General
-
Target
db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
-
Size
191KB
-
Sample
220128-wkyxaahhcn
-
MD5
5bc5696a899074cb3623aa640602c8ad
-
SHA1
792d0ef1d01d80426aabc2c8bbeb680690d94798
-
SHA256
db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
-
SHA512
7574237d9495c0cf056b67fb7efa61d426f383976e8fb73b2370835fd1ed63a85d0061c24ee16472bb973acd7cbbb690638b07bb20057774ace0e13b4f87e221
Score
10/10
Malware Config
Extracted
Path
C:\KRAB-DECRYPT.txt
Ransom Note
---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/cb99ace73fd0ad8
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAAH1puCsQ4DEdXMJkqi47uZW7Nl7ZRwkRAp0Tf0eCPN7nSIsj7oujK+0alOSBNISAFmHWWGIoPAE0O7vr2M7qBmk9ujuyvKZy3moCoMRcYObs3obXWTeVL97p2v19xyCWpbN1DVGuIxEZ37HI3naO7g1HiCNliGy7GbZtcpFX8WylIjYvafC0CL+NLPd4R/I+nTK3aRPNPXU0uRjqPeZLPOkTxsIeUjEMeKbC24q1yM9QQ0BGA4lRh77X7gnUvdp+vSQ3QVGv2GtCbuvEonFPwKSIS2YctcQiWNNkLcCA6Tg3YRY6uSVFhC73v8na+JWwEp4vkW1bQ6jL7XGU8Grovymxs4GR7aN5LgI/0f8bqkELR1/4YwWzXIHJnCpz1bnlhDyxQs7GveUY5wwJmnpF/CFcy+o/R+i3y2X4+HGDhGionxBuSurEyWrtsrOIrB3L4kWjAxqb3BwB46864jbXefAZRvykykRWPvvlL9T0gsfo1mqKj/IkjZssBeinNLOw13WmNXwcQKWDADMkLFG8pZ+92GlDijZMSvWm3Led36m2ZCxQsgcou4X2PwZVzl/iLBNoRzeznZKx2CLiV227QW09Y1rc+u/GTYdShok471vr+/r8SjIWpBhexc3wBTQeZ8lEA7jnVtyr4LvxcmQNzJMyJdUAQs25U5FBZJP6I5lcjOriJWgKQ6DOMZMeBpowacDSc/UAV35NEo6hQ24/fLVag2Yf6/2wTY7SXh1Zfh04b5xGyBtIaB6py3x6R+wPuw2LIfq9mG1zv3xgbFZQFUlLbsVGPe4/qJBiottycqdcv+l7oNgf9rb06IYDMlSoZzpYeymxmrT4yUWDQ8Wlea61cknogJv2wQERq7ZCpvww/UjGGl1T1Z5y8u476zpM2kKOh3bABRk9eR34BIXRqcblM79MzljFsuyKBu60PBDtmWlKugwf33AFZAn9RcrJWZbTaWTy0FdBs1enzKG8rJL17uzx46XaPBQrnZGd2s8H7tElUZ6wLkzwFbRnX7ziWapqL8V8jgPZqIhaRIz1VMbh7rj/mp8QvCyKRg7lz/XbG19QQpiJfqe4+xFxYDSZSu1ExMsEaMIydAIldTGktcSDEl9ylRuXeZR+oJwVonT9yulIztFyMA70yiU8RWhAqLagwutDomyxMYqSuKLaqWYHgUYGY6mqLDAtsjQ6HUax0JdS7EAkidB7xli4TwqKxTdFrUwcVXpDjSWe+4bQfXcpoD+Nsx21IWLzBQ3aHNku5CvxW2/vA3Bl1FE1fEdhf3iB3taU3WEw1wgLgvABzG7pQTGcn9dV0mH/3UxLI/ECE3yh4HfOuNLhPr54afDrfG2J77WhNuooywNBXLhQmdSIDKUOl+OIwoDD1NPIvsNTb2gR3z+naslXYyQ3hZ4WDBvz7dIpax4SwghY4umQaFqY9KTrpX0Ud9pWz3EVmqJIaMmAIrWDIjiyejNd2dFm8oQQLvx1LqxYU3mAMxpCIwxBErWOBcZf4g86mM1a37ieMsojw380X/OvZOlOE+CCoHjATO4nanUY8DfEhRh4drTq1AAgfafo7q1f1J4CiXivpO/g3H6mMioCNkGwH3IbjByv7/3IxzlXkheWS2uB3+s7iXP+srpTLVyv4LGHXldGXzUxpmjf+hi+8uDibN0w40zwnqkcXwnHsXkTxD7rhedJqCISTYdXXwTik+ZhG+1etzkMeufoxGPFlH/Ub6iiTzajcKiyhgLyGfTKJCKFlJOLI8gsUMorznPOqVoyUbm9ZB7AS9RPdm9MXbOUPDlttbpifxKbD/JxEmjEoNinpX6KHFlsArK2mMcVGFgyCgy812BOWEDq1nOTykgwsyfWdCPKfUcUfg1eqGfbWxUmpQKW7UMsCOwqyg6lMbk9y0SSuU1/oNFaEd475LPB19yCGQngCNhPUqQZbaIKFFsdNZMpEGGJq5BokpQtWTMh1+DYfiJxvcgrKFvpuAFpiE//e/KqAaiJ8H5SgGz3RfEIJgszNsaVi0WXUkxdyAC0bc1iCK/soKXSuCWfShdYvLRUO1/Qj4UpnVD/PvWegqRqNmwWmr1kMo1MdH+DoQylidzCokGwJVGzQe1nZHR1u/af0Vz2nvPa1/Ls8CvcvloCePLnr9iYaG4dwUcTOyvNF4KlT/DD7dpaRkx2hqwCMhbtPa+wQpSalpUDrxn+OmldvcIIuRiYJcEFa7IIPRLoTZaWYKxsxlmuPPNODQSqst/MROw5ge0=
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZGToRRtXYY7nBWqLfMTHCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BisLEgkUHB6eL1/zU2ROshGthYOlrXBift/BGCEdEbtydK4o24b6bsY7hyY4zV2QKiqZRuTRsqAVO9JIUJp5FtwNQoBRPKnKw+CO5XALafi2Epg65rLQ3qxA5KyA70ZizpABFF3vTLNeat1xAZaHRCRliKfznQ1kfgN39ImRrf9yyrQR1nkLIqlsaw7HIYVcjpKTe2fFccJcA8PyhNj39SQ2/C2KZUErLtf0jsBdBMMpGrHpcOL7+fRYUP+Ik=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/cb99ace73fd0ad8
Extracted
Path
C:\KRAB-DECRYPT.txt
Ransom Note
---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/11c2f5583dfdc5fb
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAADm2V1zBz3C2JUz5bRIwIKJ/NLnAsDzjxEK9xqFeUct7LEGdJW/3yJBPXf46wJPckOdHIFxhN5sg3OGjnphaOhVTARHBDi/SgnGDDm+4G7OEagSqxn8ofF4Co9zmuSPGm9dMRCmJGZinrWsF8HmbmJ1kQa5bNLck66/hZzTCG58MAqqwCIWjB0kyXMBm20lza3XndcJeV5IDfpw4xl2+77ZGKs+ThjUGuzWUSDBVFaP3z9JIxWcIvLoImIr7cZdd0PBpNX1CbXU9+/vIOPH/nWjq5dbuobNxeUvmGUjSk91LPqFk/HoIJoZ6QwlIrL+9E34qPXDZ1kyzoQGgAKZ675MfXdmd51IqyGzAoJYLm6bbI45g8NnTbEmblfpVpsRSIk4QH8RE9H+9aXm/VKrq3i47CCaYh/3QbP51nuq4D8F/BrR31812lI8bzTb7Vw6dW4u5zdu5TtG2XGGzWRWF3CWMNxHaCy1TQYdKd6BXfeD092P+VOMEQqqWuneT+K567NPXted6GBg64fCXTm0pGNJzp/WXLPSeraG19PQigwyaj/PLC+kifXDzBcvdfeYTCFjrAS8TCzgknX2CMWKhafARBcm3QAuVNv1o4+tKKNH2HH3oMjWU7AQUSd/X88xHVnSaNbV9YBIH+J1jEEvxVGrQMZAmfIYz21d4JUK36FbDMSTl6tVbD3FEo4JKX9jDtRASwU4qaOUvbdLUndylV4B6VmiN0odvrvcd66vEDWE0dfwWAM2UBiueBYgrP5lRcvgSefFFFQe2o0XkO+NlYBhwNDi7Bi+lKM2aN9BKbAy1T3iaj46sIMtC7TBMmOuE3FUA2FI8znGJzO94fjyV7YWjEaFtMyII/ssmTzvCHWae824xS6XYJCrQmJv3oW2n3t+gAu9vHFKnVGabf915OQbVDYgn4xR2MeZCu+DaC5scAtoGkwx7/PY2D+a3KfIK3H7798omWrw/aQ9fLhXb85NrxYZHKrq46nwxGa0E3WhGtaow/HcuYwvGSdpiQ3FYiekmUiC8SqUsfr69YhnJTiGYs7m/2+HH+5CW5QfAjL2/eTKyJcpidHWekdyha2TYm1PuruMN2SouZuekXT0sNYWHlk4FGoUfMdkYO9zgKE88Xaq7Q5t1rlFAU90rWpTdHj6v15MujlpYN8a91CYojXYUfkIoA1q6pYTAVuuZNvAc6ItkTVEZU+bP52oTLkqEcQQR4qknWNkKUIB9OV5z37hYk+Zo/XdKM0Tjxt561QcqwMEUZArQlqUe7DwdoRJ+65MTpUeIbmjsIRCSEtU2Qiswiq5ST49E9gA0+iwoI671s89I+lCWCKYY46DhZFxmusylMw3p6F7KPXy9VntolQDIi2IV7cf2isbfBwszRPxUA7eJzIJnt6qEwFYmlsaE0VvQYSfS+KW3lZctUAxMKMa9ImZMrXMa8ilbqaL04nYBZvGl2wl03foIM0nW4hK+Ur7kMfLeZSjmk2eUhqPhOUeE/szvWceXgW6WMinN4SdIXyYFvs+M1FOObgGLbH2ZKVyL7KKTCAwXvuWFf0+ANLvYQeOxHLQwyKhll4uhZFhMQuA+cP29JQD+UHZ27QbXWzbkFuBhVZsr0drYL9O8MrYE0WdLyCq9Cho5CfMCEgRB3qs7TUT8h4b3kLQ1aIsVJDqdRHlmf9hy8vlr8AZFVBy6BGRuytQ1jbmQ0bRmjRLtk11x0kR9RfHsVnkkKOXnUx7MeozCvKsko+LcE8BL9vuCpt+9IEcMWm1NTDa4LS61XV59j7q46eWGRwYN7zDBWq+WbSBoPkk3SeuUR3UNV5KoMrLN0TVkHQX0Oex508cwPztnwkyvAEjHKdKbvTnbbN5LyBq/WEVb4YqRkmScg6Ft0lSwbm/LLYj3fh7otVxvjGxt6YEEq1ABTvVHDZoM2zj6fyJTeCQvPjbdI1A37/jHkeO5aQT45nbgfUiBAL8iqu2D2fSF8wx+cBQNoPcd9En0q8RLjb3YT7ax93Fzxo2CUHYAwMNDpf4/bQAJV9IOAptGu6r194Dv1gxmosO0qulF/536eY1lG+5C2k2D9p1gVsdy/MZ9Ry72mh6JorsJI0138qh+MDRLY4rvCcNfm1xV45o1P0jmOCdgQdIIJljWhrdFohOHirGKtOr8rNM5fuFwyw23C7Sta8/XKnBJihw7U54FC2qgZVHdobOmeG6740RQxtmd2KlZ5i4glTjLM5PBn2zEuhiq4uT3UVAvsWyoxZ4=
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZaTp9RtXYU7nBWsLfMTGiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqZ6n8br75+9itbF3kU3B6OKn/zI2R+tyGohYaVrVBnXtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO6JIQJopFqwNEoBhPAnKY+DO5AAL2fiGE1g6xrIA3txAhKxA7wZivpCxFJ3uPLaOb91wsZMnQXRkOKPzmU1gPgG39UmRzflSz2QUBnmrI4lomwvnJMVc3pJTerfEocccBnP2hNgX9AQyDCiKYGErrtc0j2BYRMPpGkHsYOIL8=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/11c2f5583dfdc5fb
Targets
-
-
Target
db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
-
Size
191KB
-
MD5
5bc5696a899074cb3623aa640602c8ad
-
SHA1
792d0ef1d01d80426aabc2c8bbeb680690d94798
-
SHA256
db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
-
SHA512
7574237d9495c0cf056b67fb7efa61d426f383976e8fb73b2370835fd1ed63a85d0061c24ee16472bb973acd7cbbb690638b07bb20057774ace0e13b4f87e221
Score10/10-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-