Description
Gandcrab is a Trojan horse that encrypts files on a computer.
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample
General
Target
Size
Sample
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample
168KB
211021-k8wahsahdp
Score
10 /10
MD5
SHA1
SHA256
SHA512
700a4f7ed40dd9ac29891c2ec3d4bef7
1546e3bbe9eb3e6b185097226bb758d98a207429
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f
1b615297f445eb4c3909e46191834450191b6e9716a83c380a02db6566dd96431f6e2271c01508d3f271af0b4fbfff31b485e1fc6bf952a4b2177aa41fb65c0a
Malware Config
Extracted
| Path | C:\ZVRYIONLNM-DECRYPT.txt |
| Ransom Note |
---= GANDCRAB V5.0.1 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .ZVRYIONLNM
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/53559f29a53d0f6d
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAAE+G+3/EdUFICPnOBuNObRZum1VGv/JEzx3yS50UZH3qofnkmdgVnwxzO4pdydqO5Jhj4nLGYacIhP2gGL06FvGSPh3MEJqXgcFcE+iWWB2OQIU2mJfCkysI72okrog2ABAJ3Z0FaomwUdCC32z0/LWeEpbEV0xAa4UViamwnmLkkoJ/3oiy/AoFTaJaliIA0VldQDQ5vxbOiXJq4iXAKGmrX5DeIlRDPf+oE8o/fiajl77iWm6FdQYTg4rRyMTN/WyCtp604gVZjzqukDPKNCelk1n33+fwumxA+NM/Ox+eD+pRa9ZEneACqKSCyoT24g7mha90W6Hleg9SDFXDfoJZm8WHbOS4+Zhv199O7g/hzbztQFBjKOEcelAt7Q5NdvSia6144eqq5DizdWqHS2qaW0Gj0qT48fWKQuxR1qEoWe/fCelqIM7qKN4CSwWw7mFxCi86+5LzAcaCkVLd+g+6gfyaSL43g4fP+qGzONPsSrdCymmH7nQrmSmSyaL39Zrj98yQAdIG28OHI5pq9+dE72S4U87GA1J+Gk2IQ1GHLtaBQpeR2OwqOStkQbjW567coSBoALitkHiXInHTr5YmAO+lEB7A3rYXO0u8Z7K37rnOsg7UcuJtgDhjRhqHoPwvHiJqHBElSdgTNtuAbNa2LJ5b/ViZXQ5gqCfR7NW3SulIhIxnpRUhhd4eXKgBQeIW2ie9XqDSgCqZiBwl/rc0pOl4sUkY6z/5iBeO1v52zLDAR961v8anbRsknJ4KLiX95mf2KZU7VJr1SgaoCutq9uagzE+yw73/L1RYgZqIbe+z1eNSO2KsJwEyHfYDz12AI5UUpiqAEy4OBhoHuIkB8g07S8432Dbv32Bgz34OwyMILthVpGlbM3eigJS3eMh23rLxWIAfNe1WsxSuEOAJbFawbLTuvwad9kSrBdUOl6GzqnLB6AdX5ejkASyYV9B5GhZh4wLfFvJjMIFqvuHV1V3+uAcXJjRAU7VQaxae1GQ9J1KC3HY1gXhy3xQeBNR5bTvk3OsKoP9WqX5H+uUtaz87yDPTR5ElVFJbCCyulDskFPEQ9oDdjvL8j3kRMg85X0fCC6lPIeGXf3F+u8AEybRdBEkdkIWHKj+0aOp/DS+Ih+Tuw3PWvDk7noLfJTAA52yf/m+lxnM/qp0Ftwyi+AlHGf5gpaFlU4z20sTlBQFW5Sz1XDESO4Z207XhCOxH1Qx4DY2h6MQv/bvO6vhm17LLbh6HvCoqEVNW4YaDmgHw7fMbb4tNb8WhpHHHsbp7ByM50upfTYDA0/Raar7Jx+SABd8JwJUDyHImZqVLYaDn7Dq5P5D+1HnR8jGq/lYJcbOJkMNVA9DSsD78HgXdXGgwZpG5w09U71zli7X7qCHfbKIV8nAzukjt4ZL0j8YSwNiiwRZdDd3uEmqB5gV3zkJc3d54WRtLSFNBT6hi2zm6eXwXbKa2EeKjBkX46UTazlEimt7BRQpY9pv6pz1cgzwxumsLYxZ2rhzt6teIgvJPx1D3YGBUpsLs/D4EfvlMhfVKggd/j4sI2aAxweRxicvgPf2+Np1EG1v1IzL3EIE6a8dxLJn1sjCHOxcK1lFfPndKgQIpmEI70mSzlfsiVYtv0HpPB5VEER9oWoTYkmPt7ZNki8V6/krp68RzmznyiqwuH92+N9kRsGmTyQAQugH1gm9V4jiUgy5N+bGzGuoqPQVodTYi9p8qLagFJxQYtMWf++Bi34KoVAGvaGZSQNUUMlCtO6DCv8jfFzfqfUmnXGcRZYhBcQHXJRApMgKkhduLaU0WbosBMAeb0VI/N7ewv9JTlFyLCuzyBNKkdbwGoXGaCNoWcztZ/3xdEnEDumWaqPvmewjsV6N84XOhbtlU75A6ML+JAhpQYHbyfQwQgTM6E/51S2Ukx87lj1dB0FLgUdjkqx7EYvBHiR1SEjam+p+Gaw/mgCOm/4E3Z/2/os+SsATRSLo4vwf7F5y6mAc8ImsDZbgOGliP+1ADSzOSte+VPEgUBmA32Xz7v4pViwVIhoDr1D016o0QWC4P9gkb6GfOvUElyMcUWRb0PMpL00DgvgXEJzikBmhetaYIEDVjuT7I2pZMJ3AkXpI87ZLvowpgMcoRTC5bExrDWfW+fpsttJiakiaoj3en+fcmYOpR65KLIVjLd5hlzFsQQ5VTrt9msjFrKCKgvLHM8Rr2mPIxdoRxsqAU5R09HrccQt1WcoUypXj/u6q1agt1K1U=
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZdToZRtXYL7nJWobfbTGuHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqZqn87qt5+hi6rEkkUrB6eL1/2M2EutyGttYOlqFBnPtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO4JIUJo5FhwNYoDBPInKY+DO5AAL2fiGE1g65rIQ3vxA5KyA7wZi/pDRFN3uPLaOb91wsZOHQfRkOKPzmU1gPgG39UmRzflSz0QUpnmbI4lomwvnJMVc3pJTerfEocccBmP2hNgn9IQ3DCzaYTErDtaEjxBdZMM5H4HskOLb+SRYUP
---END PC DATA---
|
| URLs |
http://gandcrabmfe6mnef.onion/53559f29a53d0f6d |
Targets
Target
MD5
Filesize
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample
700a4f7ed40dd9ac29891c2ec3d4bef7
168KB
Score
10 /10
SHA1
SHA256
SHA512
1546e3bbe9eb3e6b185097226bb758d98a207429
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f
1b615297f445eb4c3909e46191834450191b6e9716a83c380a02db6566dd96431f6e2271c01508d3f271af0b4fbfff31b485e1fc6bf952a4b2177aa41fb65c0a
Tags
Signatures
-
Gandcrab
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
Description
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
Tags
-
Deletes shadow copies
Description
Ransomware often targets backup files to inhibit system recovery.
Tags
TTPs
-
Modifies extensions of user files
Description
Ransomware generally changes the extension on encrypted files.
Tags
-
Drops startup file
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Enumerates connected drives
Description
Attempts to read the root path of hard drives other than the default C: drive.
TTPs
-
Sets desktop wallpaper using registry
Tags
TTPs
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks