General

  • Target

    e954f7f030aaa08ffa2fb7038614e59be392680fdaa0d0ce63ef5195d5d42b16

  • Size

    191KB

  • Sample

    220128-wap7dshgg9

  • MD5

    7b29dfcc04993f4fa6445fc4f56fb7fd

  • SHA1

    fed43f95450b0587759cc8b9218f81807db101e1

  • SHA256

    e954f7f030aaa08ffa2fb7038614e59be392680fdaa0d0ce63ef5195d5d42b16

  • SHA512

    c63c5c0ad5e4ef66a9904234bbec131eae45ab0a41e73ccd8bb80c70c8a0a4b90d1a9ca11ad5a513dc02905f3d2f4b5d84135f116f931ab8d13f11d677d6ae68

Malware Config

Extracted

Path

C:\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/93ed7bfc39514247 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAFym4L47lqjKB3f/O0T6ogz3TfK30umFCtbN92O1BNR0/C4ais9XgQ/kLzhK3R45oWzBsWSJe8nNOaSUERic5ulmwELbdMMWpXk7a9o0QyCEedG64O3oZk01QO9z+xuvm3aKH2ah0sAYiV9zPzZ1CjZaixtYrhfrcges6TNtK7ZxKd1Kw9iDTKfFdiH4dHYps+AO5oLIsNLCoFtKceZY0A905E8rw89dkJZQ/IZcDFenzT3rlPj9QdVqi5fXveazqs5MBld5TKcoZF+IitP8vAtW7P3jRzy8oqOJ5GsgDHv67hdkeFa5gt0szXizwDkGs1/nb9dATnKBdXC4H6GFwgty+B30bMbePDyLJVeuycafqZtHwMyCFYMYtoDmAox8ftLNn/nTh1XrYHMQz0vSW/Pk+5Vt9A5zCfqlikLwbhLnVt4Ov860QpkWblknLe1dSiqwHwMP89HHKq448Yub6RHBbTEKe66aWcaBDfhnF+Pg9E+FYU8M08h1FtSy5Ej+w0aq4VuUaphotlPjnpHGImL/VZz2hApga+S+G/4IQQgl0JqGSZHn2gWtJ686rNpxlCz/BSORuHQuS7891RtYnkNOxDrVu2pzMwuXsRVto2hlO4jq3bIJerIt+6ne78/YwyqR71W8mv/u/7VxDTYgDOtPJ5lKycwj7CQ/b318kCiBT5x79pAGK3lftJYqTsuznNcsdQgquW2YbZaGGcLNZ+FE4MipO0Qj77pTYTZx1G/inR5KpngDGufCDdt+1mSAVuxmL5667dW79ePA3lGKiQXPK5eqt1pl60dF23tf+NtcVwgFYCpStZ4Qiv0xLTZ/UTrV9a6HIu1/cNl3TnPd2kMhr1vGs9GWXU8MTgEG1EskHLOrURk350YW4EkggfasxxcfmbUK5BgEnugxGU5ugfsoBtJovrT9rJKrtXTRJHX65BsZqnSeBRSYVrnYtW0SryWoWgFvNZlezSzyrI1gg6VVYpXJR8+ToAR3iHyGuJn+SK92NIQEU0PFdeuTgZKm2D+abid9nQFAxpvWqGRrxLhG7t2m9hHRw1f6t1M0IqWW6Fyzd8+jyFn44C+YDZHUArKMNJMcHHHkryPqILBnVpszTH0IqwUdtUDmxyb6ReiSOrU8GE06ixe1cztWndqDu1W23hxAFnj2qk5cYRGj3cBGF1nScmJCnQq4VJ5txNH0mQ6jPNuvuFKPwkHYBuuSRZc0gQfz8ymCdtJiDYPg9Ebelbyhl6dYaJSeBja64lrNPCwOsRd/TkQF6A5huJh1yH2zguE5vY/fcLSQRVxkE+0qKaQT8Gn73s785AfcBi5PG5TFcSrLEOdYvsC3fakGr7NeCdXRWuuLcLwm/bx4jDrUNZleq2+pftL65MOvSIR47KbocRF0UcnKBTv3scllRvi6bHTG5BBLLazNtRfcB0GHY+vElu464hsB/0rDiwim98ir9h3t1T3qacauGqWZ+2D9d0wGnge+bQk3VXOhxa2kZPEL8wLncOaf74CoOwBNfLaTvJf3O/RyBl81RYza6Qx3hdr/iKPO2mU+qe9EazlNyX0/pCMkdxFNFscvzq32upnnrT1xdv4uLOu1Lu6f/NrzaVqIqr012jeXDubV9Nk4foxzdadSjwm3Nqy5DtnKFhPNM7cwIlRg9cWI2wGdyCLYRBoMZfsPHGQ6n+t9G3nPxudzihLNw4XLLOO8BIHn3f7oXhUIAaIIbCpBD+KKCXfXJioyg4LosTQnB6zJAOPmPtYks7PA87b8PoRLNRZpLcZxCvi44R4wBXYftOUJZp/hnf7CKiY2Xx+XvR6hdZ6hbrenNOuKAuPj2jVS0h5wEVs4odYbyq38IvwD39jw1hNycAe7XPqMuBafTwzDv7AZoxB1X0shi/pCTBQhSriyOkzOLto46zMjRWjSQdwuGuC6fgBLwITP2dzfXVXU3cDh5us6tbbeo+y5RYv3rjs730210l1sOh9upcYe/EFOQ6o0Ete1NOo7/+IRoQQowjwNN/yD1Fi5KvHastcaq2eRZCS6ZljqxVXKfR6catvcd4GPbeReAE8ZOao44GGMGskxqO9yBqfpwcOt13l7BAMMPH1PPMJ3pOd6nnIvbT+CYtI8kEaHfDfl5rCe1aCfn7nGRcS5LbnvoLFv8/lPZW0sar+iPPWA0/VxnoC6gHmjdA5ZiE9j3t2gaMaj9SVyevwzAJTm/OfDs2HgrwDnAXbnBju4Blqe+AWzlMTu6fD9RbVWO/o= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZBToZRqHYJ7ndWpLffTGqHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi6rFxkR3BtOKj/zQ2R+t1GthYZVqGBibtqRHUEd0bpicE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJpJFswNcoAhPJnK0+Ce5dALefhGEwg7NrKg3sxA1KwQ73ZivpCBFO3vfLMeag1wAZJ3RPRgGKcTnS1lDgYn9OmQ3fyiydQRBnybIjlsuw4nIJVZjpOjehfFYcP8A6PylN3H9bQ3XCxaZBEvXtfUj7Bc1MNJGqHsQOcb+dRYgP+IkiVw== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/93ed7bfc39514247

