMHQWRlGKajmS1hTgJn9imRHfzCz/QUpnmLItltmwrXJbVczpPzetfEscIsBuP3JNnH9XQ2/C2qZUErLtf0jsBdBMMpGrHpcOL7+fRYUP+Ik= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/d5cbddfa99bd0cb4

Targets
Target

1164e122800fda5ad79d422710877fd9767d44a15e69f3c28e9563ff3e752157.sample

MD5

da301085de77edb94e279c81bcbeb65e

Filesize

121KB

Score
10/10
SHA1

d35f76c16b7665bf7e3f412250ebc4f38670697f

SHA256

1164e122800fda5ad79d422710877fd9767d44a15e69f3c28e9563ff3e752157

SHA512

00526408f5d2557080d00ae31d3448bb54c367ab3f23aaf830cfbeca9261a30292e0f95899ebe529e3a2712e5b2333765daa73a3f51817b185cdace6b0a1af3e

Tags

Signatures

  • Gandcrab

    Description

    Gandcrab is a Trojan horse that encrypts files on a computer.

    Tags

  • suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Drops startup file

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Initial Access
          Lateral Movement
            Persistence
              Privilege Escalation