Extracted

Path

C:\KRAB-DECRYPT.txt

Ransom Note
---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c21354a5b42f886a | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAM6UVVkbB/rdW3/TBDrWH8hZkSmbRL0KYZ9A+Pv5k+5E172+KmJ6uoOSIlI69PsFInRCREb7W4+qZotivUnHION1WtJNtWfPjIeMgSrj8YXOTcqP0QfITt4wuFZl30doOb2As9Oequ0w1Vyw4plGnj9H9yhbVaIEekktWg/6fimpT/EZPsIUf4tqA5DjIoeiygCLX0EW/xgzBsC1AkpVUm3Gm5iUX/fA20UivCXX+/EcHOkeI/sQfRAEJ6n34kQjpycxOHNKwK+OAC16FvVzrAypkXEGWoeVbrMKbmhb9DNfdATeYx4ZLhiI4/JMrGkZXbPSSRYqx80MS3Qu0qqYrjJi66LdxcNjVKMOJRPAtIDakr0zJdRgkc8dDZT0NNLckk99jrcCGMM2Ne3oLJPmVzyPKZIQ6QpcJukxgxkldZ+bNLPWJomau4ZYvuNf+EpdWjZ/FocZPzvAuKjdiclTgfJqyprsDc9IAJ6GU9ADUJmIraWeFI2A+RnlpBfiyV7qZD+1SUOAcF4Rb5MWFGYzdCAeKpqpL1KNW9jtr8FRaeb2BOuQz/a/Z8dtAXT0kYk6dmh/i7KdQmF8mTX1ScPL/uV+q+rBnl8kWKe9NC9r9wNQ4+QtFX+yAFW/NsR+NU74QDVzIZez8JOHmJFtHm4z5Oo1+8M7GfvWrUG8LTM25B1LuckkOapGh7Um95M7H7p3m8XdPigsauSLp2NHkROf5Uc5DikhtaKbjynKszNGnYApbzJ9eTPSNjkkMPN1B2yMhTOZa0IlypIzqgSe0t06/FMOMFnJVLEm/RuyKsBUOBa14e6NYvscL4/fFqsuTqWUavzwXWyO1vqxev/MeASkgbDNnFxhDgS9FzAIh115QQPRRTBBWFIaoWk4lbnKm1I6ZsgQurq8cC/+kG7AYbxrfSzrigtUPsM73kPZL/RAClJDwwqsqsSUmE3E3eKH1MKlx0ejpBCnYQOzZUa0k3LE+9A+iUmcMxEuVQlvl2/ScXf1/q5qk4Onvq08//BOvLusewtwuJlNIQGRxmR2MGJue61aO/MYxESUO43TCmf9IUtvQPkw3tBCPy1rc9P1smDHiElLoome/UC3+U3sRU9O6tuJF8b5ue0MIO9nRarLYmfVQazmhHu7LUkSJXQY3UGQfUlCaRsG0UM7amld7ChF74SBjoNH1W2YeZNhZ+G3wTIC7TT3QVhALmiLToTHCjyo8gPupA2zpEOKlthfKgHNWuOgzswMXqF4s7VpD7lzGI/ebeWXGV1qPJZIteWfyWmjrTFxNEJ83fhbjiy0nuiGprIPBi8DhoqCTHbDj2uhQbOaVZbvO1YClOaTel8zcKSXOcJbicKpIkpRH1Ma+O9+zDYgqwAiM1qVgECegTnXr+ESCNOisDel/siUqss98oBjlPwLDW1NAgkRB/tI57/sAYBevoDvQxjYhTIHyHG6yOqpSJ9U0IVpdE56RziwkOgQ5gjz0lEhJy5u4BbKRfC/ON90vp3+6vllq4FD5wCeGYgirnikNqK7Anhlqt8gy5pSqYnnSnF8kRP4TAsrjzVtLTMZg3kuie0lG1Zno53uGg9KewZEGY5SfB1TLYaNw4qh5XrijYxsZJyDMA4Q1P6bUtIEL5Hnk+oZV+67Tda0P+UuLJLAVBhPWtB08/z9rDoiz+L6qkI92X7dYu25m5I8JvizuVdCjEMNdbAAxXxm5LS/K+XDkGp2RjtXvauhexA7Y466sf7HHSENytOYXcD6TMEtANno1/xIdAfKwSel7LmjwpMieHtiQ9WrekDR/UjpEmUt61rHRN1NFpWD2G7dodIJ/OQlCaNJ7RN8HbKarseMzk9Qk7dWuDqz62AXdtzrFWTu/272jA107dt+3zCOdpdO8w86UWAJod2NWNi6yQGHxzMtww1X0kXWxpDpSds/GrACrkMVPFDWA/mSEx6BhKVsGyws6+bnXehGZQq5WaFIWzb7Xra9vHyaPl/Glijx8wb4bBKdNpXnGroFK4QuWeIZuNTJKd6MTqS6hXu+mgraHtpideG2iV7iB75I9j+pup1VZIJkETOlyqUSF1NbNlJR7LNlscrcQoqVC5mSVs5Rq4ZWGvcFQM/KYcbeURnOSIcj6/tmwWMbdYgMBxwltdkcsOvjLnGv1b/Y474qAtws1C7U58DP5gG2XD1SCdm1BX+gNBkBJ7on4WO918xooX5x4XxPE5S7WYGE9H2Jg1jv/kPOASXK7NcaX1MmbjEI3Dbskrs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZaTp9RtXYU7nBWsLfMTGiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqcyn8rqp5+5i5rF2kRnB5eL2/2I2E+twGtNYZFqFBnbtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO6JIQJopFqwNEoBhPAnKY+DO5AAL2fiGE1g6xrIA3txAZKyA7zZibpABFP3uPLaOb91wsZMnQXRkOKPzmU1gPgG39UmRzflSz2QUBnmrI4lomwvnJMVc3pJTerfEocccBnP2hNgX9AQyDCiKYGErrtc0j2BYRMPpGkHsYOIL8= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/c21354a5b42f886a

Targets

    • Target

      e954f7f030aaa08ffa2fb7038614e59be392680fdaa0d0ce63ef5195d5d42b16

    • Size

      191KB

    • MD5

      7b29dfcc04993f4fa6445fc4f56fb7fd

    • SHA1

      fed43f95450b0587759cc8b9218f81807db101e1

    • SHA256

      e954f7f030aaa08ffa2fb7038614e59be392680fdaa0d0ce63ef5195d5d42b16

    • SHA512

      c63c5c0ad5e4ef66a9904234bbec131eae45ab0a41e73ccd8bb80c70c8a0a4b90d1a9ca11ad5a513dc02905f3d2f4b5d84135f116f931ab8d13f11d677d6ae68

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

1
T1107

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

1
T1490

Tasks